Ransomware has been around for decades, but many of us weren’t paying this criminal activity much attention until early last month, when cybercriminals attacked a fuel line running from Texas to the East Coast. Hackers infiltrated the pipeline’s digital network, held it hostage by encrypting its data, and demanded a ransom in cryptocurrency for its return.
In response, Colonial Pipeline, the pipeline’s owner, shut down the pipeline, which caused fuel prices to skyrocket. Ultimately, Colonial paid the 75 Bitcoin ransom, which amounted to roughly $4.4 million.
Cyberattacks like this one have been on the rise for years. According to some estimates, ransomware attacks increased by about 485% from 2019 to 2020.
But why should physicians care about digital warfare? Here’s why: Hospitals, clinics, and other medical facilities have become prime targets for cyber gangs—and doctors play an important role in preventing things from getting worse.
Ransomware in healthcare
According to one report, ransomware attacks cost the US healthcare industry $20.8 billion in downtime last year.
Facilities hit by ransomware attacks have seen their EHRs shut down and surgeries delayed or rescheduled. In September, cybercriminals struck Universal Health Services (UHS), a large provider organization headquartered in Pennsylvania. It was forced to shutter digital networks at all 250 of its US facilities. UHS has 90,000 employees and treats 3.5 million patients a year, making it one of the nation’s largest healthcare networks. According to one emergency department technician, staff were forced to switch to pen and paper, and some patients had to be rerouted to other emergency rooms and facilities.
Another ransomware attack that took place last year targeted medical equipment manufacturers, pharmaceutical companies, and other firms involved in a COVID-19 vaccination supply chain. The attack ultimately affected 44 companies across 14 countries.
At this point, there’s probably a question lingering in your mind: Are these attacks harming patients? The answer is yes. According to various media reports, a cyberattack in Germany led to the rerouting of a patient from a hospital in Dusseldorf, which was shut down after a cyberattack in September. The patient, who required urgent medical care, died en route to another facility 20 miles away.
The case illustrates why ransomware attacks on the healthcare industry are on the rise: In hospitals and clinics, downtime can mean the difference between life and death for patients. Knowing this, hackers are more likely to target healthcare providers, and administrators are more likely to pay ransoms.
What doctors need to know about ransomware
As discerning as they are, physicians and other healthcare workers represent a primary entry point for hackers looking to infiltrate provider organizations. Many large attacks start in seemingly innocuous ways, like via email phishing. This is something that Mahdi Hedhli, founder and CEO of cybersecurity firm GoVanguard in New York City, knows all too well.
“The vast majority of breaches still start from a social engineering aspect, like human error,” Hedhli said during an exclusive interview with MDLinx.
Founded 8 years ago, Hedhli’s firm specializes in preventing such attacks before they occur. The best way to make that happen? If you want to beat cybercriminals, you have to think and act like them, said the firm’s VP of cybersecurity, Christian Scott.
“We simulate real malicious actors. And in that process we try to create teachable experiences for those organizations so that they can improve their security,” Scott said.
After launching a sham attack, the team’s “White Hat” hackers (the opposite of malicious “Black Hat” hackers) send a report to the company pinpointing weaknesses in their defenses, what kind of data they could have stolen, and the impact it could have had on their business. Next comes a remediation plan for how to shore up those security gaps.
Prior to entering the cybersecurity business, Scott and Hedhli set up networks and provided IT services to hospitals and healthcare firms. Now, roughly 30% of their clients are healthcare organizations. Thanks to that experience, the pair understands the steps healthcare workers and administrators should be taking to best protect themselves.
“Healthcare institutions are awesome for hackers to target. There’s a lot of money in healthcare, and on top of that, the healthcare sector in particular is plagued with a lot of legacy technologies,” Scott said. “They’re usually tied to a lot of really old electronic medical record environments, patient management systems, patient portals, practice management systems. … I've even seen healthcare institutions today, they’re still stuck using things like Windows 7, which is no longer supported by Microsoft. But the reason why they’re stuck with Windows 7 is because their EMR doesn't actually support Windows 10 yet.”
A perfect solution would be to upgrade all these systems, but that’s not always feasible. In lieu of that, Scott said all healthcare organizations should have a technology department with at least one individual in charge of security.
“It’s really important that healthcare institutions start being more proactive and engage third parties in the process of conducting penetration tests, ransomware simulations, that kind of stuff,” he said, adding that tests like these can result in lower cyber liability insurance premiums for organizations.
If you don’t think this is happening at your practice or hospital, you might want to talk to an administrator about it. Hedhli noted that a good practice for hospitals would be to use different cybersecurity firms for each repeated penetration test.
“We tell our own clients: Don't come back to us for every pen-test,” he said. “You'll get different results from different cybersecurity firms, just as you would with different malicious actors.”
Beyond penetration testing, Scott said, organizations often fail to conduct the right kind of end-user security awareness training. While many firms might offer a catch-all training for everyone at the company, most should be targeting employees who are more vulnerable to attacks. Leaders can start by assessing their staff and sending out their own phishing emails to understand which healthcare workers could benefit from additional education.
In addition, Scott said, healthcare workers need to pay particular attention to their devices. He often sees employees using personal devices, rather than company cell phones or laptops. This could be a HIPAA violation, which not only brings increased risk of security breaches, but the potential for hefty fines.
“I see myriad doctors texting back and forth with patient information, which is a huge no-no,” he said. “They're using a personal device and there’s healthcare information on it. That device gets infected, that device gets brought into the company network, then it spreads from there.”
Before working to bolster cybersecurity defenses, physicians and other clinicians should know that testing and training aren’t one-and-done engagements, Hedhli noted. Cybersecurity and cybercriminals are in an ongoing arms race, so security is more like a journey than a destination.
“Anybody working with any sort of protected information really needs to be tested on an ongoing basis,” he said, “because there is no silver bullet when it comes to security. It’s an ongoing process.”