How patient safety is being hampered by rampant ransomware attacks
Before you finish this article 15 ransomware attacks will occur. That’s almost one every 11 seconds! Our nation’s healthcare system is the primary target. These attacks are devastating, and many hospitals are experiencing attacks or attempted attacks from emerging ransomware. For example:
- The University Medical Center of Southern Nevada suffered a ransomware attack during the summer of 2021 that affected 1.3M individual’s data, including PHI. Analysts pointed to REvil, a Russia-linked ransomware group, as the culprit.
- In August, Ohio’s Memorial Health System experienced a Hive ransomware attack after an unauthorized third party gained access to Memorial’s network four months earlier without detection. With Hive ransomware, actors steal the data and encrypt files throughout the victim’s network. The cybercriminals leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. It is estimated the attack on Memorial Health affected personal data of 200,000 patients.
- In September, The Health Sector Cybersecurity Coordination Center (HC3) released a threat brief on BlackMatter ransomware, a Russian hacking group believed to be a reconstructed version of DarkSide. They recently attacked NEW Cooperative Inc. with a $5.9M payment request after NEW Cooperative took their systems offline. However, BlackMatter claimed it would not target hospitals, while HC3 officials state that details are what BlackMatter claims to be and may not be accurate.
Ransomware’s threat to patient safety
When a hospital experiences a ransomware attack patients’ lives are at risk. In 2019, a ransomware attack made critical systems and information unavailable during an infant’s delivery, causing significant complications that led to the infant’s death nine months later. The mother recently filed a lawsuit, stating she would have gone to another hospital if she had known about the ransomware attack and its impact.
Criminal syndicates around the globe seek fortunes from hospitals and care centers after crippling their operations with ransomware. According to a study by the Ponemon Institute in September 2021, the sad reality is that patients suffer as:
- Length of stay increases,
- Delays in procedures and lab tests result in unfavorable outcomes,
- Diversions to other facilities delay treatment, and
- Patient mortality climbs.
Healthcare providers been ravaged with attacks, but so too have critical vendors who support healthcare. For example, Nuance, a provider of transcription services to the healthcare industry, suffered a devastating NotPetya attack that caused a staggering four-month outage and estimated revenue losses of $92 million.
Andy Greenberg further discusses NotPeyta attacks in his book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. He describes how during the outage, one hospital IT staffer noted that two children’s diagnostic reports were missing just before surgery. With only hours to spare, the IT staffer located the hospital’s raw archive, listened to 40 audio files, found the right one, sent it to be transcribed with only hours to spare. The following week, the same IT staffer found two more cases, each time with only a day or two to spare before a major treatment. In one case, a doctor had to manually retype a child’s dictation after reexamining the ultrasound of a child’s heart.
A New England Journal of Medicine study says even a traffic delay of fewer than five minutes in an ambulance causes patients to die four percent more often in hospitals over the following 30 days. In many cases, time matters. Mortality is affected. Likewise, it’s common for hospitals to divert patients to a facility more than five minutes further away when arriving by ambulance during a ransomware attack, which can be fatal.
Healthcare is a prime target for ransomware attacks
The U.S. healthcare system is particularly vulnerable to ransomware attacks due to several factors:
1. Outdated and vulnerable IT infrastructure and operating systems
Forescout reported, “53 percent of common medical devices are still operating on traditional, legacy platforms, which poses a patient safety risk.” Outdated operating systems that are no longer serviced, such as Microsoft 7 and Windows Server 2008, are very commonly used by healthcare.
2. Data sprawl and a lack of accurate, up-to-date data maps and inventories
Healthcare consumerization continues to accelerate in the post-pandemic world, increasing the demands for data liquidity, or the need for health data flow and access. Key drivers include virtual care, acceleration of interoperability standards, realities of the digital front door, and rise of retail health providers.
Additionally, the unpredictable data flow into the cloud adds new challenges, such as automated scalability. This quickly leaves the privacy officer with limited information about data lifecycle, including who can access it and where it is transmitted.
3. The perception that healthcare pays the ransom faster than other industries
Cybercriminals realize how quickly the healthcare industry needs to recover from a cyberattack and try to use this to their advantage to generate ransom payments. They want their payments fast, widening the target on healthcare’s back. In addition to being vulnerable, the healthcare sector is motivated to recover from an attack as quickly as possible. But due to antiquated IT systems, many healthcare organizations cannot recover well at all. So, bad actors attack healthcare believing they will receive ransom payments faster than they would with other industries.
4. Lack of in-depth cybersecurity training and awareness
Traditionally, healthcare hasn’t focused on cybersecurity in general, but rather focused on HIPAA compliance to ensure staff meet federal requirements for protecting patient privacy. This is a check-the-box approach that leaves a gap in the organization’s cybersecurity awareness. Bad actors will continue to capitalize on phishing email schemes if employees aren’t trained on how to identify spoofed emails.
The cybersecurity skills gap combined with the abundance of attempted ransomware attacks is a recipe for disaster. A recent study reported, “37% of healthcare IT decision makers say their organization is at risk of security threats due to skills gaps.” It also reported that nearly 40% have a skills gap in data protection and more than half of those (21%) are not following proper data protection procedures.
There is a lot of discussion on how ransomware costs healthcare billions of dollars and not enough discussion on how it impacts the patient’s safety. To protect the patient, it is necessary to prepare your organization to respond when an attack occurs rather than if an attack occurs. Start by isolating your backups from your networks and making sure you have an environment in which to restore your systems. And always practice quality IT operational hygiene, including necessary system upgrades and patches. Finally, at all levels of the organization, address the cybersecurity skills gap so that healthcare can be better armed to protect their data and patients from a ransomware attack.
Photo: JuSun, Getty Images