When we picture disaster, we think of a storm. We imagine downed power lines, ice-cold heaters, and flooded rooms. In our minds, devastation and danger come in the dramatic wake of blinding rain and hurricane winds; we never imagine that it could creep in on a cheerfully sunny day, invited in with the click of a seemingly innocuous email. The attacks start quietly: a nurse responds to a sketchy message; a doctor clicks on a link that he should have avoided. This well-meaning interest sparks an invasive chain of intrusions that culminates in the forced encryption of countless patient records and hospital data, leaving an unprepared institution at the mercy of the attacking hackers. At this point, the hackers themselves make a virtual appearance and offer to decrypt the data – with one caveat. They want the hospital to compensate them for their efforts. Helpless, the medical center is left with two options: to pay up and hope that the data is decrypted as promised, or to refuse, and hope that they can recover from the loss.
For most businesses, a ransomware attack like the one described above is damaging. It negatively impacts productivity, puts valuable corporate data at risk, diminishes client trust, and creates a financial drain as restoration efforts carry on. But for medical centers, cybersecurity breaches don’t just pose a risk to the institution’s resources or finances, but to the patients they treat. When hackers encrypt medical center data, they lock providers out of the information they need to treat patients and communicate with other medical professionals, thereby leaving caregivers without the information they need to provide effective care. Lives are quite literally on the line during these hacks – and not just for those in the hospital on the day of the attack.
Data encryption may be a dangerous and immediate inconvenience for doctors, but the real threat lies in the long-term risk of exposure. When hackers break into a hospital’s system, they claim control of its patients’ Electronic Health Records (EHRs). These digital records contain all of the information typically found in a standard clinical history and far more: with details on past residences, family members, demographic data, employment history, and billing information, EHRs are a potential gold mine for identity thieves and hackers who want to make a profit on the black market. For some patients, a ransomware attack that lasts for a few hours can turn into an identity fraud struggle that haunts them for years. Worst of all, some projections suggest that ransomware attacks on medical centers will quadruple by 2020.
The reason for this targeting is as simple as it is despicable: hospitals need their data to save patients and lack the technology needed to fight back against cyber attacks. This desperation for recovery can make paying the ransom seem like the only option, as Hollywood Presbyterian Medical Center infamously found in early 2016. During this hack, cybercriminals encrypted the hospital’s EHR and held it hostage, demanding $17,000 in payment. The center paid for the return of its data and later released a statement announcing that the hackers did not access or circulate the stolen information after encryption. HPMC recovered its data – but its well-publicized payment may have contributed to the problem in the long term. After the raid, cyber criminals had definitive proof that holding medical data for ransom was a lucrative gamble. According to the results of a recent survey of 300 healthcare professionals across the U.S. and U.K., 26% of participants “reported that their organization would be willing to pay a ransom in the event of a cyber attack. Of these […] 68 percent of U.S. healthcare IT professionals have a plan in place for this situation.” These findings suggest that cybercriminals who launch their own hacks will have a ready pool of paying victims – and that a considerable percentage of those victims won’t have a plan to fall back on if disaster does strike.
But here’s the kicker: if all at-risk medical centers stopped paying ransoms and had the capability to resolve their own data breaches, these same criminals wouldn’t have an opportunity for profit. The issue we face today isn’t just that hackers are holding data hostage, but also that medical centers aren’t prepared to fight back. As Elliott Frantz, CEO of Virtue Security, commented for Healthcare IT News after the HPMC hack: “For an infection to spread on this scale suggests there were larger systemic weaknesses that led to such an incident.” Right now, hospitals that run on outdated software and lack proper antivirus protection are at risk, especially if they integrate new healthcare technology without considering security measures. As one study on cybersecurity in healthcare put it: “11 percent of US healthcare IT professionals don’t believe that their current security policy for newly connected devices is effective. This could suggest that hospitals and health centers are rapidly adopting new connected devices without due care and attention towards security policies.”
Technology presents near-boundless potential for innovation and access in healthcare. In the decade to come, patient care and experience will likely develop in ways we can’t even imagine today. But our quest for advancement can’t come at the expense of our patients’ safety. Positive change comes paired with increased risk of intrusion by cyber criminals and other morally bankrupt players – and as a result, our approach to new technology needs to be marked by careful strides, rather than impulsive leaps. Medical centers need to step into a position where their best practices allow them to say “no” to would-be ransomers. They need to better train staff members on how to detect and respond to potentially damaging messages, update their systems to the most cutting-edge security programs, and regularly back up data so it can be readily recovered even after system encryption. Cyber criminals are a storm we can see coming. Once we build walls and policies strong enough to hold them out, they will dissipate like so much rain on pavement.