A frightening new kind of malware has made headlines all over the world during the past few years. Ransomware is an attack that really represents the digitization of an age-old tactic: the holding of hostages. However, in today’s data-centric world, the hostage is not a human being, but your patient data.
Ransomware gains unauthorized access to your network systems and your data. Once inside, the software will “lock down” your files and folders, encrypt them and shut you out. The attackers then demand that you pay a ransom for the release of your data, or threaten to destroy it.
Ransomware has devastating ramifications in many industries, but especially in healthcare. Medical offices are some of the most vulnerable when it comes to fending off these attacks. That’s why experts in the field are urging medical administrators and other stakeholders to carefully examine the risks and figure out ways to keep this new threat at bay.
Providers Slow to Update Security
One of the big challenges of keeping your patient information safe is the burden of implementing patches and version updates, replacing old hardware and software, and generally keeping up with the pace of digital security changes.
In a sense, software has a shelf life when it comes to security. Software makers often end support for old and obsolete software. Ultimately, you are expected to keep on top of these changes and update your systems accordingly.
However, in many cases, this is not happening.
Why are medical providers so slow to update systems? One of the biggest reasons is that updating causes downtime: components may have to be taken offline, or shut down, to perform these upgrades.
In medicine, downtime means delayed and angry patients, clinical mistakes or other serious problems. Disruption is something that many doctors and medical professionals can’t afford, and so they make do with IT tools that have outlived their security coverage.
It’s a little like the problem of renovating New York subway stations – the best fixes would entail shutting down transport lines that travelers use 24/7. That’s how it is in the medical world, too, and administrators often sacrifice security to preserve continual access. Whether that’s the right play or not depends on a very complicated risk analysis.
Ransomware in Medical Device Interfaces
There’s another big problem making medical providers particularly vulnerable to malware attacks. Unlike some other types of enterprises, hospitals and medical facilities use a wide range of other digitized machines, which come with their own operating systems and interfaces: x-ray machines, EKG monitors, IV controllers, vital sign collectors, to name a few.
These auxiliary machines can also house key patient data, and many of them do so in real time. So attacks on medical devices can be serious for you as well.
A report in Forbes provides an actual example of ransomware hitting a medical device inside a US care facility. In a May 2017 article, Forbes staffer Thomas Fox-Brewster covers the alleged infection of a Bayer radiology machine. Noting a lack of specific confirmation of any single device infection, the story includes a picture of an equipment display screen with the dismaying hallmarks of WannaCry sprawled across it. It also goes over responses by the manufacturer, including promises to install corrective patches.
If the diagnostic machines that you use every day are also Trojan horses for ransomware, this ups the ante yet again. It shows why it’s so crucial for you to know everything you can about how to keep patients and their data safe.
HIPAA Hits Hard
Considering the stringent HIPAA rules that can lead to millions in fines and penalties (or even jail time), leaving your patient information exposed is simply not worth the risk.
The Office for Civil Rights (OCR) pages on the Health and Human Services (HHS) website are full of healthcare organizations that never dreamed they could be found guilty of a HIPAA violation, and yet they were.
It doesn't matter if you work in a hospital system or are a solo practitioner. It doesn't matter what state you're located in or what specialty you practice. And the "I didn't know" excuse isn't going to fly either. Unless you take action, you're at risk.
But with a little help, you CAN shield your practice from ransomware attacks and the massive fines and penalties that a HIPAA breach can create.
If you would like some help protecting your patient information from ransomware attacks, you can access an online training led by privacy expert John Brewer. During his 60-minute session, he’ll walk you through how to identify the top security threats in your office, and how you can resolve them.