As healthcare data security incidents become more sophisticated, covered entities and their business associates are attempting to develop security procedures that better manage hospital ransomware threats.
With the help of several government agencies, organizations are working to establish protocol for preventing and recovering from ransomware attacks.
Ransomware is malware that denies access to data or systems, typically by encrypting the data. Crypto ransomware encrypts an organization's data and demands payment in exchange for a decryption key, while locker ransomware blocks an organization from accessing its systems altogether.
In a ransomware incident, an organization is typically denied access to specific parts of its systems, usually those that support critical business operations. Cybercriminals demand that the organization pay a ransom in order to regain access.
While cybercriminals may promise to release the data after a ransom has been paid, there is no guarantee that organizations will be able to regain control of their systems or data.
Why should healthcare organizations care about ransomware?
For healthcare providers, it is crucial that organizations maintain control over EHR systems, which contain critical patient information. In the event of a ransomware attack, healthcare providers are faced with serious challenges to patient safety, healthcare data security, and normal operation.
For example, MedStar Health, a healthcare system in the DC area, was reportedly the victim of a ransomware attack in March. After several employees reported that they could not access their computers, an outside entity allegedly demanded that MedStar Health pay 45 bitcoins, approximately $19,000, for a key to decrypt its data.
MedStar Health, which runs ten hospitals and 250 outpatient facilities, shut down its EHR and email systems to contain the threat. As a result, the healthcare system had to switch to a paper system and reduce patient volumes for several days.
Later, several news sources reported that the attack on MedStar Health exploited a known security vulnerability in an application server. The healthcare system reportedly failed to apply an available patch, which left its JBoss application server exposed to the ransomware.
In February, Hollywood Presbyterian Medical Center reported that it paid about $17,000 to hackers after a ransomware attack. In order to decrypt patient information on its EHR system, the medical center agreed to pay the ransom to quickly reestablish normal operations.
It has also become easier for healthcare employees to download ransomware, especially with the prevalence of connected healthcare devices such as smartphones, tablets, and the Internet of Things. Ransomware can be introduced by falling for a phishing scam, visiting a malicious website, or opening an attachment in a seemingly legitimate email.
“Ransomware criminals concern themselves with what they can disrupt,” reported a recent study by ICIT. “Business operations grind to a halt until the system is restored or replaced. Moreover, unlike traditional malware actors, ransomware criminals can achieve some profit from targeting any system: mobile devices, personal computers, industrial control systems, refrigerators, portable hard drives, etc.”
While ransomware threats are not new, the healthcare industry has recently been a top target for cybercriminals looking to steal EHRs. Patient information has become more valuable than stolen credit card information because individuals cannot change their identity like they can replace a credit card.
Stolen EHRs can also fetch up to $470 per record, reported National Public Radio last year.
What should an organization do to prevent and respond to ransomware attacks?
Despite the situation at Hollywood Presbyterian Medical Center, several government agencies have released ransomware warnings that discourage organizations from paying cybercriminals.
Earlier this month, the Federal Bureau of Investigation (FBI) issued an alert to all industries about ransomware threats.
“Paying a ransom not only emboldens current cybercriminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” wrote FBI Cyber Division Assistant Director James Trainor in the alert. “And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The FBI urged organizations to focus on prevention efforts, such as employee training and implementation of technical safeguards. The agency also encouraged businesses to develop comprehensive data security frameworks that include regular updates of digital services and products, installation of antivirus and anti-malware solutions, and ensuring that security policies are known throughout the organization.
Similarly, the Department of Homeland Security released a ransomware warning through the US Computer Emergency Readiness Team (US-CERT). The warning emphasized that organizations that use networked systems are particularly susceptible to malware threats.
The department recommended that businesses establish ransomware recovery procedures, such as backing up all critical information and disabling macros in email attachments. The warning also explained that organizations should enable application whitelisting, which prevents unapproved programs from running.
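The two endpoint controls named in the US-CERT warning (disabling macros from email attachments and application whitelisting) can be expressed as a concrete configuration. The script below is an added example written for this page; it is not code from the article or from US-CERT. It assumes a Windows 10 or Windows Server 2016 (or later) endpoint with Office 2016 (registry version path "16.0") and the built-in AppLocker PowerShell cmdlets, and it must be run in an elevated session. The output file path is an assumption.

```powershell
# Added example (not from the article or US-CERT): apply the two endpoint
# controls the warning describes. Assumptions: Office 2016 ("16.0" key path),
# Word/Excel/PowerPoint installed, AppLocker cmdlets available, run as admin.

$OfficeVersion = "16.0"                      # assumption: Office 2016/365 key path
$Apps = @("Word", "Excel", "PowerPoint")

function Set-OfficeMacroPolicy {
    # VBAWarnings = 4 is the documented "Disable all macros without notification" value.
    # blockcontentexecutionfrominternet = 1 blocks macros in files that carry the
    # Mark-of-the-Web, i.e. downloaded files and saved email attachments.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name "VBAWarnings" -Value 4 -Type DWord
        Set-ItemProperty -Path $key -Name "blockcontentexecutionfrominternet" -Value 1 -Type DWord
    }
}

function Test-OfficeMacroPolicy {
    # Returns $true only if every Office application is set to block macros.
    $ok = $true
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VBAWarnings
        if ($v -ne 4) {
            Write-Warning "$app still allows macros (VBAWarnings=$v)"
            $ok = $false
        }
    }
    return $ok
}

function New-AllowListPolicy {
    param([string]$OutFile = "$env:TEMP\applocker-allowlist.xml")   # assumption: output path
    # Build publisher/hash rules from executables and scripts already installed in the
    # standard program directories. A program dropped into a user-writable folder
    # (a temp directory, %APPDATA%) matches no rule and is blocked once enforced.
    $dirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\System32")
    $info = foreach ($d in $dirs) {
        if (Test-Path $d) {
            Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script
        }
    }
    $xml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone -Xml
    $xml | Out-File -FilePath $OutFile -Encoding UTF8
    return $OutFile
}

function Test-AllowList {
    param([string]$PolicyFile, [string[]]$Paths)
    # Dry run: shows which files the generated policy would allow or deny,
    # without enforcing anything on the endpoint.
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Paths -User Everyone
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy
$policyFile = New-AllowListPolicy
Test-AllowList -PolicyFile $policyFile -Paths @("$env:SystemRoot\System32\notepad.exe")
```

Apply the generated AppLocker policy in audit mode first (set `EnforcementMode="AuditOnly"` in the XML and load it with `Set-AppLockerPolicy -XmlPolicy <file> -Merge`), review the resulting AppLocker event log for legitimate clinical applications that were missed, and only then switch to enforcement; a hospital that enforces an incomplete allow list blocks its own workflow as surely as ransomware does. The macro keys are written under `HKCU`, which covers the current user only; fleet-wide deployment is done with the equivalent Office Group Policy settings.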
In addition to government alerts, some states have taken it into their own hands to manage ransomware attacks.
For example, the California Senate Public Safety Committee approved ransomware legislation in April that detailed how the crime would be prosecuted. Under the proposed law, cybercriminals may face two to four years of imprisonment at a county jail and a fine of up to $10,000.
“Sadly, ransomware attacks are increasingly common,” said Senator Robert Hertzberg in a statement. “Basically, this is an electronic stickup. We need to make clear that intentionally using ransomware is a very serious crime that will not be tolerated and will be prosecuted, just like any stickup. That’s what this legislation does.”
With highly publicized incidents and official alerts, ransomware has taken center stage in terms of data security.
For many healthcare organizations, it should be a question of when, not if, ransomware will target them.
To prevent a data security incident, providers and their business associates are encouraged to review their healthcare data security policies to ensure that ransomware threats are properly addressed.