June 7, 2017

The Ransomware Crisis, Part II: Hospitals Under Attack

By

EDITOR'S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for healthcare facilities in the U.S. to protect themselves from cybercriminals demanding ransom for patient records. This is the second piece in a series of reports on the ransomware crisis.

Hospitals are under attack, as the world is now witnessing one of the most significant ransomware waves in history. In the U.S., the Department of Homeland Security and Federal Bureau of Investigation are on alert, but they respond only after the fact.

Hospitals risk having all of their electronic medical records (EMRs) encrypted. In order to get the electronic “key” to unlock the data, a ransom must be paid.

Healthcare in the United States is a very important part of the economy. Annual spending amounts to more than $11,000 per citizen, and healthcare accounts for around one-fifth (20 percent) of the GDP. Since the size of the U.S. economy is around $18 trillion, this means that healthcare spending is around $3.6 trillion. In other words, U.S. spending on healthcare alone amounts to more than the entire GDP of every country in the world except the U.S., China, and Japan.

Even though healthcare represents a large part of the U.S. economy, spending on cyber-security is less than 10 percent of the overall security budget. The healthcare sector is under-investing in security, and so the ransomware sharks smell blood in the water.

Preparing for a Ransomware Attack

There are three principal areas hospitals need to focus on in order to prepare for a ransomware attack. These include the following:

  • Technology
  • Operations
  • Legal and Regulatory


Technology

The technology side of prevention is well-known. The ICT department is in charge of protecting computing infrastructure. This includes vetting personnel, maintaining proper access, control, and security, and also keeping the system up to date by installing “patches” regularly released by software vendors. In addition, the ICT department must maintain contract with vetted security vendors that provide important services such as firewall protection as well as backup and disaster recovery.

Operations

The operations side is more difficult to master. This entails having in place an understood set of policies and procedures that ensure proper computer security and control over access to information. 

Continuous training and awareness-raising efforts with all participants in the hospital community that come into contact with the information system is required. In practical terms, this means everyone. But operations does not involve only training. It also involves “fire drills” and “rehearsals” so that everyone knows exactly what to do if disaster strikes.

What if the entire information system goes down? How can hospitals revert to manual, paper-based record-keeping, if necessary? Capacity-building for hospitals also involves documenting all of the standard operating procedures that will guarantee the quality response that is needed.

Finally, hospitals must constantly benchmark and measure their operations to know at all times how well their important work is being carried out. Metrics are crucial.

Legal and Regulatory

All hospitals are familiar with the rigid and comprehensive rules governing privacy of name-linked data. This patient data must never be allowed to leak out, and must be permanently saved in a way that ensures its security is never threatened.

As we all know, severe penalties can strike should a hospital fail in its privacy obligations. But preparing for a ransomware attack goes well beyond the procedures necessary to keep patient data private. Instead, what we need to be concerned about is what happens after a ransomware attack already has taken place. There are a number of legal issues that many hospitals are not prepared to handle.

First, there are a number of notification requirements that must be adhered to. Every single patient whose records have been accessed must be identified and sent a letter explaining the situation. Failure to perform proper notification can result in large fines.

Second, it is crucial that the hospital knows how to preserve evidence needed to allow investigators to pinpoint the identity of the attacker. There must be a sufficient forensic cyber record on hand to make a prosecution stick.

Third, there needs to be an emergency financial procedure in place so that funds can be paid out quickly. It may be useful to have a contingency fund in place.

Fourth, the hospital must be prepared to handle any tort negligence liability from disgruntled patients or others who wish to extract their pound of flesh.

In the end, hospitals must realize that not only is it necessary to take every possible security measure to ensure that information systems are not compromised, but also to have in place documented and rehearsed procedures that are understood well by all principal persons who are ready to put them immediately into play. 

Edward Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.

This email address is being protected from spambots. You need JavaScript enabled to view it.

Related Articles