Ransomware is becoming a growing problem for the healthcare industry. And with around a dozen attacks on hospitals being reported since the beginning of the year, you may be wondering just how severe the problem is. Should you be alarmed? How can you protect your practice? Here’s an inside look at how the ransomware epidemic is affecting the US and Canadian healthcare systems.
The ransomware strike on Hollywood Presbyterian Medical Center on February, 5 was one of the first major attacks this year. The hospital lost control of its computer system to hackers and was forced to pay them $17,000 to regain control.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” stated Allen Stefanek, president of the medical center.
Thankfully, access to Hollywood Presbyterian’s EMR system was restored on Monday February, 15, over a week after the initial attack. So what can be learned from this story? Well, it raises a very important question…
Should you pay a hacker who’s infected your system with ransomware?
It’s a vexing question, and unfortunately the consensus on the answer is split. The problem is that the ransomware is very intelligently designed. And while it may sound absurd to pay so much money to a hacker, especially when there’s no guarantee your systems will be restored, oftentimes there’s not much choice.
“The ransomware is that good. To be honest, we often advise people just to pay the ransom.” said Joseph Bonavolonta, an Assistant Special Agent of the FBI’s CYBER and Counterintelligence Program.
While Bonavolonta and other law enforcement officials have advised to pay the ransom, the US government has oddly enough said the opposite. In a release made public late last month, they noted, “Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.”
The reasoning behind this argument is that by paying the ransom, you’re encouraging hackers to attack more practices.
How deep does the ransomware epidemic go?
According to Symantec’s 2015 Internet Security Breach Report, the healthcare industry had the highest number of data breaches for four years in a row and suffers 37% of all breaches that occur. In fact, last year alone there were more than 250 separate incidents of data breaches in healthcare totaling over 112 million records. And the problem doesn’t look to be getting any better as many experts believe that attacks are likely to grow in number and scale.
Hackers know that most healthcare facilities haven’t installed proper security measures to protect themselves. Hospitals have tight budgets, often emphasize convenience over security and have multiple entry points into their system, all of which makes them easy prey for cyber criminals. Of course hackers don’t breach a system just because it’s easy. They do it because there is valuable information stored inside, and healthcare facilities are ripe with info that can fetch a high price on the black market and help criminals steal a patient’s identity. The fact that the system is easier to breach just makes healthcare facilities a more alluring target
What can you do?
It all starts with paying more attention to security in general. But some tips to help any practice secure their system should include staff training that allows employees to better identify phishing emails, restriction of access to sensitive information, encryption and two factor authentication. While these are a few basic tactics you can use to get started, consulting an IT provider that specializes in healthcare security can be a wise decision that provides peace of mind and safety for your valuable data.