The ransomware epidemic continues to spread. According to the Federal Bureau of Investigation, ransomware victims in the United States reported a total of more than $209 million in losses in the first three months of 2016 alone. The U.S. Department of Justice has reported that an average of 4,000 ransomware attacks occur in the United States each day.
Given the amount of sensitive data maintained by healthcare providers, and the reality that certain providers’ cyber defenses are less robust than those in place in other industries such as financial services, the healthcare industry is an attractive target for cybercriminals. As the proliferation of ransomware continues, an increasing number of healthcare providers have fallen prey to these attacks. In a blog post, Jocelyn Samuels, director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR), described the possibility of cyberattacks conducted using ransomware and other means as “[o]ne of the biggest current threats to health information privacy.” Indeed, many recent ransomware attacks have targeted major healthcare institutions. For example, in February 2016, ransomware at Hollywood Presbyterian Medical Center in California compromised access to the hospital’s computer systems for several days. Hollywood Presbyterian announced that it paid a ransom to unfreeze its files, but the cost of a ransomware attack can reach far beyond the ransom payment itself.
Paying the Ransom: Just the Beginning?
In the prototypical ransomware attack, a hacker installs malware on a company’s computer systems that prevents users from accessing critical data, often by encrypting that data. As the moniker “ransomware” would suggest, perpetrators then demand payment from the victim company in exchange for unlocking or returning the data.
Hackers can gain access to company computer systems through a variety of means, ranging from “planting” a seemingly misplaced thumb drive carrying malware in a company parking lot (where it can be discovered by a well-meaning employee and inserted into a company computer), to spear phishing or other social engineering ploys that harvest login credentials or trick a user into running the malware directly. Thanks to the availability of digital currency transactions, hackers can enjoy fast, remote, relatively anonymous access to cash paid by their sometimes desperate victims.
The healthcare industry is a particularly attractive target for ransomware attacks given the amount of data providers maintain, the importance of the data, and the gravity of denying access to that information. Blocking critical patient data can have crippling effects on the operations of a healthcare provider. When faced with potentially deadly consequences, some healthcare providers may feel pressure to pay the ransom, but succumbing to a hacker’s ransom demands may mark only the beginning of the company’s problems.
First, paying the ransom does not guarantee that the hackers will unlock the company’s data, and there is no way to ensure that the hackers will not corrupt or otherwise alter the data before returning the information to the victim healthcare provider. Paying a ransom also may embolden the attacker, encouraging further attacks on the institution itself or on other similarly-situated organizations within the industry.
Moreover, paying a ransom does not resolve the issue of any protected health information (PHI) affected by the attack. Under the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA), an unauthorized acquisition, access, use or disclosure of PHI is presumed to be a breach, and a ransomware attack that encrypts or otherwise takes control of PHI may constitute such an unauthorized “acquisition.” The presumption triggers a provider’s notice obligations unless the covered entity can demonstrate, through a documented risk assessment, a “low probability that the [PHI] has been compromised,” according to federal regulations. Otherwise, victim healthcare providers may need to provide notice to HIPAA’s primary enforcement agency, HHS OCR, and affected patients, among others. Companies then may face exposure to broad and often burdensome investigations, the scope of which may extend far beyond the parameters of the initial breach into a company-wide security program review.
Substantial payments can be required to resolve government investigations initiated by instances of unauthorized acquisitions of PHI. For example, earlier this year, HHS OCR announced that Advocate Health Care Network agreed to adopt a corrective action plan and pay $5.55 million to resolve potential HIPAA violations following breaches that affected the electronic PHI of approximately four million individuals. Similarly, in 2014, New York Presbyterian Hospital agreed to a corrective action plan and a $3.3 million payment to settle potential HIPAA violations.
How to Be Prepared
The time to start thinking about containment and mitigation is before an attack occurs. Responding to a ransomware attack can be daunting, but healthcare providers should consider the following key data management and information governance strategies when assessing the security of their systems: