Kansas Heart Hospital. Chino Valley Medical Center. Desert Valley Hospital.
Those three hospitals all have reputations for providing high-quality care, but they also share a dubious distinction: They are some of the most recent additions to the growing list of healthcare facilities that have been hit by crippling ransomware attacks in 2016.
The cybercriminals responsible for spreading ransomware – malicious software designed to encrypt your computer files and hold them hostage until a ransom is paid – have figured out that hospitals are prime targets because hospitals would rather pay a ransom than put patient health at risk.
It's a tactic that paid off big in February when Hollywood Presbyterian Medical Center shelled out $17,000 in Bitcoin to regain access to patient files following a ransomware attack that took computers offline for more than a week.
Other healthcare facilities to be hit with ransomware this year include Methodist Hospital in Henderson, Ky., King's Daughters' Health in Madison, Ind., and MedStar Health, a network of 10 hospitals in Maryland and Washington, DC. In those cases, however, the hospitals managed to avoid paying a ransom by retrieving clean versions of their files from backup and recovery systems.
“We knew we had a backup—I think we handled it as well as we could have,” said Linda Darnell, senior director of technology at King's Daughters' Health, in an April interview with Modern Healthcare. “We saw stories from other organizations that were hit, and those stories gave us the warning to be prepared.”
Victims of progress?
Hospitals make great targets for cybercriminals because doctors and nurses need quick access to up-to-date medical information about patients. Anything that prevents such access for any amount of time can lead to potentially dangerous delays in care, patient deaths and lawsuits. That's why hospitals are more likely to be targeted, and more likely to pay up, than other types of organizations. But it isn't the only reason they're being targeted.
Hospitals are also vulnerable because they're still in the process of adapting to the digital world. Several years ago, U.S. healthcare organizations were required to make the switch from paper-based filing systems to electronic medical health records – and many are still experiencing the associated growing pains.
At the same time, hospitals are far more likely to be focused on HIPAA compliance and training than on cybersecurity improvements and ransomware prevention. In fact, more than 80% of healthcare organizations spend less than 6% of their IT budgets on security, according to a recent survey conducted by security firm Symantec and HIMSS Analytics.
The result is that hospitals are being exploited – either through malware that targets unpatched vulnerabilities in their software, or via social engineering, where hospital employees are fooled into opening dangerous email attachments or clicking on links that unleash ransomware.
What can hospitals do to protect themselves?
It's clear that many hospitals need to do more to improve security and prevent ransomware attacks. Here are some straightforward steps hospitals can take to get started:
- Work with IT teams to ensure that the latest security patches and updates are applied to software systems.
- Create a security awareness program that trains employees on how to avoid ransomware attacks, phishing emails and social engineering scams.
- Monitor IT networks closely for intrusions, because cybercriminals often have a foothold inside a network and are probing for vulnerabilities well before the encryption starts, and that window is the best chance to stop an attack early.
- Implement a comprehensive backup and disaster recovery plan, because when ransomware strikes, it's the only way to get your data back without paying a ransom. The backups need to be kept offline or otherwise out of reach of the infected systems, and restores need to be tested before an incident, or the backups may be encrypted right along with everything else.
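As an added illustration of the last point (this is example code written for this page, not anything from the hospitals or vendors mentioned), the script below runs a small restore drill: it copies a constructed sample directory to a backup with a SHA-256 manifest, simulates a ransomware-style encrypt-and-rename pass over the live copy, shows that the manifest detects the damage, and verifies that a restore from the backup reproduces the original bytes. The directory names, file contents and the XOR "encryptor" are all constructed for the demo; a real encryptor would also hit any backup reachable from the infected host, which is exactly why the backup has to live somewhere the host cannot write.

```python
"""Backup-and-restore drill (added example, not from the original article).

Builds a backup with a SHA-256 manifest, simulates ransomware damage on the
live copy, proves the manifest catches it, and verifies a clean restore.
All paths and file contents below are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = ".manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path -> SHA-256), skipping the manifest itself."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def take_backup(src: Path, dst: Path) -> dict:
    """Copy src to dst and store a manifest alongside it so restores can be verified."""
    shutil.copytree(src, dst, dirs_exist_ok=True)
    manifest = build_manifest(dst)
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(root: Path, manifest: dict) -> list:
    """Return the relative paths that are missing or whose hash no longer matches."""
    damaged = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            damaged.append(rel)
    return sorted(damaged)


def simulate_ransomware(root: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for an encryptor: XOR every byte and rename to *.locked.

    It only touches `root`; a real attack would also encrypt any backup share
    the infected machine can write to, so the backup must be offline/immutable.
    """
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            p.rename(p.with_name(p.name + ".locked"))


def restore(backup: Path, target: Path) -> dict:
    """Wipe target, copy the backup back (without the manifest), return the stored manifest."""
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup, target, ignore=shutil.ignore_patterns(MANIFEST_NAME))
    return manifest


def run_drill() -> dict:
    """End-to-end drill on constructed sample data; returns what each stage observed."""
    work = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    live, backup = work / "ehr", work / "backup"
    (live / "records").mkdir(parents=True)
    (live / "records" / "patient-001.txt").write_text("constructed sample record A\n")
    (live / "records" / "patient-002.txt").write_text("constructed sample record B\n")
    (live / "schedule.csv").write_text("date,room\n2016-05-01,3\n")

    manifest = take_backup(live, backup)
    clean_before = verify(live, manifest)      # expect [] : live matches backup
    simulate_ransomware(live)
    damaged = verify(live, manifest)           # expect every file flagged
    stored = restore(backup, live)
    clean_after = verify(live, stored)         # expect [] : restore is byte-exact

    shutil.rmtree(work)
    return {
        "files": len(manifest),
        "clean_before": clean_before,
        "damaged": damaged,
        "clean_after_restore": clean_after,
    }


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The drill is deliberately run against a throwaway directory so it can be scheduled regularly; the useful signal is the last check coming back empty, which is the evidence that a restore actually works, not just that a backup job reported success.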