Cyberattack Targets Healthcare and Succeeds

Posted on 22 May, 2017 |comments_icon 4|By Jeff G Lawson

National Health Service hospitals in the UK forced to cancel outpatient appointments after WannaCry ransoms files

It makes you wanna cry—the ransomware attack that raged to endemic proportions from one unpatched Windows computer to another faster than any biological agent possibly could (infecting more than 300,000 Windows computers in more than 150 countries at last count).

We won’t soon forget the Wanna Decryptor ransomware—also known as WCrypt, WCry, WanaCrypt0r 2.0, and WannaCry—nor should we.

In addition to forcing universities, manufacturers, and government agencies to shut down their networks, it paralyzed several of the U.K.’s biggest hospitals and medical practices. Vital services came to a halt because the organizations infected by WannaCry were unable to access patient files.

U.S. Senator Ben Sasse, a member of the Senate Armed Services Committee, issued the following statement:

This is big: around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages, ambulances are being rerouted, and millions of people’s data is potentially exposed. Cybersecurity isn’t a hypothetical problem – today shows it can be life or death. We’ll likely look back at this as a watershed moment.

The May 12th attack, which isn’t entirely over, emphasizes the vulnerability of institutions on which we depend. Power plants, oil companies, financial firms, hospitals and medical practices—these translate into warmth, food, health, life itself.

Cyber Threat Is Now

Cyber attackers hit healthcare hard in 2015 and 2016—to an estimated tune of $305 billion in cumulative lifetime revenue, according to attorney Valerie Montague of Nixon Peabody in Chicago, who presented at the American Health Lawyers Association Physicians and Hospitals Law Institute in 2017. WannaCry is merely the latest in a series of breath-catching cyberattacks that should serve as a wake-up call.

For healthcare organizations, cybersecurity has never been more urgent.

Why do cyber attackers target healthcare? It’s a “perfect storm,” says Montague.

Perfect storm factor #1: Healthcare systems are much less secure than other systems that hold valuable information about individuals, such as banks. Data sets in EMRs and EHRs are rich and comprehensive, a veritable “one-stop shop,” says attorney Katie Kenney of Polsinelli in Chicago, also an AHLA presenter.

Perfect storm factor #2: The criminal underground seeks out of healthcare information—PHI yields ten times more in underground markets than bank data does, experts say. But what are they, exactly, and how can you protect your practice from this rapidly growing HIPAA security threat?

In fact, today, healthcare data is 10x more valuable to hackers than banking data, and a data breach can cost practices up to $50,000 in fees per patient record, according to Eye Care Leaders cybersecurity expert Eduardo Martinez in a forum post.

Ransomware 101

Data-for-ransom is the latest fad in the hacking world. Ransomware hackers breach servers and encrypt files containing documents and PHI, then demand a ransom in exchange for the remedy needed to decrypt the files.

Cybercriminals prefer ransomware attacks because it gives them the opportunity to make quick cash, reports Ed Cabrera—an information security expert who worked with the Secret Service for 20 years before becoming Chief Cybersecurity Officer at Trend Micro in Irving, Texas. Once they’ve stalled normal operations, they demand the provider pay a ransom to unencrypt the PHI—usually in untraceable currency like bitcoin.

Many ransomware attacks come out of Russia, which has become an “incubator” for all kinds of cybercriminal “startups,” Cabrera says. An elite group of technically capable criminals have developed models for “crime as a service.” They cater to less technically capable criminals, offering get-now-pay-later programs. The attackers pay their IT teams only after they’ve successfully collected the ransoms. This arrangement has allowed ransomware operations to scale very quickly.

Cyber attackers don’t restrict themselves to large insurers and healthcare systems. “We don’t see cyber attackers discriminating,” says Kenney. They don’t seem to be targeting one type of provider, and they are going after smaller organizations too.

Sometimes these hackers pose as the FBI or other law enforcement officials and claim that the ransom is a fine for failure to pass some kind of regulation and that failure to pay will result in prosecution. New forms of ransomware encrypt files of website operators, threatening not only their files containing stored data, but the very files needed to operate their web sites. Other ransomware variants now target files on mobile devices. The highly sensitive nature of PHI has led to healthcare providers being primary targets.

Consider two of many recent examples:

  1. In February 2016, Hollywood Presbyterian Medical Center computer systems were held for ransom and were not released until the hospital paid 40 bitcoins, about $17,000.
  2. In May 2016, Kansas Heart Hospital EHR systems were attacked and locked by hackers. When the hospital paid the hackers’ requested ransom, the hackers demanded a second ransom to regain access to their system. Fortunately, patient data was not compromised.

What to do when ransomware attacks

Ransomware is one of the biggest current threats to health information privacy and security. In 2016, HHS’s Office of Civil Rights (OCR) finally released some much-anticipated guidance on the topic. While the new guidance is meant to help healthcare entities better understand and respond to the threat of ransomware, it also provides a serious heads up to providers that no breach of data is too small. That is, almost no breach of data is too small.

Organizations must notify affected individuals per HIPAA regulations ASAP — and then determine if patient information was acquired or viewed, the extent to which data loss was mitigated, and to whom the disclosure was made. But what does that mean exactly?

To learn more ransomware attacks and cybersecurity, pick up your copy of Cybersecurity for Physician Practices: A Practical, Step-by-Step Guide to Protect Patient & Practice Information.


Sasse Statement on Ongoing Ransomware Attacks

‘Accidental hero’ halts ransomware attack and warns: this is not over

How to attack security issues like Google and Microsoft just did

Critical systems at heart of WannaCry’s impact


Jeff G Lawson

More from this author

View More

4 thoughts on “Cyberattack Targets Healthcare and Succeeds

  1. I wish to show my affection for your generosity in support of individuals who require help on this subject. Your very own commitment to getting the solution all through became incredibly useful and have continuously helped professionals much like me to get to their ambitions. Your own insightful guide means a lot a person like me and somewhat more to my office workers. Best wishes; from each one of us.

  2. I am only commenting to make you be aware of what a fabulous discovery my daughter found studying your web page. She mastered such a lot of things, which included what it is like to possess a very effective coaching heart to get a number of people clearly learn specified tricky subject areas. You truly surpassed visitors’ expectations. I appreciate you for presenting those interesting, trustworthy, educational and also unique tips about this topic to Sandra.

  3. I just wanted to write down a brief remark in order to appreciate you for some of the amazing advice you are giving out on this site. My long internet search has at the end of the day been honored with pleasant strategies to talk about with my contacts. I ‘d repeat that most of us visitors actually are really endowed to dwell in a fine place with many special professionals with beneficial secrets. I feel very much happy to have seen your entire webpage and look forward to plenty of more brilliant times reading here. Thanks a lot again for everything.

  4. I precisely desired to appreciate you once more. I am not sure what I might have accomplished in the absence of the actual creative concepts contributed by you about that topic. This was a real alarming situation in my circumstances, but looking at a specialized avenue you treated it took me to weep with happiness. I am just happy for this support and thus expect you know what a powerful job you were providing instructing the rest by way of your webpage. More than likely you haven’t encountered any of us.

Leave a Reply

Newsletter Signup