Earlier this month, Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin to hackers in order to unlock its electronic health records (EHRs) and other computer software, as previously reported by Healthcare Dive. Hospital employees were forced to use pen and paper to enter patient data as well as fax machines and phones to relay patient information for more than a week. This incident is one of three hospital-ransomware events in just the past six months, which points to a potential new hospital cyberattack trend.
However, the other two hospitals, Texas-based Titus Regional Medical Center and Florida-based James A. Haley Veterans’ Hospital, chose not to pay the ransom request.
Ransomware, a form of malware, does not access or steal data but instead encrypts it so users are unable to access it. Alan Stefanek, CEO and president of Hollywood Presbyterian, told NBC the attack was “random” and could have been initiated when an employee clicked on an infected email link or ad that introduced the virus into the hospital network. Once the data on a server has been encrypted, the attacker offers a “key” to unlock the user’s files for a “ransom” or price.
According to The Atlantic, the average ransom price is about $300, but most hackers know hospitals may be willing to pay much more. And, even if the ransom is paid, there is still no guarantee files won’t lock again, because the ransomware still exists on the facility’s server.
Bitcoin is hackers’ preferred currency because it’s digital and much harder to trace than other forms of money.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Stefanek said in a press release. "In the best interest of restoring normal operations, we did this."
Attempts to reach a hospital spokesperson to provide an update on the hospital’s security efforts were unsuccessful.
Hackers target hospitals’ rich data
Hospitals are data gold mines, with EHRs storing a treasure trove of patient personal data that sells for a high price on the black market - up to 20 times the price of stolen credit-card numbers, according to Dell Secure Works, a division of Dell Inc, as reported by Bloomberg.
In fact, according to the Identity Theft Resource Center (ITRC), healthcare data breaches in 2015 equaled 35.5% of all listed incidents.
“I am convinced 2016 will see more massive public and private sector take downs, hacks, and exposure of sensitive personal information like we have witnessed in years past," Adam Levin, chairman and founder of IDT911, a data security company, said in a press release.
"Malvertising and ransomware attacks will reach a fever pitch," Levin said. "Medical data and business information like intellectual property will be prime targets, with cyber thieves looking for opportunistic financial gain based on black market value, corporate extortion, and cyber terrorism.”
Experian’s 2015 Annual Data Breach Report estimated the potential cost of data breaches for the healthcare industry could be as much as $5.6 billion annually, with the average breach costing $2.1 million per hospital.
Why hospitals are easy targets
A 2015 study by the Ponemon Institute, a security research firm, showed criminal data breaches against healthcare providers have more than doubled in the past five years, with almost 90% of providers hit by a breach between 2013 and 2015.
What’s surprising is that roughly half of healthcare facilities surveyed said they lacked sufficient technology to prevent or detect a breach, and 33% said they had no incident response plan.
Also, 16% of CIOs don't know when they are being attacked, according to the KPMG 2015 Healthcare Cybersecurity survey. Although the survey showed that spending to prevent cyberattacks has increased at most healthcare organizations, it has to be on the right initiatives and fit the organization’s strategy.
“There are no cookie-cutter approaches to security," Greg Bell, who leads KPMG’s cyber practice, said in a press release. "An organization with a mobile workforce may have a far different technology need from an organization that processes healthcare claims.”
“Hospitals need to gain visibility into the types and categories of data and where they reside,” Andrew Hay, CISO at DataGravity, told Healthcare Dive. “It falls under the umbrella of being ‘data aware’ – knowing where all the sensitive files are located and who has access to them.”
Hay added that locating where different data is stored across different systems, and knowing who last accessed or updated a file, is one of the challenges hospitals currently face.
This becomes even harder with networked devices and with the other places data may be stored, including the cloud.
As more hospital consolidations occur, user-access auditing becomes even more important, Hay said. “The new partners you may be working with – their security standards and policies have almost no visibility and you have no control over them.”
It’s difficult for hospitals to calculate how much data security will cost because it depends on the hospital’s own internal risk assessment, Hay said.
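The “data aware” inventory Hay describes above, reduced to its smallest working form: a script that walks a file tree, flags files whose contents match a set of sensitive-data patterns, and records for each one where it lives, who owns it, whether anyone beyond the owner can read it, and when it was last modified. This is an added example, not code from Healthcare Dive, DataGravity or any hospital; the regexes, the sample files and the directory layout are constructed placeholders standing in for the data categories a hospital would define for itself, and file ownership and permission bits come from POSIX metadata rather than an access log.

```python
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

# Constructed placeholder patterns for "types and categories" of sensitive data.
# A real deployment would replace these with the organisation's own taxonomy.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:#]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


def classify_file(path, max_bytes=1 << 20):
    """Return the set of sensitive-data categories found in the first max_bytes of a file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return set()
    text = data.decode("utf-8", errors="ignore")
    return {name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)}


def inventory(root):
    """Walk root and return one record per file that holds sensitive data: its
    location, the categories found, the owning uid, its permission string, whether
    group or world can read it, and its last-modified time (UTC)."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            cats = classify_file(path)
            if not cats:
                continue
            st = os.lstat(path)
            records.append({
                "path": os.path.relpath(path, root),
                "categories": sorted(cats),
                "owner_uid": st.st_uid,
                "mode": stat.filemode(st.st_mode),
                "group_readable": bool(st.st_mode & stat.S_IRGRP),
                "world_readable": bool(st.st_mode & stat.S_IROTH),
                "last_modified": datetime.fromtimestamp(
                    st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
            })
    return sorted(records, key=lambda r: r["path"])


def overexposed(records):
    """Paths of sensitive files readable beyond their owner: the first
    remediation list a user-access audit would produce."""
    return [r["path"] for r in records if r["group_readable"] or r["world_readable"]]


def build_sample_tree():
    """Create a constructed directory tree with three files and return its path.
    Values are made up for the example; none of it is real patient data."""
    root = tempfile.mkdtemp(prefix="data_aware_")
    os.makedirs(os.path.join(root, "exports"))
    billing = os.path.join(root, "exports", "billing.csv")
    with open(billing, "w") as fh:
        fh.write("name,ssn\nJane Roe,123-45-6789\n")
    os.chmod(billing, 0o644)  # readable by every account on the host: over-exposed
    notes = os.path.join(root, "notes.txt")
    with open(notes, "w") as fh:
        fh.write("MRN: 00123456 DOB: 01/02/1970 follow-up scheduled\n")
    os.chmod(notes, 0o600)  # owner-only
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("nothing sensitive here\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = inventory(sample_root)
    for record in found:
        print(record)
    print("over-exposed:", overexposed(found))
```

Run as-is it builds the sample tree under a temporary directory, prints the two records that contain sensitive patterns (the README is skipped) and lists `exports/billing.csv` as over-exposed because its mode is 0644. Pointing `inventory()` at a real share is the same call; the permission bits answer “who has access” at the filesystem level, while “who last accessed” needs audit logging that the filesystem alone does not keep, which is exactly the gap Hay is describing.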
Wearables and medical devices provide a backdoor for hackers
Keeping patients out of the hospital goes hand-in-hand with new medical equipment that can transmit patient information electronically to healthcare providers.
This is not just fitness trackers, but also blood pressure and heart rate monitors and other biometric devices. Ransomware is predicted to start infiltrating wearables and medical devices this year, according to a recent Forrester Research report.
Some security experts say the attacks may go beyond using medical devices to encrypt databases and that, in a disturbing twist, hackers may actually have the ability to disable these devices, holding patient care to ransom.
The Food and Drug Administration (FDA) has been concerned about hackers accessing hospital networks via medical devices and issued a guidance document for healthcare organizations in Oct. 2014. The agency states on its website, “FDA is concerned about the security of networks because vulnerable off-the-shelf (OTS) software can allow an attacker to get unauthorized access to a network or medical device and reduce the safety and effectiveness of devices that connect to those networks.”
In fact, after discovering that infusion pumps made by Hospira Inc. were susceptible to hackers via a hospital’s network, the FDA issued a warning this past June to hospitals not to use the devices.
“This vulnerability could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the agency stated in the warning, as reported by Reuters.
Lee Kim, director of privacy and security at HIMSS North America, told Healthcare Dive via email that more digital equipment might translate into a larger attack surface. However, hospitals can implement several countermeasures, including assessing whether the equipment needs to be Internet-connected at all, whether it has an upgrade pathway for security fixes and updates that may resolve known issues, and whether compensating controls are in place to mitigate or eliminate cybersecurity risks.
Is there a need for standardized guidelines or laws for data security?
Since ransomware “locks” data and doesn’t steal it, ransomware incidents do not have to be reported as required under data-breach notification rules. The Department of Health and Human Services (HHS) requires hospitals to report breaches involving more than 500 patients.
“The data is encrypted, not stolen, and there’s very little financial incentives to report it,” Chris Doggett, senior vice president at Carbonite, told ibtimes.
Although Andrew Hay said data security guidelines would be welcomed by the industry, efforts to date have been somewhat scattered across different groups.
The Cybersecurity Act of 2015 has a specific section (405) dedicated to healthcare, and includes mandating that HHS establish a collaborative process to establish voluntary guidelines, best practices, and standards.
"I believe the government would like to have regulations they could implement that people could point to," Hay said. "On the other hand, the other half wants the government to stay out of it. It becomes a political issue at that point."
However, Senator Robert Hertzberg (D-Van Nuys) has recently introduced legislation (SB 1137) that treats ransomware attacks as extortion. The bill outlaws the practice of infecting any computer, system, or network with ransomware, and states that a person engaged in the activity could be convicted of a felony and sentenced to up to four years in prison, according to a press release from Sen. Hertzberg’s office.
“Nearly every day we read in the news about data breaches and online criminal activity," Hertzberg said in a statement. "We must be clear that we will not tolerate this kind of conduct, and that using modern tactics to engage in age-old thuggery of ransom and extortion do not change the seriousness of the crime.”
Sen. Hertzberg told Healthcare Dive via email he expects the California bill "to be strongly supported in the Legislature."
If the bill does pass, it will be interesting to see whether other states enact similar laws. If they do, it may reduce the number of ransomware attacks and discourage developers like the ones behind Cryptowall 3, one of the most notorious ransomware strains, which has wrought $325 million in damages.