The high profile WannaCry and Petya ransomware attacks in 2017 brought institutions—including major health systems—around the world to a screeching halt and drew attention to the rising cybersecurity threats facing healthcare.
In fact, the nonprofit ECRI Institute named ransomware and other malicious software its top health technology hazard for 2018. Hackers use these computer programs to infiltrate an organization’s network and prevent the organization from accessing its electronic medical records or online systems. The attackers then demand a ransom to stop the attack. These attacks can bring normal hospital operations to a halt, causing delays in patient care that could threaten patient safety, said Juuso Leinonen, senior project engineer in the ECRI Institute’s Health Devices Group.
“This is a problem and there’s probably no hospital that’s completely immune to it,” Leinonen said.
Healthcare has become the top target for such attacks, according to a survey of 2700 information technology (IT) managers by network security company Sophos. Three-quarters of healthcare institutions that responded to the survey had been victims of ransomware attacks, even though more than half had systems in place to prevent them. Across sectors, the average cost of an attack was $133,000, and affected organizations often face repeat attacks.
Vulnerable systems
Healthcare organizations often are easier targets than organizations in other industries that have worked to harden their defenses, explained James Scott, senior fellow at the nonprofit Institute for Critical Infrastructure Technology (ICIT) in Washington, DC. Hospitals may not have leaders who are well versed in cybersecurity and their frontline information technology staff may not have the right expertise and training to ward off attacks, he said.
“The nature of 24/7 patient care also makes routine IT maintenance tasks more difficult to achieve,” said Andrew Mundell, a security architect at Sophos.
Growing use of networked medical devices is another challenge, Leinonen noted. These expensive devices may have lifespans that stretch for a decade, he said. Some hospital devices may still require manual updates; others may be so old that new security patches are no longer available.
“The reality is that there are thousands of medical devices in most healthcare institutions from hundreds of different vendors and potentially each one of those devices could have their own security requirements or patching requirements so that definitely makes it a significant problem and very difficult to manage,” Leinonen said.
Smaller healthcare organizations like physicians’ offices or dialysis centers may be at even greater risk, said Mundell.
“[Small organizations] are likely to have smaller IT and security teams working to combat the latest threat,” he said.
Once an organization has been compromised, it is likely to face repeated attacks, according to the Sophos report. It may be reinfected by the same malicious software if the organization fails to properly remove it from the system, Mundell said. After an organization pays a ransom, attackers may increase the number or sophistication of their attacks in the hope of securing another ransom.
Very sophisticated hackers may use a ransomware attack as a distraction so they can establish remote access to medical records or other data that they can later extract undetected, Scott said. Patient information such as Social Security numbers, credit card numbers, or health insurance credentials can be sold to would-be identity thieves for $20-$1300, depending on how much information is offered, according to an ICIT report.
“The fact that there is a lot of sensitive data in a healthcare institution makes it inherently risky and appropriate controls need to be in place to make sure that data is protected both on your medical devices as well as in your other systems,” Leinonen said.
Data defenses
There are many steps that healthcare organizations of all sizes should be taking to protect against ransomware and other online threats. Some may require substantial time and financial resources, but experts say they are essential.
“You are investing for the future,” said Michelle De Mooy, director of the Privacy & Data Project at the Center for Democracy and Technology. “You are protecting your patients’ privacy and the integrity of your data.”
Organizations should do a risk or security audit to help them identify their vulnerabilities, De Mooy recommended. Institutions should encrypt their data and have backup systems in place, she said. They should also ensure that all employees are adequately trained to recognize potential threats, such as suspicious links in e-mails or files ending in .exe.
They should also have a complete inventory of all networked medical devices, the software they use, and records of system updates, Leinonen said. He and his ECRI colleagues frequently field questions from hospitals hit by ransomware attacks about which devices may be vulnerable. Too often these facilities don’t have the information they need to quickly identify devices at risk.
“Knowing what you have is almost a requirement to protecting them effectively,” he said.
Organizations should also consider security when they purchase new medical devices, Leinonen said. These decisions should be made with input from frontline medical staff, IT staff, and the Chief Information Officer.
Facilities should aim to have a multi-layered defense against attacks, Scott said, so that attackers “give up and move on.” He emphasized the importance of investing in qualified IT staff and hiring an in-house or outsourced threat-hunting team that can proactively test for weaknesses, seek out hackers in the system, and patch vulnerabilities.
Leinonen emphasized the need to adequately budget for data and systems security in order to preserve smooth operations.
“The reality today is that things are going to get more and more connected and this is going to be more of a significant concern as time goes on,” he said. “This is not solely an IT problem, this is something where anybody, everybody from C-Suite to frontend clinicians can and should have a role to positively contribute overall to managing the security risks that may exist within the organization.”