Last month the healthcare industry received a wake-up call when a medical center’s health data was held hostage by cybercriminals. These ruthless individuals had no regard for the victims or the impact the attack may have had on thousands of patients. It truly is an upsetting realization that these common thieves are invading our healthcare systems with absolutely no concern for the innocent patients whose well-being and care are affected most.
This particular instance involved the computer system at Hollywood Presbyterian Medical Center, based in Los Angeles, Calif. Their system was down for more than a week following a ransomware attack, with hackers demanding $17,000 in bitcoin. During this time, hospital staff were forced to communicate using paper and faxes. The hospital ultimately paid the ransom in order to obtain the decryption key and restore system functions. While in this instance there was no disruption in patient care, thanks to the excellent providers and caregivers at the hospital, think about what could have happened or what could happen next.
There was a similar attack just last week at Ottawa Hospital, where attackers broke into the hospital’s network with ransomware in an attempt to encrypt their computers. The hospital, located in Ottawa, Canada, had 4 of its 9,800 computers infected with the malware, which effectively locked down the machines, making it impossible for workers to access any of the stored files. Ottawa Hospital stated the attack was quickly discovered, the four computers were isolated, and no patient information was compromised.
These viruses present a new kind of threat, where hackers encrypt a computer network's data to hold it "hostage", providing a digital decryption key to unlock it for a price. This attack, and other attacks like it, are referred to as ransomware or crypto viruses, and they are malign. They can infiltrate an entire system no matter what security features are in place, and can take many different forms, making them difficult for even the most seasoned IT expert to detect before it’s too late. Methods of entry can include an attachment in a legitimate-appearing email, perhaps from someone you know such as a vendor or a friend, or even a pop-up from your favorite shopping site. Once that button is clicked, the malware gains entry and the damage can be devastating. A house with a state-of-the-art alarm system is protected against a burglary when it is armed, but if you leave the front door open a thief can sneak in. If this is the case, then what can we do? We can start with increased education, network firewalls and disaster recovery.
The attack at Ottawa Hospital is a shining example of how system security measures and an educated workforce can come together to overcome a ransomware attack and keep patient data safe. While there was a loss of data, it was not as significant as it could have been because the damage was contained. It demonstrates that this kind of attack can happen to anyone anywhere, and we all need to fully prepare our facilities and staff for the inevitable. You can educate your teams about this threat by ensuring they are very aware of the potential harm that lurks within any email attachment and link. You should educate your staff to notice anything out of the ordinary (this could include an unexpected email from a trusted source, a sender that is familiar but appears slightly different, an attachment that looks suspicious, or the sudden inability to access files) and then go a step further to make sure they know who to immediately contact if they experience these issues. Getting the information to an IT expert as quickly as possible will allow them to isolate the infected software and shut it down before the entire system is damaged. When in doubt, just don’t open anything; forward it to your IT team to investigate, or follow up with the sender if you are unsure. When driving, you are supposed to be a defensive driver, anticipating dangers from other drivers or conditions with an aim to reduce the risk of collisions; we can say the same about cyber security. You need to constantly anticipate an attack, almost be paranoid, and train your staff to do the same.
No patient or provider should have to suffer the negative consequences of a healthcare data outage due to these criminal actions. That’s why we strive to plan for the unexpected and make sure our clients are not only taking the necessary precautions, such as using firewalls, installing and maintaining anti-virus software, and limiting network access, but also going a step further by focusing on staff education and having a plan in place in the event of a data catastrophe. By working together we can all be prepared; awareness is preparedness.