Why health systems must take ransomware protection seriously
by Sara Nguyen
Ransomware is malicious software that encrypts a network’s data and blocks access to files. Attackers use it to extort companies, demanding a ransom in exchange for restoring access to the data.
Ransomware attacks can put a halt to a company’s operations and can affect multiple industries including healthcare systems. The aftermath of a ransomware attack is difficult to resolve as an organization tries to recover the network, income, and trust of its customers.
You may think there is only a slim chance that you will become the victim of a ransomware attack, but it’s not a risk worth taking, especially if you are a healthcare organization.
Covered entities have a commitment to keep protected health information (PHI) secure and prevent unauthorized disclosure. Patients need assurance that their privacy is protected, and it’s also the law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets out rules and regulations concerning PHI. If these rules aren’t followed, a healthcare organization can face serious penalties for violating HIPAA.
Healthcare is highly targeted by hackers
Healthcare networks have always been a target of cybercriminals because hospitals can’t fully operate and treat patients without their data. In fact, a ransomware attack led to one patient’s death in Germany. The immediate need to treat patients makes healthcare systems vulnerable and more likely to bend to hackers’ demands.
The pandemic has made the situation worse. Hackers have been taking advantage of stressed employees and unprotected networks to infiltrate their systems. The number of attacks against healthcare providers has been steadily rising; malicious emails have seen an increase of 600% due to COVID-19.
Some effects of cybercrime against the healthcare industry in the last year include:
- The largest ransom ever paid, $40 million, was paid by an insurance company
- Ransomware attacks were responsible for 50% of all healthcare data breaches
- Over 1 million people every month had their data exposed because of data breaches
Ultimately, the recovery process from a ransomware attack is costly and time-consuming. It’s much more affordable and less stressful to implement strong ransomware protection.
Ransomware has caught the attention of the federal government
Ransomware attacks have caused such widespread disruption that the US government has taken action. The Justice Department recently formed a new task force to address the rise in ransomware attacks. The FBI is also investigating some ransomware attacks against healthcare providers.
The US government also recently launched StopRansomware.gov to aid organizations in mitigating their ransomware risk. The one-stop hub provides recommendations and tools for organizations to understand ransomware and protect their networks.
Federal government intervention is needed because ransomware attacks can cause international issues. Kaseya, a remote monitoring and management software company, recently suffered a ransomware attack through its VSA product in June. It has affected over 1,000 companies in 17 countries, and Kaseya recommended completely disabling its own software to protect networks.
It’s a stark reminder that even if you are not strictly a healthcare organization, business associates also need to take care to protect PHI.
How does stolen data affect health systems?
When more than 500 individuals’ PHI is viewed, stolen, or otherwise compromised, a healthcare organization needs to notify the US Department of Health and Human Services (HHS). You may also need to notify affected patients and possibly the media.
HHS may conduct an investigation about the data breach, and you could face large HIPAA fines and monitoring by the HHS for several years.
After stealing data in a successful ransomware attack, most, if not all, hackers demand a ransom both to return the data and to refrain from selling PHI on the black market. While some organizations pay the ransom, others don’t and risk double extortion. This was the case for Wolfe Eye Clinic. It refused to pay a ransom and opted to recover its data from backups, but there is still a risk of the hackers selling the PHI.
Even if you can fend off hackers, a healthcare organization can still violate HIPAA guidelines. Brandywine Urology was able to block hackers from accessing its electronic medical record system, but over 131,000 patients still had their sensitive data exposed.
Ransomware attacks are costly
A healthcare organization may view cybersecurity as an expense, but it is nothing compared to what you could lose in the event of a data breach.
Even if you can avoid paying a ransom, there is still a HIPAA investigation that could lead to heavy fines for not carrying out the appropriate safeguards to protect PHI. You may also be subject to a corrective action plan that is costly to implement.
Patients also may sue for having their information exposed. They can file lawsuits for negligence or breach of implied contract. This was the case for a US fertility clinic that had patient data exposed earlier this year.
Protecting patient data is a non-negotiable
Don’t make the mistake of thinking cyberattacks can’t or won’t target your organization. It’s a costly error that leads to several problems.
Take a look at Scripps Health. A ransomware attack left Scripps unable to access its networks for a month. Patient portals, email accounts, and even the company website suffered extreme downtime. Scripps is now being investigated by the federal government, and patients have sued the company for not protecting their sensitive data.
Taking proactive action and implementing robust ransomware protection will save your healthcare organization a huge headache and potentially millions of dollars. Don’t hesitate to make cybersecurity a priority.