Imagine you are a patient in a hospital that gets attacked by ransomware. Your medical records and other data are locked up, and all users, including your physicians and nurses, are denied access to them. Let’s say you are about to receive chemo, radiation, or another vital treatment.
What would you do? What can you do?
Not a whole lot, unless of course you have your own personal backup of your hospital medical records on hand. And even then the hospital may not be able to operate.
Think this sounds implausible? Think again. And read on.
As many as 75 percent of U.S. hospitals have been hit with ransomware in the last year. Hospitals are considered ideal targets because they need patient information immediately, often lack the tools to prevent such an attack, and many have not educated and trained their employees on how to avoid one. Many simply pay up, but not before extensive delays and having to turn patients away or evacuate them from the facility.
This kind of cyber extortion can put patients at risk and compromise patient safety.
If this is new to you, ransomware is malicious software that encrypts the files on a computer or across a computer network so that they cannot be read without a decryption key the attackers hold. Cybercriminals hold that key for ransom until payment is made. In a hospital, it will lock up electronic patient records and other data on its computers and networks, leaving the information inaccessible to the medical professionals who need it for patient care. The attackers leave ransom notes on the affected systems demanding payment, usually in Bitcoin, in exchange for the key that unlocks the data. Sometimes the cyber extortionists release the data after receiving the ransom payment and sometimes they don’t.
According to the FBI, “Ransomware attacks are growing in number and are becoming more sophisticated.” The FBI also reports that hacking victims in the U.S. paid more than $209 million in ransom payments in the first three months of 2016.
Malware can be sent in an email to a specific person with an attachment that appears to be legitimate, such as an invoice or electronic fax. Or the email can contain a legitimate-looking link which the victim clicks on and is then taken to a website that infects the computer with malicious software.
There are newer cases in which cyber criminals don’t use email at all. They seed legitimate websites with malicious code that then encrypts files on the visitor’s computer and on any network shares or backup drives it can reach.
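The two email tricks described above, a disguised attachment and a link whose visible text names one site while it actually points at another, are both checkable before a user ever opens the message. The following is an added example, not code from the original post or from any vendor it mentions: it builds a constructed phishing email in memory (the supplier, hospital and IP addresses are made-up placeholders), then flags risky or double-extension attachments and links whose displayed host differs from the real one. The list of risky extensions is an assumption meant to be tuned locally.

```python
# Added example (not from the original post): triage a constructed phishing
# e-mail for a disguised attachment and a deceptive link. Standard library only.
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that commonly carry ransomware droppers; the list is an assumption.
RISKY_EXT = {".exe", ".js", ".jse", ".vbs", ".wsf", ".scr", ".hta", ".docm",
             ".xlsm", ".zip", ".rar", ".lnk", ".bat", ".cmd", ".ps1"}
# "invoice.pdf.js": a harmless-looking extension hiding the one that executes.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|txt)\.[a-z0-9]{1,4}$", re.I)
# Visible link text that itself looks like a URL or a domain name.
LOOKS_LIKE_HOST = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage_message(raw: bytes) -> dict:
    """Return the risky attachment names and deceptive links found in one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"attachments": [], "links": []}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
            if ext in RISKY_EXT or DOUBLE_EXT.search(name):
                findings["attachments"].append(name)
        if part.get_content_type() == "text/html":
            parser = _LinkExtractor()
            parser.feed(part.get_content())
            for href, text in parser.links:
                m = LOOKS_LIKE_HOST.search(text)
                shown_host = m.group(1).lower() if m else ""
                # The text names one host but the link goes somewhere else.
                if shown_host and shown_host != _host(href):
                    findings["links"].append({"shown": text, "actual": href})
    return findings


def sample_message() -> bytes:
    """Constructed phishing e-mail for the demo; not a real captured message."""
    m = EmailMessage()
    m["From"] = "billing@supplier.example"
    m["To"] = "nurse@hospital.example"
    m["Subject"] = "Invoice 4471 overdue"
    m.set_content("Please see the attached invoice.")
    m.add_alternative(
        '<p>Review it at <a href="http://198.51.100.7/login">'
        'https://portal.hospital.example/invoices</a> or our '
        '<a href="https://supplier.example/help">help page</a>.</p>',
        subtype="html")
    m.add_attachment(b"var s = 'placeholder script';", maintype="application",
                     subtype="javascript", filename="invoice_4471.pdf.js")
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                     subtype="pdf", filename="schedule.pdf")
    return bytes(m)


if __name__ == "__main__":
    print(triage_message(sample_message()))
```

Run against the sample, the script reports `invoice_4471.pdf.js` as a risky attachment and the first link as deceptive (shown host `portal.hospital.example`, real host `198.51.100.7`), while `schedule.pdf` and the plain "help page" link pass. A mail gateway would quarantine on either finding rather than rely on the recipient noticing.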
In May of 2016, Kansas Heart Hospital was hit with ransomware and extorted twice: after paying once, it was told to pay again for the rest of its data.
In April of 2016, three Southern California hospitals owned by Prime Healthcare Services were attacked by ransomware. Prime Healthcare Services stated in a Los Angeles Times article that it did not pay the ransom. The FBI recommends not paying. One can understand why hospitals would pay up to get their systems and patient care running as soon as possible; there just aren’t enough tools in place for them to do much else. Some hospitals do refuse to pay and rely instead on backup copies of their information. Still, it can take several days for them to get back to some degree of normalcy.
In March of 2016, cyber criminals attacked the 10-hospital MedStar Health system in the Maryland and District of Columbia region. The hackers encrypted data across the hospital chain’s computer networks, freezing access to it. The Baltimore Sun reported that the malware attack left MedStar’s hospitals unable to access patient data and in some cases having to turn patients away.
Also in March of 2016, Methodist Hospital in Henderson, Kentucky, was crippled by ransomware and declared an internal state of emergency. The hospital was forced to shut down all of its computers because of the malware. The ransom note left on the affected systems by the Locky malware demanded payment in bitcoin.
In February of 2016, the Hollywood Presbyterian Medical Center in Los Angeles had its computer network attacked by cyber criminals who demanded $17,000 in bitcoin to release patients’ records. Hollywood Presbyterian paid the ransom.
Not a cyber extortion attack but noteworthy all the same, in July of 2015 UCLA Health was the victim of a major cyber attack in which data on 4.5 million patients, including Social Security numbers, was compromised.
Among others, Anthem Blue Cross disclosed that data on 80 million customers was compromised in 2015.
The list goes on.
California state Sen. Bob Hertzberg authored a bill in an effort to make ransomware a felony. Let’s hope that passes. But I have to wonder how cyber criminals would be charged, since most cyber attacks originate outside of the U.S. The bill amends the state’s existing extortion law to add penalties specifically for ransomware attacks. If it passes, cyber criminals would face a fine of up to $10,000 and a sentence of two, three, or four years in jail.
Seems like a paltry sum and a much-too-short jail sentence if you ask me. After all, cyber extortion is basically data kidnapping that could put patients’ lives at risk. Under federal law, extortion carries up to a 20-year sentence, depending on the circumstances. Perhaps Hertzberg’s bill is a good start on a massive, growing problem.
Hospitals must focus on prevention of these ransomware attacks. Real-time backup of electronic medical records and other data is an important strategy, but it only addresses the problem after the attack has happened, and it only works if the backup survives the attack: a backup drive or network share that the infected machine can write to will be encrypted along with everything else, so at least one copy must be kept offline or otherwise unwritable from production systems, and restores must be tested before they are needed. Many hospitals don’t even back up. Preparing for a ransomware attack is essential for every hospital or other healthcare facility. Many hospitals claim to have insufficient funding to pay for internal experts such as chief security officers or to enlist a solid cybersecurity company’s services.
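The point about backups is easiest to see by running it. The following is an added example, not code from the original post or from any hospital it mentions: it creates a few made-up patient record files in a temporary directory, takes a hashed backup to two stores (one still mounted by the host, one treated as detached once written), then overwrites and renames files the way ransomware would on both the live data and the mounted store, and finally checks which copy still verifies against its manifest and can be restored. The "scramble" step is a stand-in for the encryption, not malware, and all file names and contents are constructed for the demo.

```python
# Added example (not from the original post): a backup the infected host can
# write to is not a recovery plan. Standard library only; runs in a temp dir.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _digests(root: Path) -> dict:
    return {str(p.relative_to(root)): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, store: Path, version: str) -> Path:
    """Copy src into store/<version>/data and record a SHA-256 manifest beside it."""
    dest = store / version
    shutil.copytree(src, dest / "data")
    (dest / MANIFEST).write_text(json.dumps(_digests(dest / "data"), indent=1))
    return dest


def verify_backup(version_dir: Path) -> bool:
    """True only if the manifest is intact and every listed file still matches it."""
    try:
        manifest = json.loads((version_dir / MANIFEST).read_text())
    except (OSError, ValueError):      # manifest missing, renamed or overwritten
        return False
    return _digests(version_dir / "data") == manifest


def scramble_in_place(root: Path) -> int:
    """Stand-in for the ransomware encryption step (NOT malware): overwrite each
    file's bytes and rename it, as real families do. Returns the files touched."""
    touched = 0
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
            p.rename(p.with_name(p.name + ".locked"))
            touched += 1
    return touched


def restore(version_dir: Path, target: Path) -> bool:
    """Restore only from a backup that verifies; return whether a restore happened."""
    if not verify_backup(version_dir):
        return False
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(version_dir / "data", target)
    return True


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "ehr"                       # constructed "production" records
        (live / "charts").mkdir(parents=True)
        (live / "charts" / "pt-0001.txt").write_text("patient 0001: chemo cycle 3 on 2016-05-12\n")
        (live / "charts" / "pt-0002.txt").write_text("patient 0002: radiation plan approved\n")
        (live / "schedule.csv").write_text("room,time\nA1,08:00\n")
        before = _digests(live)

        mounted = make_backup(live, tmp / "backup-share", "v1")   # host can still write here
        offline = make_backup(live, tmp / "offline-vault", "v1")  # detached after the write

        # Infection: the host encrypts its own files and everything it can write to.
        scramble_in_place(live)
        scramble_in_place(mounted)

        restored = tmp / "restored"
        result = {
            "mounted_verifies": verify_backup(mounted),
            "offline_verifies": verify_backup(offline),
            "restored_from_mounted": restore(mounted, restored),
            "restored_from_offline": restore(offline, restored),
        }
        result["restore_matches_original"] = _digests(restored) == before
        return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

The mounted copy fails verification (its manifest and data were overwritten and renamed along with the live records) and is refused as a restore source, while the detached copy verifies and restores byte-for-byte. The manifest check is what turns "we have a backup" into "we have a backup we can trust"; without it, a restore from the mounted share would silently bring the encrypted files back.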
“Educating and training all system users is crucial,” states Healthcare IT News in its article, Tips for protecting hospitals from ransomware as cyberattacks surge. “All it takes is one uneducated user.” It’s the employees in hospitals who click on phishing emails or visit compromised websites.
It’s not just hospitals or healthcare facilities that fall victim to ransomware. Patients must be protected too.
I welcome your comments.