The April edition of AHIMA Journal published an interesting article regarding ransomware attacks on hospitals and reported that the last known attack had been resolved internally by simply paying the ransom to the attacking hackers.
Often, resolving such incidents internally is seen as preferable to reporting them and losing revenue during the downtime it would take to properly restore the compromised data. In addition, vital, up-to-date information can become a matter of life and death for patients when healthcare providers are locked out of it. What the victimized hospitals are essentially paying for is a decryption key that restores full access to the rightful owner.
Over the past few months, Methodist Hospital, MedStar Health and, most recently, Hollywood Presbyterian Health have become victims of this malware trend, with Methodist reporting that it restored its files from a backup. While the Hollywood Presbyterian attack resulted in the hospital paying the ransom, MedStar was the only system whose IT department was able to spot the malware attack as it was occurring.
Cybersecurity is not held in the same regard as HIPAA compliance. While hospitals are more concerned with making sure that they are compliant, very little is spent on training employees on how to avoid downloading malware, or on creating standard procedures for avoiding or preventing cyber-attacks. In many cases, the weakest link is the untrained system user. A good start to shoring up hospital security would be to provide hospital staff with basic training on how to spot foreign or potentially dangerous emails; how to set up a solid password protocol; and to ensure that the IT department always has a robust antivirus and anti-malware policy. The key to most cybersecurity is non-stop vigilance across the board.
Despite the fact that ransomware attacks are on the rise (from 100,000 in January 2014 to 600,000 by December of 2014), no significant investments have been set aside for IT departments to improve this area of concern. According to Michael Williams, CEO at Global Healthcare IT, “a larger involvement from the federal authorities is unlikely until a more catastrophic situation occurs. For example, where malware locked a hospital system and directly led to the death of a patient.” Such an event is likely to trigger a more concerted effort to catch the extortionists. The difficulty lies in the fact that many of the perpetrators live outside the jurisdiction of US authorities and generally try to avoid locking patient-critical systems. For the foreseeable future, hospital cyber-attacks are likely to be an increasingly regular, unwelcome reality.