For a variety of reasons, the healthcare profession continues to be plagued by ransomware incidents, with cybercriminals and their ill-gotten gains hampering efficiencies, disrupting operations and jeopardizing patient data.
It’s not getting any better. Ransomware attacks in the healthcare sector are predicted to quadruple between the years 2017 and 2020,1 and will account for more than 70% of all healthcare malicious software (malware) outbreaks.2
Ransomware is malware designed to block access to a computer system or computer files until a sum of money is paid. Most ransomware variants encrypt the files on the affected computer, making them inaccessible, and demand a ransom payment to restore access. Health professionals generally have an understanding of the basics of how ransomware works.
Healthcare organizations are especially attractive to cybercriminals, thanks to the higher perceived likelihood of payment, the importance of the data stored on their networks, and the impression they are less prepared for ransomware demands.3
The healthcare sector is also frequently hampered by threats from inside.4 Digitally connected systems and operations are especially vulnerable to phishing emails inadvertently opened by healthcare staff, which opens the door to ransomware attacks.
Healthcare facilities’ reliance on technology to provide patient services also make them prime targets. A hospital or clinic may lose access to patient records or booking systems after an attack, impacting the provision of appropriate care, and potentially bringing a facility to its knees. The infamous WannaCry attack was especially damaging to the UK’s National Health Service (NHS), locking down computers and paralyzing NHS operations in 2017. It also left the NHS with a £73 million IT bill,5 much of it to restore systems and data. The downtime after a ransomware attack can last months.6
The NHS incident garnered the most headlines. However, there are many other recent examples of serious disruptions from ransomware that have temporarily or permanently disrupted patient care:
Strategies to Mitigate Ransomware Risks
The first steps any healthcare organization can take to limit network and data harm from a ransomware attack is to recognize the risk and take the right actions. CNA Risk Control’s Nick Graf, Assistant Vice President, Information Security, suggests these valuable tips to mitigate your ransomware exposure:
Protect employees by:
Protect your network by:
Protect data by:
Healthcare organizations also need to be aware that trusted third-party vendors could become infected with ransomware. This might result in information becoming unavailable or, even worse, attackers using a vendor’s network access to spread an infection and impact the healthcare organization’s corporate systems. Some ways to be more resilient against these outcomes include:
Beyond taking steps to prevent ransomware attacks, a healthcare organization should prepare to respond quickly if an attack is successful. First, the organization will need to identify the threat and invoke its Incident Response Plan, taking time to contact law enforcement and its insurer. It may be necessary to power down systems as the organization works to contain the infection; healthcare organizations should develop a process for providing patient care during EHR downtimes (e.g., reverting to paper-based documents). After the malware is contained, it’s important to review the incident for lessons learned (preferably through a root cause analysis) and take all steps necessary to ensure a similar incident doesn’t happen again.
Unfortunately, a single ransomware attack can be devastating – and healthcare organizations may be especially vulnerable. By recognizing its risk and developing plans to prevent and respond to ransomware attacks, a healthcare organization will help protect its company – and its data –from this growing threat.
1 Healthcare Industry To Spend $65 Billion On Cybersecurity From 2017 To 2021. https://cybersecurityventures.com/healthcare-industry-to-spend-65-billion-on-cybersecurity-from-2017-to-2021/
2 Verizon 2019 DBIR https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
3 CBC News. (2019). Here's what we know about the ransomware that hit 3 Ontario hospitals. Retrieved at https://www.cbc.ca/news/technology/ransomware-ryuk-ontario-hospitals-1.5308180
4 Verizon 2019 DBIR. Op. Cit.
5 NS Tech. (2018). The WannaCry ransomware attack left the NHS with a £73m IT bill. Retrieved at https://tech.newstatesman.com/security/cost-wannacry-ransomware-attack-nhs.
6 Medtechdive. (2020). Hospitals clinics most likely to be hit with ransomware attack. Retrieved at https://www.medtechdive.com/news/hospitals-clinics-most-likely-to-be-hit-with-ransomware-attack/572106/
7 CBC News. Op. Cit.
8 Wood Ranch Medical. (2019). Wood Ranch Medical Notifies Patients of Ransomware Attack. Retrieved at https://www.woodranchmedical.com/.
9 Healthcare Info Security. (2019), Australian Medical Facilities Hit by Ransomware. Retrieved at https://www.healthcareinfosecurity.com/australian-medical-facilities-hit-by-ransomware-a-13167.
10 Advance Local Media. (2019). DHC health System still grappling with ransomware attack. Retrieved at https://www.al.com/news/2019/10/dch-health-system-still-grappling-with-ransomware-attack.html
11 HIPAA Journal. (2019). 391,472 Patients Impacted by Sarrell Dental Ransomware Attack. Retrieved at https://www.hipaajournal.com/391472-patients-impacted-by-sarrell-dental-ransomware-attack/.
12 Forbes. Infection Hits French Hospital Like It’s 2017 As Ransomware Cripples 6,000 Computers. Retrieved at https://www.forbes.com/sites/daveywinder/2019/11/20/infection-hits-french-hospital-like-its-2017-as-ransomware-cripples-6000-computers/#736ce953576e.
13 Dracoon. (2019). Once again, ransomware-attack in German hospitals – hazardous situation remains. Retrieved at https://www.dracoon.com/2019/07/19/ransomware-attack-again/.
14 Office of the Privacy Commissioner of Canada https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/provincial-and-territorial-privacy-laws-and-oversight/
To access all other 2019 blogs: https://www.cnacanada.ca/web/guest/cnacanada/about/listofauthors
Ruth Stewart is the Senior Risk Control Consultant, Healthcare for CNA Canada. Ruth brings to her role a background in clinical nursing which includes experience in surgical, intensive care and trauma nursing as well as management of risk in the not-for-profit sector. She left the healthcare sector to work with an international broker using her clinical and operational knowledge to assist acute care and long term care insureds better manage their risks. Ruth works directly with insureds to manage operational risk, and develops publications, tools and other resources to help insureds manage risk. Ruth collaborates with a team of seasoned Healthcare Risk Control/Risk and Governance professionals in the US and UK to provide a comprehensive range of risk services to CNA’s insureds.
Ruth received her nursing training from George Brown College, and her Master in Health Administration from the University of Ottawa. She is a member of the College of Nurses of Ontario (CNO), and a certified member (CHE) of the Canadian College of Health Leaders (CCHL).