Ransomware attacks on healthcare facilities continue to wreak havoc

For a variety of reasons, the healthcare profession continues to be plagued by ransomware incidents, with cybercriminals and their ill-gotten gains hampering efficiencies, disrupting operations and jeopardizing patient data. 

It’s not getting any better.  Ransomware attacks in the healthcare sector are predicted to quadruple between the years 2017 and 2020,¹ and will account for more than 70% of all healthcare malicious software (malware) outbreaks.²

Ransomware is malware designed to block access to a computer system or computer files until a sum of money is paid. Most ransomware variants encrypt the files on the affected computer, making them inaccessible, and demand a ransom payment to restore access. Health professionals generally have an understanding of the basics of how ransomware works.

Ransomware Attacks

Healthcare organizations are especially attractive to cybercriminals, thanks to the higher perceived likelihood of payment, the importance of the data stored on their networks, and the impression they are less prepared for ransomware demands.³

The healthcare sector is also frequently hampered by threats from inside.⁴ Digitally connected systems and operations are especially vulnerable to phishing emails inadvertently opened by healthcare staff, which opens the door to ransomware attacks.

Healthcare facilities’ reliance on technology to provide patient services also make them prime targets. A hospital or clinic may lose access to patient records or booking systems after an attack, impacting the provision of appropriate care, and potentially bringing a facility to its knees. The infamous WannaCry attack was especially damaging to the UK’s National Health Service (NHS), locking down computers and paralyzing NHS operations in 2017. It also left the NHS with a £73 million IT bill,⁵ much of it to restore systems and data. The downtime after a ransomware attack can last months.⁶

The NHS incident garnered the most headlines. However, there are many other recent examples of serious disruptions from ransomware that have temporarily or permanently disrupted patient care:

• In September 2019, three Ontario hospitals were infected by the Ryuk malware. Hospital email systems were taken offline, and they reverted to pen-and-paper-based systems. No ransom was demanded or paid.⁷
• Wood Ranch Medical, a small clinic in Simi Valley, Calif., closed on Dec. 17, 2019 because it could not regain access to any of its records after a ransomware attack. The ransomware attack encrypted the practice's servers containing patients' electronic health records, as well as its backup hard drives.⁸
• Medical facilities and hospitals across the state of Victoria, Australia were infected by file-encrypting ransomware in October 2019, causing the shutdown of patient booking systems and financial systems. The affected hospitals reverted to manual, paper-based systems to maintain services.⁹
• In October 2019, the U.S. DCH Health System temporarily ceased accepting new patients at three of its hospitals when a ransomware attack limited use of the hospital system’s computers. DCH ultimately decide to pay a ransom to decrypt the systems.¹⁰
• In July 2019, Sarrell Dental, the largest provider of dental services in Alabama, closed its network for two weeks to investigate the incident.¹¹
• In November 2019, a ransomware attack on a hospital in Northern France affected all five sites of the hospital complex and led to the need to restore systems.¹²
• In July 2019, 13 clinics in Germany were attacked by ransomware resulting in the clinics being unreachable by email, fax or telephone.¹³

Strategies to Mitigate Ransomware Risks

The first steps any healthcare organization can take to limit network and data harm from a ransomware attack is to recognize the risk and take the right actions. CNA Risk Control’s Nick Graf, Assistant Vice President, Information Security, suggests these valuable tips to mitigate your ransomware exposure:

Protect employees by:

• Conducting regular security awareness training and phishing campaigns.
• Making sure employees always operate with least privilege, only granting minimum access necessary for users to perform their work.

Protect your network by:

• Applying security patches within 30 days of release.
• Using email filtering to block spam and phishing messages, and Web filtering to block access to malicious websites.
• Segmenting the network based on the classification level of information stored on its systems.
• Monitoring critical systems, avoiding all unsupported operating systems or platforms, and having a process to decommission unused systems.

Protect data by:

• Backing up business data regularly.
• Testing backups for restorability, and ensuring they are stored offline and offsite.
• Having a formal incident response plan (designed to quickly contain an incident) as well as disaster recovery and business continuity plans, and testing them all annually.

Healthcare organizations also need to be aware that trusted third-party vendors could become infected with ransomware. This might result in information becoming unavailable or, even worse, attackers using a vendor’s network access to spread an infection and impact the healthcare organization’s corporate systems. Some ways to be more resilient against these outcomes include:

• Having a formal vendor management program that classifies each vendor’s type of data and level of access.
• Making sure every vendor operates with least privilege and requires multi-factor authentication.
• Requiring all vendors to protect information with safeguards at least as good as your own, and performing due diligence and annual audits to ensure they meet your standards.
• Requiring vendors to defend and indemnify you if they contribute to a cyber event or provincial/territorial privacy legislation breach, and to either have sufficient liquid assets and appropriate insurance coverage (which depending on the vendor’s business may include cyber, professional liability, and E&O) to cover their foreseeable liability.¹⁴
• Making sure each contract clarifies how data will be returned or destroyed at the end of an engagement.

Beyond taking steps to prevent ransomware attacks, a healthcare organization should prepare to respond quickly if an attack is successful. First, the organization will need to identify the threat and invoke its Incident Response Plan, taking time to contact law enforcement and its insurer. It may be necessary to power down systems as the organization works to contain the infection; healthcare organizations should develop a process for providing patient care during EHR downtimes (e.g., reverting to paper-based documents). After the malware is contained, it’s important to review the incident for lessons learned (preferably through a root cause analysis) and take all steps necessary to ensure a similar incident doesn’t happen again.

Unfortunately, a single ransomware attack can be devastating – and healthcare organizations may be especially vulnerable. By recognizing its risk and developing plans to prevent and respond to ransomware attacks, a healthcare organization will help protect its company – and its data –from this growing threat.

To access all other 2019 blogs: https://www.cnacanada.ca/web/guest/cnacanada/about/listofauthors
 

Ruth Stewart is the Senior Risk Control Consultant, Healthcare for CNA Canada. Ruth brings to her role a background in clinical nursing which includes experience in surgical, intensive care and trauma nursing as well as management of risk in the not-for-profit sector. She left the healthcare sector to work with an international broker using her clinical and operational knowledge to assist acute care and long term care insureds better manage their risks. Ruth works directly with insureds to manage operational risk, and develops publications, tools and other resources to help insureds manage risk. Ruth collaborates with a team of seasoned Healthcare Risk Control/Risk and Governance professionals in the US and UK to provide a comprehensive range of risk services to CNA’s insureds.

Ruth received her nursing training from George Brown College, and her Master in Health Administration from the University of Ottawa. She is a member of the College of Nurses of Ontario (CNO), and a certified member (CHE) of the Canadian College of Health Leaders (CCHL).