A cyberattack that may have involved ransomware hit MedStar Health, a 10-hospital system serving Maryland and the Washington, D.C. area, in March and forced the health system to shut down several of its systems to stop the malware from spreading. This attack followed ransomware attacks on Methodist Hospital in Kentucky, two California hospitals and Ottawa Hospital in Canada. In addition to those attacks, Hollywood Presbyterian Medical Center in California announced in February that it had paid extortionists a $17,000 bitcoin ransom to unlock its data.
The recent surge in ransomware attacks on hospitals has Congress wondering if HIPAA’s breach notification requirements need to be clarified or updated to reflect the trend. As ransomware attacks against hospitals become more frequent, it is critical for patients to know when their records are being held hostage and for the government to understand the scope of the problem.
Why health care is a prime target
Health care facilities are prime targets of cyberattacks because they are extremely vulnerable. They cannot afford to be paralyzed for long, whether because their data has been encrypted or because they have shut down their own systems to stop the infection from spreading, and so they tend to pay the ransom. As hospitals have become dependent on electronic systems to coordinate care, communicate critical health data and avoid medication errors, patients' well-being may also be at stake when hackers strike.
Caring for sick people now also means that health care facilities must protect their patient medical records and technology systems against hackers. Health care is an easy target: its security programs tend to be less mature than those of other industries, such as banking and tech, and its doctors and nurses depend on that data to perform time-sensitive, life-saving work.
What growing cyberattacks mean for the industry
Security experts say the recent ransomware attacks on hospitals spotlight how attractive health care organizations are to cybercriminals and how vulnerable many of them are to cyberthreats. That leaves hospitals with two challenges: designing systems that can resist attack and training employees.
Several bills addressing the situation are making their way through Congress, and they are endorsed by HITRUST, the Health Information Trust Alliance:
“These bills effectively do two things,” HITRUST said in a statement. “First, they formalize the process for information sharing and encourage private entities to share amongst themselves and with the government. And second, they provide legal certainty that companies sharing that information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real-time and taking actions to mitigate cyberattacks.”
In the meantime, health care facilities should be taking concrete steps: developing and executing an end-user awareness program, reviewing and validating server backup processes (including that backups can actually be restored), evaluating malware protection and more. It is important to raise awareness about health care information security and to implement, and enforce, rules that keep health care staff from making security mistakes.