Thursday, October 13, 2016

Ransomware in Hospitals: What Providers Face When Attacked

Healthcare providers are now discovering they are a soft target for highly sophisticated cybercriminals. It is nearly impossible for ransomware victims to crack a hacker’s crypto keys. The FBI is even on record advising ransomware victims to just pay.

In the July/August issue of The Journal of Medical Practice Management, Bruno Kelpsas and Adam Nelson authored an article, “Ransomware in Hospitals: What Providers Will Inevitably Face When Attacked,” which describes the following scenario:

One Friday, Sally, a member of a local hospital’s finance team, receives an overdue billing statement from a vendor's email address. Being the end of the month, she considers this email a routine part of billing and reporting. Sally opens the email, as well as the attached contract in Word format. Suddenly, Sally’s monitor turns to a red screen, beginning with the word CryptoLocker.

Sally froze. She had heard about cyber threats in training, but in her trusted vendor's billing statement? Who would be as sophisticated as that? Sally immediately picked up the phone and called the IT department.

Too late.

Sally just experienced a highly advanced cybersecurity breach known as ransomware – this one specifically referred to as CryptoWall (CW). In the following moments Sally, IT, hospital executives, nurses, doctors, and patients will discover that valuable database files have been locked. Because the locked files threaten hospital operations and the Emergency Department, patients are moved to another physical facility for care. Typically, the only way for the hospital to regain access to its information is to pay the hacking agent a requested fee using Bitcoin.

Currently, the healthcare industry responds to compromises on a reactive basis, much as the financial services industry simply replaces consumers’ credit cards after a retail breach, such as the recent attacks on Target and Home Depot. This security mindset is predicated on a lack of enforcement, the absence of appropriate penalties, and a culture of risk mitigation. Due to this attitude of acceptance, patients are consistently at risk of having their personally identifiable information compromised. To reset how healthcare organizations think about cybersecurity, measures must be taken proactively to protect businesses against impending attacks. Otherwise, breaches are likely to continue until stricter enforcement and penalties are put in place for healthcare companies and stakeholders.

All organizations need a proactive and comprehensive cybersecurity plan. However, although many operations have the “right” plan and the necessary hardware, software, and processes in place, the reality is that many do not have the time and resources to implement their response plan and fulfill the documentation requirements of HIPAA, the SEC, and state regulations, in addition to ensuring business continuity. Therefore, to get started, healthcare organizations must focus on the four pillars of security:
  • Governance, risk and compliance;
  • Security monitoring and management;
  • Threat intelligence; and
  • Incident response.
Furthermore, organizations must layer their efforts from basic responsiveness to advanced responsiveness, and finally, become preemptive.

Once the strategy is developed and implemented, companies must conduct an internal review and gauge how teams will align with internal security: be out of the security business, own some of it, or close the gaps. Ensure there is balance between managing the unexpected and current resources.

The healthcare industry is the #1 industry targeted by attackers. It is imperative for organizations to reevaluate the way they approach cybersecurity, rather than resting on their laurels in what is currently seen as the “new normal” security mindset.

The Journal of Medical Practice Management