As was summarized in this publication’s introduction to the first article in this two-part series on the ransomware crisis, published on April 18, ransomware has blossomed into a crisis-level phenomenon recently in U.S. healthcare. The first nationally reported mainstream media news story in this drama was that around Hollywood Presbyterian Medical Center. On Friday, February 12, NBC4News, the local affiliate of the NBC network in Los Angeles, reported in its noon and evening broadcasts, and then online, this story: “Hollywood Hospital ‘Victim of Cyber Attack.’” And since that moment, ransomware attacks have rarely been out of the mainstream media headlines, with revelations of attacks that have brought down electronic health record (EHR) and other clinical and operational information systems at the 10-hospital Columbia, Md.-based MedStar Health (first media report March 28), as well as at Methodist Hospital in Henderson, Ky. (first news report March 21), Alvarado Hospital Medical Center in San Diego, and Chino (Calif.) Valley Medical Center and Desert Valley Hospital in Victorville, Calif. (news stories on March 31), and Kings Daughters Health in Marion, Ind. (first news report Apr. 1).
What’s more, these reports represent a small percentage of the actual ransomware attacks taking place at hospitals and other patient care organizations nationwide; they involve situations in which full shutdowns of EHRs and even enterprise-wide information systems have taken place, and thus have garnered mainstream media attention. All those industry experts interviewed for the first ransomware article indicated that they are aware of ransomware attacks happening at least weekly now in the U.S., though in the majority of cases, patient care leaders have been able to respond to such attacks in ways that have avoided necessitated total shutdowns.
In the first article, we quoted Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, as saying of the explosion in ransomware activity, “I don’t know that I would call it crisis mode, but I will say that it’s a very serious threat to the industry right now, primarily because it’s a very concerted effort on the part of the cyber criminals to take advantage of weaknesses in the industry that they figured out they could exploit fairly readily. It has shone a bright light on the lack of preparedness in the industry for these kinds of attacks.,” he told us. “The problem now is that it’s happening so frequently and randomly, so it’s not like you’re being attacked directly—everyone who is connected is being attacked.”
After providing a sense of the overall landscape, those industry experts interviewed for the first article in this series gave an overall set of recommendations for a plan to prepare to meet the ransomware challenge. Here are some of the key factors they shared with us as being essential elements to any such plan:
Ø Above all, what is needed is awareness, buy-in, and support, from the CEO and the c-suite of the patient care organization and from its entire board of directors, as well as from senior management across the enterprise
Ø An information security/data security/cybersecurity strategic plan, fully articulated
Ø In most cases, the use of external services, such as security operations centers (SOCs), and other external consultants and vendors, to support data security management and operations
Ø As part of day-to-day operations, very frequent system-wide backups (possibly daily backups of at least portions of entire information systems, with annual, semi-annual, or quarterly testing of daily/frequent backup processes), behavioral monitoring and auditing processes, continuous updating of antivirus program signatures, continuous server patch updates, and the routinization of other operations-critical processes, with fail-safe verification processes in place
Ø Stronger limits on role-based user access to file-shares, systems and networks
Ø Intensive, comprehensive, continual education and training of all end-users of EHRs and other clinical and operational systems, especially including continual training around phishing
Ø In most cases, the hiring and support of a CISO and data security team
Ø Continuous budgeted funding sufficient for the above
Forging Ahead: What Healthcare IT Leaders Should Be Doing Now
So, what should CIOs, CISOs (chief information security officers), and other healthcare IT leaders be doing right now to protect their organizations from these threats? John Weller, CISO at Metro Health Hospital in Grand Rapids, Mich., part of the Metro Health system, says, “As a CISO, I’m relying on the operations to implement and monitor security threats. As CISOs, we try to find our weaknesses and see how we can compensate for them or solve them.”