My colleague recently attended a HIMSS CIO Roundtable in Dallas, Texas. The roundtable featured four CIOs from hospitals and healthcare companies, with discussion focused around the top concerns and challenges facing healthcare institutions today. When my coworker returned and shared a recap of the panel, I was surprised to hear that much of the discussion focused on ransomware as a top threat facing healthcare institutions.
Of course, it shouldn’t be surprising that healthcare CIOs would name ransomware as a major threat. High profile ransomware attacks on healthcare organizations have been well-documented over the past few years. The issue seemed to reach a boiling point in 2016, which saw the extortion of $17,000 from Hollywood Presbyterian Medical Center followed by infections at the Los Angeles County Department of Health Services, Ottawa Hospital, Methodist Hospital, Chino Valley Medical Center, and Desert Valley Hospital. Ransomware infections became so widespread in healthcare last year that they even prompted the Department of Health and Human Services to update the HIPAA regulation to require companies to report ransomware infections impacting electronic patient health information (ePHI) as data breaches.
And ransomware attacks targeting healthcare organizations haven’t stopped. A year after 2016’s rash of ransomware attacks in the healthcare sector, we’ve just seen another string of infections at similar targets, this time using a one-two punch of ransomware infection combined with exposure of sensitive data. March 20 brought the news that information on almost 18,000 patients of Metropolitan Urology had been exposed in a ransomware attack. The data exposed included names, patient account numbers, and information on providers and medical procedures for individuals who were patients of the clinic between 2003 and 2010. Just over a week later, on March 28, another ransomware attack hit Urology Austin, exposing personal information on up to 200,000 patients in the process. The information exposed in that attack included patients’ names, addresses, birth dates, Social Security numbers, and medical data.
Victims were able to restore operations without paying ransoms in many of these incidents, but that doesn’t mean they passed without causing harm – in the case of Methodist Hospital, web-based services and electronic communications were down for five days while the hospital worked to restore systems. That kind of downtime and the restoration work required can be even more costly than ransoms themselves, as noted by John Pirc of SecureWorks in our latest podcast. And because these incidents are now reportable under HIPAA’s increasingly stringent guidelines, the damage done can extend well beyond ransoms or recovery and into hefty HIPAA fine territory. Those fines can reach up to $5.55 million, as was the case with Advocate Health Systems last year.
What ultimately surprises me is that ransomware is still succeeding in healthcare and beyond. For over a decade ransomware has been used to extort millions from businesses, and healthcare is certainly amongst the hardest hit industries. According to the healthcare CIOs who participated in the HIMSS Roundtable, these attacks have led to high pressure from corporate boards – board-level conversations regarding information security initiatives aren’t exactly commonplace, so clearly some progress has been made in terms of awareness of the threat. But why does it remain a damaging problem, particularly for healthcare?
The defenses against ransomware are well known, and most amount to basic information security best practices – keeping software up to date, backing up data frequently and to an off-network location, and educating users on the common techniques used to distribute ransomware (phishing attacks, drive-by downloads, and the like). There’s a chance that some of these victims, like many enterprises, had already covered the basics of ransomware protection – so what else can be done to protect against ransomware?
The four CIOs featured in the panel seem to be taking the threat of ransomware very seriously – perhaps a positive side effect of the increased pressure from their boards concerning ransomware protection. They offered some sage advice beyond the fundamental “backup, update, and educate” tips, emphasizing the importance of taking a multi-layered approach to ransomware defense that includes implementing technologies and processes for early detection and response, leveraging threat intelligence to keep up with current attacks, and focusing on data protection to ensure that data is secured against loss or exposure even in the event of a ransomware infection. Companies that take the ransomware threat seriously would be wise to do the same.