How hospitals can defend data and patients from ransomware attacks.
Ransomware has come a long way since the first known attack, the 1989 AIDS Trojan, which was distributed on floppy disks to attendees of an international AIDS conference and demanded $189 from each victim to regain access to their computer. Now, attackers demand far higher ransoms from healthcare organizations, which have more to lose.
Last month, Hancock Health, a healthcare network in Indiana, paid hackers $55,000 in ransom to unlock its systems. Previously, the California-based Center for Orthopedic Specialists (COS) and Hawaii’s Fetal Diagnostic Institute of the Pacific were both hit by ransomware attacks, potentially leaking the data of more than 100,000 patients.
For healthcare organizations, there is more at risk than the cost of the ransom, cancelled treatments and the loss of business that follows a tarnished reputation. They also face critical interruptions in medical services that disrupt patient care and can cause direct harm to patients.
Losses from cyberattacks that exposed the personal health information of tens of millions of patients around the world are estimated to be as high as $1 billion. Even more disturbing is the risk to patient safety: according to recent research, more than 2,100 patient deaths per year are linked to data breaches at hospitals.
Ransomware attacks typically lock out doctors and nurses from patients’ records, bringing digital communications to a standstill. Hospital employees are forced to switch to manual methods of patient care, which are too time-consuming, given the high patient-to-caregiver ratio. Often, patients must scramble to look for alternative hospitals to provide the necessary tests or treatments.
Take, for example, the infamous WannaCry attack of May 2017, which spread on its own through a Windows SMB vulnerability rather than through phishing. In the UK's National Health Service alone it led to roughly 20,000 cancelled appointments and affected as many as 70,000 devices, including computers and MRI scanners, many of which were shut down manually to keep them from being infected. The attack was a painful wake-up call for the healthcare industry: it showed how much damage attackers can do without deliberately targeting hospitals, and how important full visibility into medical devices is.
Given the overwhelming publicity surrounding successful ransomware attacks and the ransoms hospitals are now prepared to pay, more healthcare facilities and their medical devices will certainly be targeted in the future. It's not a matter of "if" but "when."
Educating and training employees about security and phishing is the primary approach the industry is taking to minimize ransomware attacks. Given the increased risk, however, medical organizations also need to apply stringent security policies to every connected medical device deployed across all of their departments.
This is not as simple as it sounds. Many security officers today don't have visibility into the equipment information managed by biomedical engineers. An important first step can be something as basic as maintaining a complete list of all medical devices with their key characteristics (manufacturer, model, operating system and software version) and how each one is connected to the network. This isn't a one-time activity but something that must be kept current as devices are moved, retired or added to the network.
Once a full inventory exists, certain basic precautions should follow: making sure all equipment runs the latest software versions and patches, and restricting network access to the most vulnerable devices, such as those running software the manufacturer no longer patches.
To prevent an attack from spreading to medical devices, medical equipment with similar levels of risk should be placed on the same network segment and allowed to communicate only with the systems it needs in order to operate. Connections to potentially less secure parties, such as software integrations with third parties or with manufacturers for predictive maintenance, should also be monitored closely, even when they are permitted.
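One way to make the inventory and segmentation steps above concrete, as an added example that is not code from the original article or from Cynerio: the script below checks a device inventory against a segmentation policy and a batch of flow records, and reports devices seen on the network that nobody inventoried, cross-segment traffic the policy does not permit, third-party maintenance sessions to watch, and devices running software older than the version the manufacturer supports. The address plan, devices, policy, flow records and every field and function name are constructed for illustration.

```python
"""Inventory-driven segmentation check for connected medical devices.

Added example, not code from the original article or from Cynerio. The
segment map, inventory, policy and flow records are constructed sample data;
all field and function names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination TCP port)


@dataclass(frozen=True)
class Device:
    ip: str
    name: str
    segment: str    # segment the device is expected to live in
    software: str   # version currently installed
    supported: str  # version the manufacturer currently supports


# Segments group equipment of similar risk (constructed address plan).
SEGMENTS = {
    "imaging": ip_network("10.10.0.0/24"),      # MRI, CT, ultrasound modalities
    "pacs": ip_network("10.10.1.0/24"),         # image archive servers
    "infusion": ip_network("10.10.2.0/24"),     # infusion pumps
    "clinical-ws": ip_network("10.20.0.0/24"),  # physician and nurse workstations
    "vendor-vpn": ip_network("172.16.9.0/24"),  # manufacturer remote maintenance
}
EXTERNAL_SEGMENTS = {"vendor-vpn"}  # owned by outside parties, not in our inventory

# Cross-segment traffic is denied unless listed here: (source, destination) -> ports.
# Traffic inside one segment is allowed by design.
POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("imaging", "pacs"): {104},           # DICOM: modalities store studies on the archive
    ("clinical-ws", "pacs"): {104, 443},  # workstations query and view images
    ("vendor-vpn", "imaging"): {22},      # manufacturer maintenance sessions
}

INVENTORY: List[Device] = [
    Device("10.10.0.11", "MRI-1", "imaging", "4.2.1", "4.2.3"),
    Device("10.10.0.12", "CT-2", "imaging", "7.0.0", "7.0.0"),
    Device("10.10.1.5", "PACS-A", "pacs", "12.1", "12.1"),
    Device("10.10.2.21", "PUMP-21", "infusion", "3.1", "3.4"),
    Device("10.20.0.40", "WS-RAD-40", "clinical-ws", "2024.1", "2024.1"),
]

# Constructed flow records, as a firewall or NetFlow export might summarise them.
FLOWS: List[Flow] = [
    ("10.10.0.11", "10.10.1.5", 104),   # MRI stores a study on PACS
    ("10.20.0.40", "10.10.1.5", 443),   # workstation views images
    ("10.20.0.40", "10.10.0.11", 445),  # workstation reaches the MRI over SMB
    ("10.10.0.11", "10.10.2.21", 80),   # MRI talks to an infusion pump
    ("10.10.0.99", "10.10.1.5", 104),   # address nobody put in the inventory
    ("172.16.9.3", "10.10.0.11", 22),   # vendor maintenance login
]


def segment_of(ip: str) -> Optional[str]:
    """Return the segment an address belongs to, or None if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def unknown_devices(flows: List[Flow], inventory: List[Device]) -> Set[str]:
    """Addresses active inside a managed segment that the inventory does not know."""
    known = {d.ip for d in inventory}
    unknown: Set[str] = set()
    for src, dst, _ in flows:
        for ip in (src, dst):
            seg = segment_of(ip)
            if seg is not None and seg not in EXTERNAL_SEGMENTS and ip not in known:
                unknown.add(ip)
    return unknown


def policy_violations(flows: List[Flow]) -> List[Flow]:
    """Cross-segment flows the policy does not permit. SMB (445) from a workstation
    to a modality is exactly the path a WannaCry-style worm takes."""
    violations: List[Flow] = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            violations.append((src, dst, port))  # traffic outside the address plan
        elif s != d and port not in POLICY.get((s, d), set()):
            violations.append((src, dst, port))
    return violations


def third_party_flows(flows: List[Flow]) -> List[Flow]:
    """Every flow originating from an external party, permitted or not, for monitoring."""
    return [f for f in flows if segment_of(f[0]) in EXTERNAL_SEGMENTS]


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def stale_software(inventory: List[Device]) -> List[str]:
    """Devices running something older than the manufacturer's supported version."""
    return [d.name for d in inventory if _version(d.software) < _version(d.supported)]


def report(flows: List[Flow] = FLOWS, inventory: List[Device] = INVENTORY) -> Dict[str, list]:
    """Run every check; the findings are what security and biomedical staff review together."""
    return {
        "unknown_devices": sorted(unknown_devices(flows, inventory)),
        "policy_violations": policy_violations(flows),
        "third_party_flows": third_party_flows(flows),
        "stale_software": stale_software(inventory),
    }


if __name__ == "__main__":
    for check, findings in report().items():
        print(f"{check}: {findings}")
```

Note what the sample run shows: the flow from 10.10.0.99 to PACS passes the policy check, because it travels on an allowed port between allowed segments, and is caught only by the inventory comparison. That is why the article puts the device inventory before segmentation and patching: without a current list of what belongs on each segment, the policy check alone cannot tell a new modality from an intruder that has landed on the imaging network.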
Ransomware attacks will only become more frequent and possibly more severe in the future. Verizon's 2018 Data Breach Investigations Report estimates that ransomware is involved in 85 percent of successful malware attacks against hospitals. Given the growing popularity and publicity of these attacks, hackers will surely keep finding creative ways to monetize the panic of healthcare organizations and their patients. Only collaboration between security and healthcare professionals can protect medical devices and keep an organization's reputation and its patients' health from being held ransom.
Leon Lerman is co-founder and CEO of Cynerio.