There seems to be a new headline every week about a hospital or healthcare organization becoming the target of a ransomware attack. Are these incidents on the rise? According to a Ponemon report, criminal attacks such as ransomware are now the leading cause of data breaches in the healthcare industry, and have risen 125% since 2010.
Ransomware is a specific kind of malware designed to hold your data hostage within your own environment until you pay a ransom. In 2016 alone, hospitals across the U.S., Australia and Germany have become victims. Why hospitals? The data that healthcare institutions like Hollywood Presbyterian collect from individual patients is particularly attractive to hackers because the records contain much sought-after PHI (protected health information) and PII (personally identifiable information), which command a premium on the black market. In a ransomware attack the calculus is different: a hospital's patient data is irreplaceable, so the institution has a strong incentive to pay to get it back. Antiquated IT infrastructure and a lack of security awareness at hospitals also play a role in introducing vulnerabilities.
In April 2014, the FBI warned in a private notice to the industry that healthcare providers lag behind the financial and retail sectors in cybersecurity, increasing the likelihood of hacks. Ransomware is "definitely a growing threat," Special Agent Chris Stangl of the FBI cyber division said recently.
We’ve rounded up five recent healthcare ransomware incidents that reached the headlines in the past two months.
Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating
“Cyber attacks on hospitals have become more common in recent years as hackers pursue personal information they can use for fraud schemes.”
U.S. hospitals are getting hit by hackers
“In this case, Methodist Hospital refused to pay. It simply shut down the infected part of the computer system, relying instead on backup copies of the information stored elsewhere.”
Ransomware wreaking havoc in American and Canadian hospitals
“Ransomware attacks will ‘wreak havoc on America’s critical infrastructure,’” warns a report from the Institute for Critical Infrastructure Technology (ICIT), a nonprofit examining the cybersecurity of public and private infrastructure. “Ransomware is less about technological sophistication and more about exploitation of the human element,” says the report.
2 more Southland hospitals attacked by hackers using ransomware
“The goal of these hackers, said security expert Phil Lieberman, is not to steal data but to merely lock it in place and take away the key.”
Virus infects MedStar Health system’s computers, forcing an online shutdown
“‘Even the lowest-level staff can’t communicate with anyone. You can’t schedule patients, you can’t access records, you can’t do anything,’ said one employee who asked that her name not be used because she was not authorized to speak about the incident.”
The slew of recent incidents is leading many to ask whether ransomware counts as a data breach under HIPAA guidelines. As this Forbes article discusses, ransomware sits in a gray area: in many incidents PHI is never accessed, only held at bay, so technically no PHI is breached. As a result there is no legal reporting requirement, and many more incidents are likely going unreported. Yet because a ransomware attack calls into question the confidentiality, integrity and availability of electronic protected health information, all three of which the HIPAA Security Rule requires covered entities to protect, this interpretation could change in the future.
And we all know what can happen after an actual breach of confidential patient information. The following list of articles reveals the aftermath of a healthcare breach in terms of fines and penalties.
Major health system’s research arm pays $3.9M to settle data breach
“Data security has emerged as a critical issue for health care providers as the amount of medical information stored electronically grows exponentially. The fine is one of the largest ever paid to the U.S. Department of Health and Human Services’ Office for Civil Rights.”
Hospital data breach patients to receive settlement checks
“Nearly 31,000 people whose personal health information – including lab results and body mass indexes – was made available on the Internet will split $7.5 million.”
Fortunately, it’s not all bad news. There are some success stories amid the headlines, which offer insight into how to minimize the impact of a ransomware event and shift the thinking around current security approaches.
Backup routines crucial to disaster, hack rebound
“You ought to have a plan that has regular audits of your processes and ensures you have fresh eyes on what you’re doing and why you’re doing it.”
4 reasons not to pay up in a ransomware attack
“Regularly test the backup to make sure the files are archived correctly. The aftermath of a ransomware infection is not the time to discover that critical files were not being stored or jobs weren’t kicked off in a timely manner.”
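The advice above is easy to state and rarely automated. The script below is an added example, not code from the original post or from any product mentioned on this page, of the minimum a scheduled backup check should do: confirm every critical file in a manifest is present in the backup set, confirm each file still hashes to what was recorded at backup time (a silent change would also catch ransomware that encrypted the copy in place), and confirm the last backup job finished recently. The `BACKUP_COMPLETE` marker file, the `ehr/` sample files and the 24-hour freshness window are constructed assumptions for the demonstration; substitute your backup tool's own catalog or completion record.

```python
"""Backup verification: are the critical files there, intact, and fresh?

Added example (not from the original post). All paths and sample files
below are constructed for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile
import time

MARKER = "BACKUP_COMPLETE"  # assumed: the backup job writes this file as its final step


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Record the hash of every file under source_dir, keyed by '/'-separated
    relative path. Produced at backup time; later checks compare against it."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(backup_dir, manifest, max_age, now=None):
    """Check a backup set against its manifest.

    Returns a dict with the files missing from the backup, the files whose
    content no longer matches the recorded hash, whether the completion
    marker is older than max_age seconds (or absent), and an overall verdict.
    """
    now = time.time() if now is None else now
    missing, corrupted = [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(backup_dir, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)          # the job never stored this file
        elif sha256_file(path) != expected:
            corrupted.append(rel)        # stored, but the bytes changed since
    marker_path = os.path.join(backup_dir, MARKER)
    if os.path.isfile(marker_path):
        stale = (now - os.path.getmtime(marker_path)) > max_age
    else:
        stale = True                     # no marker: the job never finished
    return {"missing": missing, "corrupted": corrupted, "stale": stale,
            "ok": not (missing or corrupted or stale)}


def run_demo():
    """Constructed scenario: verify a healthy backup, then the same backup
    after one file is lost, one is altered and the job stops running."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "source")
    backup = os.path.join(work, "backup")
    os.makedirs(os.path.join(source, "ehr"))
    with open(os.path.join(source, "ehr", "patients.db"), "wb") as f:
        f.write(b"constructed sample record store\n" * 1000)
    with open(os.path.join(source, "ehr", "labs.csv"), "w") as f:
        f.write("mrn,test,result\n0001,hba1c,6.1\n")
    with open(os.path.join(source, "schedule.json"), "w") as f:
        f.write('{"clinic": "constructed"}')

    manifest = build_manifest(source)
    shutil.copytree(source, backup)
    open(os.path.join(backup, MARKER), "w").close()   # job's last step
    healthy = verify_backup(backup, manifest, max_age=24 * 3600)

    # The failure modes the quote warns about, plus a silently altered copy.
    os.remove(os.path.join(backup, "ehr", "labs.csv"))
    with open(os.path.join(backup, "schedule.json"), "a") as f:
        f.write("\n")
    three_days_ago = time.time() - 3 * 24 * 3600
    os.utime(os.path.join(backup, MARKER), (three_days_ago, three_days_ago))
    broken = verify_backup(backup, manifest, max_age=24 * 3600)

    shutil.rmtree(work)
    return healthy, broken


if __name__ == "__main__":
    for label, report in zip(("healthy", "broken"), run_demo()):
        print(label, report)
```

Run this from cron (or your scheduler) against each backup target and alert on any report where `ok` is false; a check that only runs when someone remembers to run it reproduces exactly the problem the quote describes.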
Case Study: A CISO’s View of Security’s ‘Paradigm Shift’
“‘Organizations need to take the assumption of breach. They need to take the defensive mentality that you’re not just putting in tools, but you are actively protecting assets,’ he says. ‘And by assuming breach, that means you need to be able to know if a malicious pattern has happened with your data.’”
Follow the data to improve security preparedness, hospital CIO says
“Healthcare organizations are subject to about one cyberattack per month, according to the Ponemon Institute, with attacks increasing in frequency and sophistication.”
Interested in learning more about this topic and finding solutions? Download our new white paper: Finding The Right Prescription for Effective Life Science Data Governance.
Interested in learning more about Druva’s single dashboard for backup, availability and governance? Check out these popular resources: