Why Your Hospital Should Never Have to Pay Ransom

Is your hospital prepared for a cyberattack? If not, consider it only a matter of time before one happens. Unfortunately, in today’s fast-paced world of evolving technology, it is inevitable that hospitals become victims of cyberattacks.

In the information era, cybercrime is one of the criminal underworld’s biggest growth industries and the healthcare industry has been a target for decades. In the past year, health data security exposures have doubled; it isn’t a question of if your hospital will be targeted but only when.

The inevitability of a cyberattack is a scary reality, making October an appropriate time of year for National Cybersecurity Awareness Month. During this month, which also includes Healthcare Security and Safety Week, people from all across the IT world join together to shed more light on the dark tricks cybercriminals play.

Stolen protected health information (PHI) is a real nightmare for healthcare organizations (HCOs) and can cost them millions. However, one week out of the year is not the only time to re-educate staff and prepare for a cyberattack. Hospital leadership—especially at the CIO level—needs to evaluate the permeability of its healthcare IT (HIT) infrastructure year-round.

The Anatomy of a Healthcare Cyberattack

Whether through compromised credentials or a vulnerability in your HVAC system, once a malicious program gets into your healthcare IT network it can quickly spread to other systems. Information is locked away, peripheral systems shut down, and protected data goes public.

Ransomware is one of the leading tactics cybercriminals employ to attack healthcare facilities. Patient health data carries a hefty price tag on the black market and once it is encrypted and inaccessible, a provider could be crippled.

Selling patient data and blackmailing hospitals to pay a ransom in exchange for the stolen data pays well. The problem is that once the ransom is paid, the threat doesn’t go away. Cybercriminals who know they can get money from a facility will likely target that hospital again.

“A HCO should never pay a ransom,” says MEDHOST Chief Information Security Officer, Michael Johnson. “Once you pay, you become a target. If a hospital is practicing proactivity in every facet of their cybersecurity strategy, they should never be in the position where they would need to pay a ransom.”

Since cybercrime has evolved and become more complex, an equally complex and proactive approach to healthcare cybersecurity is required to keep up with attacks.

4 Critical Components for a Healthy Cybersecurity Strategy

In order to build awareness and educate hospitals, our HIT specialists have identified four key components that can help support a proactive healthcare cybersecurity strategy.

1. A Well-Designed IT Architecture

Architecture, or the construction of your information technology infrastructure, is the keystone or foundation for all of the proactive cybersecurity tips listed here.

Varying levels of redundancy—duplicating network components—are core essentials to a healthcare IT architecture. Duplicating components used to manage and protect an integrated HIT network is important for a number of key reasons. Redundancy helps:

  • Create safe maintenance windows
  • Eliminate downtime during maintenance
  • Speed recovery in the event of data loss

Architectural redundancy is important because it allows a hospital to proactively perform system maintenance without experiencing downtime.

When a hardworking EDIS (Emergency Department Information System) with zero redundancy requires maintenance, it will need to go offline for an unpredictable amount of time. Without a functioning EDIS, your emergency room is forced to regress to a paper-based records system. In today’s fast-paced, consumer-driven healthcare landscape, a paper-based system is not optimal for facilitating effective care in an environment that depends on speed and accuracy.

2. Regular Patching

As cybercriminals become smarter, hospitals cannot afford to skip routine HIT maintenance, which includes applying the latest security patches. Keeping hardware and software security features current is critical for helping HCOs battle a constantly evolving online adversary.

One of the main reasons we see hospital systems not updated with the most recent patches relates to a lack of redundancy. Healthcare is a 24/7 business. If there is only one system supporting the entire hospital and it needs to go down for maintenance, how long can the facility afford to lose access to critical information? Redundancy helps make sure that if one system is down for patching, there is another that can handle the workload.

Regular patching is like a preventive inoculation for a HIT system against nasty worms and other malicious programs. Patching takes two forms: traditional system updates and consistent cybersecurity training for hospital personnel.

If a hospital’s best intentions to proactively patch fail, the digital lifeblood of the organization then comes down to backups and recovery.

3. Recovery and Backup Planning

A recovery plan that includes a reliable backup schedule helps hospitals reduce their risk in the event of a breach. Backups make it possible for hospitals to destroy what has been infected and recover systems by rolling back servers to a previously healthy state.

In the event of a ransomware attack and successful breach, a hospital without a viable healthcare technology recovery plan or reliable EHR host has three options: live with the data loss, attempt to pay the ransom (neither of which is recommended), or attempt to recover the data yourself.

So which option is best?

None of them because they can all cost vital hospital resources. Having a plan in place can help hospitals reduce the likelihood of long service interruptions caused by an attack.

A good backup plan can be quantified by four factors:

  1. How many other redundancies are in place?
  2. How often is data being backed up to these secondary or tertiary systems?
  3. How fast can data be recovered?
  4. How recent are recovered data packages?

A system hosted by MEDHOST and managed by our team of HIT specialists can be rolled back four hours prior to a data loss event. Recoveries carried out by our team usually occur with minimal downtime and impact on hospital operations.
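The four questions above can be answered mechanically from backup records. The following Python is an added example, not MEDHOST's code: it scores constructed backup records against hypothetical RPO/RTO targets (using the four-hour rollback window mentioned above as the data-loss limit) and counts a copy as usable only if its restore drill succeeded and it was taken before the earliest known compromise, since a backup made after infection began is not a "healthy state" to roll back to.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    taken_at: datetime
    copies: int           # independent locations holding this copy (redundancy)
    restore_minutes: int  # restore time measured in a drill, not estimated
    verified: bool        # the drill actually produced a working system

@dataclass
class Policy:
    max_data_loss: timedelta  # RPO: most recent work the hospital can afford to lose
    max_restore: timedelta    # RTO: longest tolerable outage while restoring
    min_copies: int           # redundancy floor for the copy we would restore from

def evaluate(backups, compromise_at, policy):
    """Answer the four backup-plan questions for one incident.

    compromise_at is the earliest known-bad time, not the time the attack was
    noticed: a backup taken after that point may already contain the infection.
    """
    clean = [b for b in backups if b.taken_at < compromise_at and b.verified]
    if not clean:
        return {"restorable": False, "gaps": ["no verified backup predates compromise"]}
    latest = max(clean, key=lambda b: b.taken_at)
    data_loss = compromise_at - latest.taken_at
    restore = timedelta(minutes=latest.restore_minutes)
    gaps = []
    if latest.copies < policy.min_copies:
        gaps.append("insufficient redundancy")
    if data_loss > policy.max_data_loss:
        gaps.append("data loss exceeds RPO")
    if restore > policy.max_restore:
        gaps.append("restore time exceeds RTO")
    return {"restorable": True, "rollback_to": latest.taken_at.isoformat(),
            "data_loss_hours": data_loss.total_seconds() / 3600,
            "restore_hours": restore.total_seconds() / 3600, "gaps": gaps}

# Constructed sample (hypothetical): backups every four hours; the 08:00 restore drill failed.
SAMPLE_BACKUPS = [
    Backup(datetime(2023, 10, 2, 0, 0), copies=2, restore_minutes=90, verified=True),
    Backup(datetime(2023, 10, 2, 4, 0), copies=2, restore_minutes=90, verified=True),
    Backup(datetime(2023, 10, 2, 8, 0), copies=1, restore_minutes=90, verified=False),
]
POLICY = Policy(max_data_loss=timedelta(hours=4), max_restore=timedelta(hours=2), min_copies=2)
EARLY_COMPROMISE = datetime(2023, 10, 2, 7, 0)   # 04:00 copy is clean and within RPO
LATE_COMPROMISE = datetime(2023, 10, 2, 9, 30)   # 08:00 copy unusable, so 5.5 h of loss
```

Running `evaluate(SAMPLE_BACKUPS, LATE_COMPROMISE, POLICY)` reports a rollback to 04:00 with an RPO gap, which is exactly the case an untested backup hides until the day it is needed.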

4. Software and Hardware Investments

Lastly, practicing proactive cybersecurity is an important business investment. The most advanced equipment and software will offer the highest level of resiliency, but often come with a heftier price tag. Add a highly segmented architecture with firewalls, multi-factor authentication, and other intrusion prevention systems, and hospitals are looking at not only more costs, but more required IT resources.

Many healthcare organizations cut the cost of proactive cybersecurity by working with a knowledgeable partner who can do much of the heavy lifting for them. Outsourcing technology services through a sophisticated host who offers 24/7 monitoring can have huge benefits for a hospital’s overall cybersecurity health. Most HIT vendors who specialize in EHR hosting are well-suited to help protect against sophisticated online adversaries.

As part of MEDHOST Direct, our EHR hosting service, we adhere to a strategy of proactive protection for all of our healthcare partners. A commitment to keeping our hosted systems on the cutting-edge of cybersecurity prevention helps us make sure hospitals are not put in a position where they would have to pay a ransom.

Protect your healthcare facility from ransomware and you won’t have to negotiate with cybercriminals.
