Typically, when hospitals declare emergencies, it’s for incoming patients—not their own internal computer systems. But, in March 2016, Methodist Hospital in Henderson, Kentucky, declared an emergency.
After being hit by a ransomware infection, the hospital placed a scrolling red alert on its homepage stating: “Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web-based services. We are currently working to resolve this issue. Until then we will have limited access to web-based services and electronic communications.”
Rash of Ransomware Attacks Hits Hospitals
In the same week, servers for Chino Valley Medical Center and Desert Valley Hospital, both in California, were attacked. Also in March, MedStar Health in Washington, D.C., was attacked—causing the hospital to turn away patients. And, in February, Hollywood Presbyterian Medical Center in Los Angeles was attacked.
Ransomware is a strain of malware that encrypts data on infected machines. Typically, the attackers demand that victims pay a ransom in a hard-to-trace digital currency in exchange for the electronic key that unlocks their data. Victims of these attacks can regain access to their files only by paying the ransom or by restoring their systems from a backup, if they have one.
Balancing Patient Care and Cybersecurity
Those incidents and other cyber-attacks targeting health care have forced many hospitals to triage cybersecurity to emergency status—especially considering the sensitive patient information that’s at risk of a cyber breach. While no patient data was compromised at the hospitals cited above, it’s only a matter of time before the hackers decide to steal patient data.
Part of the reason is that health care data is rich in personal information, the kind of data that currently commands the highest prices on the underground marketplace known as the “dark web.” As a result, medical organizations are on high alert, striving to balance patient care with cybersecurity. The doctors and nurses at Cambridge Health Alliance in Boston worry about patient data security when they input data into their electronic health records systems.
“It’s one of our main concerns, and it certainly has risen,” said Dr. Brian Herrick, chief medical information officer at Cambridge Health. “You have the patient interaction, you have the computer, you have security and you’re actually trying to think clinically about what to do next.”
Furthering worries about ransomware is the constant influx of new versions. For example, two new strains appeared on the scene just this year:
- CrySis – Called the “number one prevalent” new ransomware by Healthcare IT News, it searches for files with certain extensions, then locks them down by encrypting them and appending a .Crysis extension. This strain also pulls encrypted files off the network, along with admin privileges, resulting in a data breach.
- SAMSAM – Installed by exploiting unpatched JBoss server vulnerabilities, this ransomware strain targets entire enterprises so that attackers can demand higher ransoms.
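As an added illustration, not part of the original article, the Python sketch below shows the kind of detection a hospital SOC could run over file-audit events to catch an encryption run early: it flags any host that creates a burst of files carrying the .Crysis extension the article mentions, while ignoring a single stray file. The log format, host names and paths are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-audit events ("<ISO timestamp> <host> <action> <path>"); made-up lines, not real logs.
SAMPLE_EVENTS = """\
2016-03-18T09:00:01 ws-nurse-04 CREATE C:\\Users\\rn\\Documents\\chart-1017.docx.Crysis
2016-03-18T09:00:02 ws-nurse-04 CREATE C:\\Users\\rn\\Documents\\chart-1018.docx.Crysis
2016-03-18T09:00:03 ws-nurse-04 CREATE C:\\Users\\rn\\Documents\\labs-2231.pdf.Crysis
2016-03-18T09:00:04 ws-nurse-04 CREATE C:\\Users\\rn\\Documents\\labs-2232.pdf.CRYSIS
2016-03-18T09:00:05 ws-nurse-04 CREATE \\\\fileserver\\radiology\\img-77.dcm.Crysis
2016-03-18T09:15:00 ws-admin-01 CREATE C:\\Users\\it\\Desktop\\notes.txt
2016-03-18T11:42:10 ws-billing-02 CREATE C:\\Users\\bill\\claims\\q1.xlsx.Crysis
"""

RANSOM_EXTENSIONS = {".crysis"}  # extension the article names for CrySis (lowercased)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def parse_events(text):
    """Yield (timestamp, host, action, path); lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, action, path = m.groups()
            yield datetime.fromisoformat(ts), host, action, path

def has_ransom_extension(path, extensions=RANSOM_EXTENSIONS):
    """Case-insensitive check of the file name's trailing extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(name.endswith(ext) for ext in extensions)

def find_encryption_bursts(text, threshold=5, window_seconds=60, extensions=RANSOM_EXTENSIONS):
    """Return {host: total ransom-extension files} for every host that created at least
    `threshold` such files inside any `window_seconds` span (an encryption loop's signature)."""
    per_host = defaultdict(list)
    for ts, host, action, path in parse_events(text):
        if action == "CREATE" and has_ransom_extension(path, extensions):
            per_host[host].append(ts)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = len(stamps)
                break
    return alerts
```

With the sample above only ws-nurse-04 is flagged; the lone file on ws-billing-02 stays below the threshold, which is the trade-off between early warning and noise that a real deployment tunes.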
Escalating Security Actions
Striving to make security seamless, the Cambridge medical network has adopted several new security strategies including:
- Replacing Passwords. The medical center has replaced passwords with fingerprints for user authentication.
- Training Staff. To help reduce the impact of bogus “phishing” emails, the IT security department trains the staff about these attacks. It then tests them by regularly sending out phishing-style emails.
- Testing Managers. Cambridge now executes surprise security drills to test managers’ responses. “We have an outside facilitator who comes in and says, ‘Here is your scenario. Now, go through it utilizing your policy, your procedures, and everything else,’” Arthur Ream, chief information security officer at Cambridge, explained.
Other proactive security steps hospitals can take to protect their systems and data are triaging risk, continuous monitoring, and reviewing progress:
- Triage Risk. A risk analysis is a systematic, rigorous process used to identify all of the possible ways in which the confidentiality, integrity or availability of any sensitive information (like patients’ personal data) may be compromised. The main deliverable from a risk analysis is a risk rating report that prioritizes an organization’s potential security issues.
- Monitor Continuously. Continuous risk management is a critical piece of the security process. It addresses multiple aspects of a security program, for example, identifying when updates are needed.
- Review Progress. Organizations need to track and monitor security, for example, the use and disclosure of patients’ personal data. A review program includes regular reviews of procedures, tracking disclosures, and verifying all issues were addressed correctly.
While it’s critical for medical facilities to embrace health care technology to improve patient care, they must also focus on securing their patients’ PHI from cyber criminals. With dependable security measures in place, protecting systems and data, doctors and other health care workers can keep their attention focused where it needs to be—on delivering high-quality patient care.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.