At the start of his shift, the hospital IT Director takes a sip of coffee and fires up his computer as he gets organized for the day. His team is in the middle of handling a major update, and he is anxious to ensure everything goes smoothly. But instead of a start-up screen, he sees a message.
The hospital’s computer systems have been hacked. Pay up within 7 days to get the key to release your files. If you do not pay, you will permanently lose access to your files.
Without access to the hospital’s electronic health records, medical teams will have to rely on paper charts and patient memories for clinical decisions, and the financial and operations teams will come to a screeching halt as resources are diverted to manage this crisis.
He rushes to huddle his team together to craft a plan of attack that will restore access to hospital data as quickly as possible. The well-being of patients could be at stake.
It sounds like the plot of a straight-to-television film, but ransomware threats to hospitals and patients are very real, very serious, and becoming more common.
Hospitals are targeted by ransomware attacks more often than any other type of business. In fact, 88 percent of ransomware attacks are directed at hospitals, according to Solutionary, an NTT Group security company.
So what is ransomware, anyway? And what can hospitals do to protect themselves from attack?
More and more, attackers are using malicious software (malware) to infiltrate hospital systems, lock or encrypt the facility’s files—including patient health records and financial information—and hold them hostage. Hospitals are instructed to pay a ransom in cryptocurrency such as Bitcoin, often worth thousands of dollars, in exchange for the key that decrypts the data. WannaCry and Petya are well-known recent examples of this.
While some hackers exploit lax cybersecurity practices at hospitals to plant ransomware on their own, employees often are an easy access point through email phishing scams. A recent study showed that 78 percent of healthcare employees lacked proper cybersecurity training and awareness.
Why are hospitals such a hot target for ransomware? There are a few reasons:
The fallout from a hospital data breach can be significant, including potentially serious effects for patients, financial and legal repercussions, operational expenses, and reputation damage. Ponemon’s latest Cost of a Data Breach Report puts the cost of a breach at a healthcare facility at about $408 per patient record.
Between April and June 2018 alone, the Protenus Breach Barometer reported that more than 3.14 million healthcare records were exposed by data breaches at just 142 hospitals. Do the math per hospital, and it quickly adds up to millions of dollars in costs.
In addition, patient attrition is a major concern: more than half of hospital patients would switch providers following a data breach, according to a survey from TransUnion Healthcare.
The good news is, hospitals can take steps to prevent ransomware attacks. Todd Williams, MEDHOST Manager of Security Operations, advises improving employee cybersecurity training and a layered approach to cybersecurity so that when physical safeguards fail, logical safeguards are in place, as well as end-user and access point protections.
After all, 75 percent of cybersecurity incidents stem from accidental insider threats. In fact, HIMSS Analytics reports that email is by far the No. 1 culprit for ransomware attacks.
Teach employees to avoid becoming “patient zero” in a data breach by thinking before they click. Train them to recognize dubious emails, hyperlinks, or attachments; never to use hospital computers for personal reasons; and to report phishing or suspicious activity immediately. Read more about how cybersecurity is a social responsibility here.
In addition to regular training for employees, hospitals should implement additional cybersecurity practices:
The Protenus Breach Barometer showed that for hospital teams responsible for responding to insider threats, one investigator monitors an average of nearly 4,000 employees across 2.5 hospitals. For many hospitals, including small or rural facilities, having the support of a partner like MEDHOST is critical.
Hospitals leveraging extensive automated security technology saved more than $1.5 million on the total cost of a data breach, according to the Ponemon report. And the quicker the data breach resolution, the lower the cost as well.
At MEDHOST, security is paramount, so there is no sliding scale on our security services. It’s part of the package. Everything we do for our customers, we also do for ourselves: the same tools, the same policies to monitor, audit, and alert us to data access anomalies with behavioral analytics against structured and unstructured data.
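To make the idea of alerting on “data access anomalies” concrete, here is an added example (not MEDHOST’s code or tooling) of the simplest form of behavioral baselining over EHR access-audit events: each user’s daily count of distinct patient records is compared against that user’s own prior history, and a day that jumps far above the baseline is flagged. The audit-log line format, user names, patient IDs and thresholds are all constructed assumptions for the example.

```python
"""Added example, not MEDHOST's code: per-user behavioral baseline over
constructed EHR access-audit events. A user whose number of distinct
patient charts opened in one day jumps far above that user's own history
is flagged as a data-access anomaly."""
from collections import defaultdict
import statistics

# Constructed (hypothetical) audit-line format: "<YYYY-MM-DD> <user> <patient_id> <action>"
# Each tuple is (user, day, number of distinct charts opened that day).
SAMPLE_PROFILE = [
    ("nurse_a", "2018-06-01", 8), ("nurse_a", "2018-06-02", 10), ("nurse_a", "2018-06-03", 9),
    ("nurse_a", "2018-06-04", 11), ("nurse_a", "2018-06-05", 10), ("nurse_a", "2018-06-06", 60),
    ("billing_b", "2018-06-01", 20), ("billing_b", "2018-06-02", 22), ("billing_b", "2018-06-03", 24),
    ("billing_b", "2018-06-04", 21), ("billing_b", "2018-06-05", 23), ("billing_b", "2018-06-06", 25),
]


def build_sample_log(profile=SAMPLE_PROFILE):
    """Expand the constructed profile into audit lines. nurse_a has a steady,
    low workload and then opens 60 charts on 2018-06-06; billing_b has a
    higher but stable volume and must not be flagged."""
    lines = []
    for user, day, n in profile:
        for i in range(n):
            lines.append(f"{day} {user} P{i:04d} view")
    # Re-opening a chart already viewed that day must not inflate the count.
    lines.append("2018-06-01 nurse_a P0000 view")
    return "\n".join(lines)


def parse_log(text):
    """Parse audit lines into (day, user, patient, action) tuples, rejecting malformed input."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed audit line: {raw!r}")
        events.append(tuple(parts))
    return events


def daily_distinct_patients(events):
    """Return {user: {day: number of distinct patient records touched}}."""
    seen = defaultdict(set)
    for day, user, patient, _action in events:
        seen[(user, day)].add(patient)
    per_user = defaultdict(dict)
    for (user, day), patients in seen.items():
        per_user[user][day] = len(patients)
    return per_user


def find_access_anomalies(per_user, min_history=3, z=3.0, min_count=20):
    """Flag a day when the user's distinct-patient count exceeds
    max(mean + z*stdev of that user's earlier days, min_count).
    min_history avoids judging on too little data; min_count keeps a
    one-chart fluctuation on a quiet user from tripping the z-score."""
    alerts = []
    for user, days in per_user.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue
            mean = statistics.mean(history)
            std = statistics.pstdev(history)
            threshold = max(mean + z * std, min_count)
            if days[day] > threshold:
                alerts.append({"user": user, "day": day, "count": days[day],
                               "baseline_mean": round(mean, 1),
                               "threshold": round(threshold, 1)})
    return alerts


def analyze(text):
    """Full pipeline: raw audit text -> list of anomaly alerts."""
    return find_access_anomalies(daily_distinct_patients(parse_log(text)))


if __name__ == "__main__":
    for a in analyze(build_sample_log()):
        print(f"ALERT {a['user']} {a['day']}: {a['count']} distinct patients "
              f"(baseline mean {a['baseline_mean']}, threshold {a['threshold']})")
```

Run as-is, it reports a single alert for nurse_a on 2018-06-06 and stays quiet about billing_b, whose higher volume is normal for that role. In a real deployment the baseline would be computed per role as well as per user, over a longer window, and the alert would carry enough context (department, patient-to-encounter relationships) for the one investigator covering thousands of employees to triage it quickly.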
Here is a snapshot of the efforts we put in to protect our customers and ourselves from cyberattacks: