• Politics
  • Diversity, equity and inclusion
  • Financial Decision Making
  • Telehealth
  • Patient Experience
  • Leadership
  • Point of Care Tools
  • Product Solutions
  • Management
  • Technology
  • Healthcare Transformation
  • Data + Technology
  • Safer Hospitals
  • Business
  • Providers in Practice
  • Mergers and Acquisitions
  • AI & Data Analytics
  • Cybersecurity
  • Interoperability & EHRs
  • Medical Devices
  • Pop Health Tech
  • Precision Medicine
  • Virtual Care
  • Health equity

Your MRI Is Hacked: Transfer $100K in Bitcoin, Please

Article

How hospitals can defend data and patients from ransomware attacks.

healthcare ransomware,ransomware hospital,healthcare cyberattack,health it security

Ransomware has come a long way since the first attack at an international AIDS conference, where each victim had to pay $189 to regain access to their computer. Now, hackers are demanding higher ransoms from healthcare organizations that have more to lose.

Last month, Hancock Health, a healthcare network in Indiana, paid hackers $55,000 in ransom to unlock its systems. Previously, the California-based Center for Orthopedic Specialists (COS) and Hawaii’s Fetal Diagnostic Institute of the Pacific were both hit by ransomware attacks, potentially leaking the data of more than 100,000 patients.

>> READ: WannaCry Virus Attack Stresses Healthcare’s Need to Fortify Defenses

For healthcare organizations, there is more at risk than the cost of ransom, cancelled treatments and the loss of business due to a tarnished reputation. They must face critical interruptions in medical services that can disturb client care, causing harm to patients.

What’s Really at Risk in a Ransomware Attack?

Losses resulting from cyberattacks, exposing tens of millions of customers’ personal healthcare information around the world, are estimated to be as high as $1 billion. But even more disturbing is the risk to patient safety. According to recent research, more than 2,100 patient deaths per year are linked to data breaches at hospitals.

Ransomware attacks typically lock out doctors and nurses from patients’ records, bringing digital communications to a standstill. Hospital employees are forced to switch to manual methods of patient care, which are too time-consuming, given the high patient-to-caregiver ratio. Often, patients must scramble to look for alternative hospitals to provide the necessary tests or treatments.

Take, for example, the infamous WannaCry ransomware attack, which resulted in 20,000 canceled appointments for medical treatments and affected as many as 70,000 devices, including computers and MRI scanners, many of which were shut down manually to prevent them from being negatively impacted. This attack was a painful wake-up call to the healthcare industry, showing the importance of full visibility into medical devices, considering the amount of damage hackers did — even when they didn’t deliberately target hospitals.

Due to the overwhelming publicity surrounding successful ransomware attacks and the amount of ransom hospitals are now prepared to pay, it’s certain that more healthcare facilities and their medical devices will be targeted in the future. It’s not a matter of “if” but “when.”

Good Hygiene for Medical Devices

Educating and training employees about security and phishing is the primary approach the industry is taking to minimize ransomware attacks. However, due to the increased risk, medical organizations need to apply stringent security policies to all of the digital medical devices deployed throughout all different departments as well.

This is not as simple as it sounds. Many security officers today don’t have visibility into equipment information managed by biomedical engineers. An important first step can be something as basic as maintaining a complete list of all of the medical devices, with all of their key characteristics and how they are connected to the network. This isn’t a one-time activity but rather something that must be done on an ongoing basis as devices are moved, retired or added to the network.

Once a full inventory is taken, then there are certain basic precautions that should be followed. For example, making sure all equipment has the latest versions for software and patches and restricting access to the most vulnerable devices.

To prevent an attack from spreading to medical devices, it’s a good idea to make sure medical equipment with similar levels of risk are on the same segment and can only communicate with computers that are essential to operate properly. Also, connections to potentially less secure devices, such as software integrations with third parties or manufacturers for predictive maintenance, should be monitored closely.

Ransomware attacks will only become more frequent and possibly more severe in the future. Verizon’s annual Data Breach Report for 2018 estimates that ransomware is included in 85 percent of the successful malware attacks against hospitals. Due to the increased popularity and publicity of these attacks, hackers will surely continue to find creative ways to monetize on the potential panic of healthcare organizations and their patients. Only the collaboration of security and healthcare professionals can protect medical devices to prevent an organization’s reputation and their patients’ health from being held ransom.

Leon Lerman is co-founder and CEO of Cynerio.

Get the best insights in healthcare analytics directly to your inbox.

Related

Cybersecurity Is Undervalued. But That Might Change Soon.

Healthcare Needs Tech That Empowers Physician Leaders

Defending Your Data from the Dark Overlord

Related Videos
Image: Ron Southwick, Chief Healthcare Executive
Related Content
Image credit: ©tippapatt - stock.adobe.com

Healthcare mergers may face more questions about cybersecurity

April 18th 2024
Article

In the wake of the Change Healthcare attack, regulators may look more closely at protections for data privacy as they examine deals, experts say.

The rise of third party cyberattacks in healthcare | Data Book podcast

The rise of third party cyberattacks in healthcare | Data Book podcast

March 11th 2024
Podcast

Dan Dodson, the CEO of Fortified Health Security, talks about the risks to hospitals, AI in attacks and defense, and what health systems can do to protect themselves.

Image credit: American Hospital Association

Change Healthcare cyberattack: Health leaders ask Congress for help with cybersecurity

April 17th 2024
Article

During a House panel hearing on the attack, hospital and health industry leaders urge lawmakers to help deal with attacks from ransomware groups.

Hospitals face evolving threats from cyberattacks | Data Book podcast

Hospitals face evolving threats from cyberattacks | Data Book podcast

December 7th 2023
Podcast

Michael Hamilton, founder and chief information security officer of Critical Insight, talks about trends in attacks and emerging threats in the coming year.

Image: Ron Southwick, Chief Healthcare Executive

Change Healthcare cyberattack: Lawsuits emerge, and more are coming

April 5th 2024
Article

Several suits have already been filed and others are expected due to the ransomware attack that has affected hospitals and providers nationwide.

Image: Ron Southwick, Chief Healthcare Executive

American Hospital Association CEO talks about Change Healthcare ransomware attack and cybersecurity

April 4th 2024
Article

Rick Pollack discussed the cyberattack and its ramifications at the Hospital + Healthcare Association of Pennsylvania Leadership Summit.

© 2024 MJH Life Sciences

All rights reserved.