Tuesday, May 31, 2016
Ransomware Attacks Put Hospitals on Alert
Posted by Bill Brause, CPA
In the past few months, more than a dozen hospitals nationwide have had to fight a different kind of cybersecurity threat.
Hollywood Presbyterian Medical Center in Los Angeles was one of the first to be hit. In February, staffers there found themselves locked out of their computer files, unable to access patient medical records. They were victims in a recent surge of “ransomware” attacks on healthcare facilities.
Ransomware is a type of malicious software that criminals use to block victims from their computer systems or data. Instead of trying to steal medical records or other information to sell, the hackers want a ransom for restoring access to it, usually in bitcoins, a virtually untraceable digital currency. Victims will typically see a pop-up that says the file or system has been encrypted or locked, and they must pay for a decryption key or to have the system unlocked. Sometimes the hackers even include instructions on how to use bitcoins.
The software is generally spread via infected websites, or by phishing emails with attachments that look like bills or invoices. In some cases, criminals get into a network via a vulnerable server. Experts say that educating employees about the dangers of ransomware and how not to fall prey to it is one of the main ways a healthcare organization can help prevent an attack.
Ransomware isn’t new, but it has become more widespread and more sophisticated in the last year, according to the FBI. And lately, hospitals have become a prime target. In late March, federal cybersecurity agencies in the U.S. and Canada took the unusual step of issuing a joint alert about ransomware to healthcare providers and other organizations.
Hospitals are particularly vulnerable, because the potential impact on their patients makes them more likely to meet criminals’ demands. An attack can delay lab test results, cause appointments and surgeries to be rescheduled, and force the facility to divert patients elsewhere, for example. Many hospitals also are an easy target because they’ve focused their IT efforts on things like HIPAA compliance and electronic medical records, and not on cybersecurity.
After spending more than a week offline, Hollywood Presbyterian paid a ransom of 40 bitcoins, worth about $17,000. The hospital president said they did so because it was the quickest and most efficient way to restore their systems and administrative functions. Companies and individuals in the U.S. paid more than $24 million to ransomware attackers in 2015, according to the FBI.
Some victims choose to ignore the ransom demand. When MedStar Health’s computer network was attacked in late March, the Maryland-based hospital group quickly shut down its remaining systems and switched to paper documentation and other backup measures, while its IT team and outside cybersecurity experts worked to analyze and fix the damage. Within five days, they were able to get almost 90% of their systems back online.
Whether the ransom is paid or not, the attacks can cost organizations dearly. Hospitals will often need to hire incident-response experts, for example, and their staff will have to spend valuable time updating electronic patient records when their computer systems are back online. Christiaan Beek, who leads Intel Security’s advanced threat research, estimates that hospital costs for a ransomware incident can easily total between $700,000 and $1.5 million, depending on the size of the hospital, the scope of the damage, and whether backups were available.
Data backups are critical because, experts say, other than paying the ransom there is generally no way to regain access to locked systems and files. So you need to back up your information and verify the integrity of those backups on a regular basis. You also have to make sure your backups aren’t connected to the computers and networks they copy the data from.
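One concrete way to carry out the "verify the integrity of those backups" step described above, as an added example that is not part of the original post: a small Python script that records a SHA-256 digest for every file in a backup set, and on a later run compares the set against that saved manifest, reporting files that were modified, went missing, or appeared unexpectedly. The sample files, file names and the in-memory manifest are constructed for the demo; where and how often a real manifest is stored and checked is an assumption, not something the post specifies.

```python
"""Backup integrity check: build a hash manifest, then verify a backup set against it.

Added example, not code from the original post. All file contents below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

BLOCK = 1 << 20  # hash in 1 MiB chunks so large backup files never load fully into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a single file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk the backup set and map each regular file (relative POSIX path) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current backup set against a previously saved manifest.

    Returns four lists: files whose digest still matches ("ok"), files whose
    digest changed ("modified"), manifest entries no longer on disk ("missing"),
    and files on disk that the manifest never recorded ("extra").
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: back up three files, save the manifest, then alter the set.

    Returns the verification result after the alteration so the caller can inspect it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patient_0001.txt").write_text("constructed sample record\n")
        (root / "records" / "patient_0002.txt").write_text("another constructed record\n")
        (root / "schedule.csv").write_text("date,room\n2016-05-31,OR-2\n")

        # Serialize the manifest as a real deployment would; keep it on media the
        # backup host cannot write to (assumption: location is a deployment choice).
        saved = json.dumps(build_manifest(root), indent=2)

        # Simulate what a later check should catch: one file rewritten, one removed,
        # one unexpected file added.
        (root / "records" / "patient_0002.txt").write_text("contents no longer match\n")
        (root / "schedule.csv").unlink()
        (root / "unexpected.tmp").write_text("not part of the backup set\n")

        return verify_manifest(root, json.loads(saved))


if __name__ == "__main__":
    outcome = demo()
    for status, paths in outcome.items():
        print(f"{status:>8}: {paths}")
```

A scheduled run of `verify_manifest` against a manifest kept off the backup host turns "are the backups still good?" into a yes/no answer with a list of affected files; any entry under "modified" or "missing" is the signal to investigate before that backup is relied on for recovery.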
Here are some other tips from the FBI on how to help prevent a ransomware attack and minimize the disruption to your business if one does occur.
Bill is the partner-in-charge of Armanino’s healthcare practice and has more than 17 years of experience providing services to healthcare clients. Prior to that, Bill was an internal auditor for Blue Shield of California, where he performed audits of healthcare-related entities including medical groups, assisted living facilities and several nonprofit entities working within the healthcare industry. Bill also performs feasibility analysis for hospital construction projects, as well as acting as internal auditor for several hospitals.