National Health Service hospitals in the UK forced to cancel outpatient appointments after WannaCry ransoms files
It makes you wanna cry—the ransomware attack that raged to endemic proportions from one unpatched Windows computer to another faster than any biological agent possibly could (infecting more than 300,000 Windows computers in more than 150 countries at last count).
We won’t soon forget the Wanna Decryptor ransomware—also known as WCrypt, WCry, WanaCrypt0r 2.0, and WannaCry—nor should we.
In addition to forcing universities, manufacturers, and government agencies to shut down their networks, it paralyzed several of the U.K.’s biggest hospitals and medical practices. Vital services came to a halt because the organizations infected by WannaCry were unable to access patient files.
U.S. Senator Ben Sasse, a member of the Senate Armed Services Committee, issued the following statement:
“This is big: around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages, ambulances are being rerouted, and millions of people’s data is potentially exposed. Cybersecurity isn’t a hypothetical problem – today shows it can be life or death. We’ll likely look back at this as a watershed moment.”
The May 12th attack, which isn’t entirely over, emphasizes the vulnerability of institutions on which we depend. Power plants, oil companies, financial firms, hospitals and medical practices—these translate into warmth, food, health, life itself.
Cyber Threat Is Now
Cyber attackers hit healthcare hard in 2015 and 2016—to an estimated tune of $305 billion in cumulative lifetime revenue, according to attorney Valerie Montague of Nixon Peabody in Chicago, who presented at the American Health Lawyers Association Physicians and Hospitals Law Institute in 2017. WannaCry is merely the latest in a series of breathtaking cyberattacks that should serve as a wake-up call.
For healthcare organizations, cybersecurity has never been more urgent.
Why do cyber attackers target healthcare? It’s a “perfect storm,” says Montague.
Perfect storm factor #1: Healthcare systems are much less secure than other systems that hold valuable information about individuals, such as banks. Data sets in EMRs and EHRs are rich and comprehensive, a veritable “one-stop shop,” says attorney Katie Kenney of Polsinelli in Chicago, also an AHLA presenter.
Perfect storm factor #2: The criminal underground seeks out healthcare information—PHI yields ten times more in underground markets than bank data does, experts say. But what do these attacks look like, exactly, and how can you protect your practice from this rapidly growing HIPAA security threat?
In fact, today, healthcare data is 10x more valuable to hackers than banking data, and a data breach can cost practices up to $50,000 in fees per patient record, according to Eye Care Leaders cybersecurity expert Eduardo Martinez in a forum post.
Data-for-ransom is the latest fad in the hacking world. Ransomware hackers breach servers and encrypt files containing documents and PHI, then demand a ransom in exchange for the remedy needed to decrypt the files.
Cybercriminals prefer ransomware attacks because they offer the opportunity to make quick cash, reports Ed Cabrera—an information security expert who worked with the Secret Service for 20 years before becoming Chief Cybersecurity Officer at Trend Micro in Irving, Texas. Once they’ve stalled normal operations, they demand the provider pay a ransom to decrypt the PHI—usually in hard-to-trace currency like bitcoin.
Many ransomware attacks come out of Russia, which has become an “incubator” for all kinds of cybercriminal “startups,” Cabrera says. An elite group of technically capable criminals has developed models for “crime as a service.” They cater to less technically capable criminals, offering get-now-pay-later programs: the attackers pay their IT teams only after they’ve successfully collected the ransoms. This arrangement has allowed ransomware operations to scale very quickly.
Cyber attackers don’t restrict themselves to large insurers and healthcare systems. “We don’t see cyber attackers discriminating,” says Kenney. They don’t seem to be targeting one type of provider, and they are going after smaller organizations too.
Sometimes these hackers pose as the FBI or other law enforcement officials and claim that the ransom is a fine for failure to comply with some kind of regulation, and that failure to pay will result in prosecution. New forms of ransomware encrypt the files of website operators, threatening not only their files containing stored data, but the very files needed to operate their web sites. Other ransomware variants now target files on mobile devices. The highly sensitive nature of PHI has made healthcare providers primary targets.
Consider two of many recent examples:
What to do when ransomware attacks
Ransomware is one of the biggest current threats to health information privacy and security. In 2016, HHS’s Office of Civil Rights (OCR) finally released some much-anticipated guidance on the topic. While the new guidance is meant to help healthcare entities better understand and respond to the threat of ransomware, it also provides a serious heads up to providers that no breach of data is too small. That is, almost no breach of data is too small.
Organizations must notify affected individuals per HIPAA regulations ASAP — and then determine if patient information was acquired or viewed, the extent to which data loss was mitigated, and to whom the disclosure was made. But what does that mean exactly?
To learn more about ransomware attacks and cybersecurity, pick up your copy of Cybersecurity for Physician Practices: A Practical, Step-by-Step Guide to Protect Patient & Practice Information.