Think You’re Not a Target? Don’t Kid Yourself

The number of ransomware attacks on healthcare systems rose by 123% from 2019 to 2020. Smaller medical organizations think they’re safe because of their size. Here’s a dose of reality – smaller companies have less money to spend on cybersecurity. They’re an easy target.

The coronavirus pandemic increased the vulnerability of public and private healthcare systems. Data was more vulnerable and the need to restore it more urgent. There was no room for negotiation.

From hospitals to pharmacies, they paid the hackers. Even after paying, it took most of them weeks to come back from EHR downtime protocols. Some faced double extortion: hackers stole patient records before they took over the system.

In 2020, U.S. healthcare systems paid out over two million dollars in ransom to regain access to their systems. That cost doesn't include legal fees, cybersecurity forensics, and operational losses.

What is Ransomware?

A ransom pays for the return of a kidnapping victim. Hackers are data kidnappers who release malicious software into a system. The patient data isn't necessarily removed from the system; the malware encrypts it so that no one else can use it. Sometimes hackers will steal records first to sell on the dark web. Either way, once the kidnappers are inside the system, they take control. The organization no longer has access to the system's data or functions.

The hackers let the organization scramble for a bit to build urgency, then they make contact. They set a price for the release of the data and the payment method. Cryptocurrency is the norm for most transactions. Once the organization pays up, the hackers release the data. The organization still won’t know when or how the hackers got in. It can cost hundreds of thousands of dollars to find the back door and make sure the system is secure.

According to SonicWall's 2021 Cyber Threat Report, there were 304 million ransomware attacks around the world in 2020. Cyber-extortion is a profitable crime without much risk. Hackers cover their tracks with anonymous cryptocurrency transactions. There is every indication that ransomware attacks will continue to rise.

In the past decade, the government has prioritized and required the use of electronic medical records. Sharing patient data is a driver behind the Centers for Medicare and Medicaid Services' new payment model. Medical data is time-sensitive; loss of access can have urgent consequences for patients. That makes every healthcare system a prime target. Don't think it won't happen to your practice. If it happens to a hospital where


Public & Private Health Infrastructure

The pandemic unveiled many weaknesses in our public health systems. State and federal budgets have been cut, jobs eliminated. There are too few bodies in the seats. Too many experts and analysts have retired or moved on to better jobs. Federal funding for emergency preparedness at the CDC was cut by 50%. The AMA reports that state funding for public health has fallen 16% in the past decade. Whenever we have a period without a public health emergency, the rug gets pulled out from under our response capability.

Public health systems are desperately underfunded. The modernization of the VA's EHR is going to cost $1 billion to $2.6 billion more than anticipated. It's unclear how security is managed. Medical information is exchanged between agencies, on the internet, and on mobile devices. From smartphones to sensors and co-pays to consults, private medical data flies around with unencrypted ease.

Large private healthcare systems are definitely digital. Their goal is quality of care but also increased efficiency. Think of how many people are on the system in the hospital itself, then consider the external connections. How many third parties are connected? Insurance providers, online payment processors, and EMTs? Temp administrative staff, doctors with admitting privileges, hospice workers, and mortuaries?

In the U.S., there are 350,000 unfilled positions for cybersecurity professionals. Competition for talent is high, and for Health IT professionals even higher. Do you think any healthcare system, public or private, can monitor the security of all those systems and devices?

Based on the examples below, probably not.

Ransomware Case Studies


The latest report from Comparitech traces the health system breaches in 2020. There were 92 ransomware attacks on 600 clinics and hospitals, affecting 18 million patient records. Organizations are only required to report a HIPAA breach if it affects 500 people. It is quite plausible that smaller practices have had incidents that were never reported, not even to their patients.

The worst ransomware breach of 2020 came from a third-party IT provider.

The Blackbaud Breach

Blackbaud is a cloud services provider. Their services include payment processing, financial management, and fundraising for endowments. Beyond the universities and non-profits, 100 U.S. healthcare organizations were affected. Over 12.3 million patient records were exposed.

Blackbaud originally said they stopped the hackers before they could control access to any data. Most cybersecurity professionals think they paid the ransom. Later the company had to acknowledge that a subset of data was stolen. It included usernames, passwords, and credit cards. It was double extortion: the hackers stole the data before they encrypted the system.

Customers are less than pleased with Blackbaud's response. The attack began on Feb. 7 and wasn't caught until May, and the company didn't inform its clients until July. The attack cost the company $3.6 million to restore services. They face over 20 lawsuits in the United States and Canada.

Ransomware Attack at Scripps Health

A ransomware attack took place in May 2021 at the four Scripps Health hospitals in San Diego. The attack shut down their Epic EHR system and their patient portal. Emergency care patients were diverted from these locations, and patient cancellations were high.

Telemetry data and imaging capacity were offline. The hospitals continued to operate under a paper records protocol, but many surgeries were postponed. It took 27 days to regain control of their systems. At this time, there’s no information about how much they paid to regain access or how many records were breached.

Universal Health Services (UHS) Breach

In September of 2020, UHS went to EHR downtime protocols after a ransomware attack took down all 400 medical facilities. Hackers locked down computers and phone systems at some facilities. Initially, UHS referred to the incident as an IT disruption but eventually had to acknowledge the attack. Some ambulances were diverted during downtime and some surgeries were delayed. It took a total of three weeks to bring the systems back online. In February 2021, UHS reported $67 million in lost pre-tax revenue due to the breach. There's been no disclosure of the ransom payment or clarification of whether any data was stolen. As of May 2021, they are being sued by a patient whose surgery was delayed.

GenRX Ransomware Attack

GenRX Pharmacy in Arizona was subject to a ransomware attack in September of 2020. The company remained operational by using data backups. A team of IT experts managed to fend off the hackers and GenRX refused to pay the ransom. But while hackers had access to the system, they stole 137,000 patient records. When the ransom was denied, the data was exposed on the dark web.

Cyber Security Investment

Breaches in healthcare data are the most costly of any industry. The average cost of a breach is $6.45 million. According to the HIPAA Breach portal, there are 773 hacking incidents under investigation from the past 2 years. The database doesn't specify the type of hack, but an internet search of a provider's name will usually answer that question.

Smaller companies think they won't be targeted, but their systems lack sophisticated protections. They are easily hacked. A practice with 1000 patient records is less time-consuming to breach than a hospital system. Suppose a team of hackers gets into two small systems a day and demands a $10,000 ransom from each. The figure is manageable for the practice, so they pay up. In 30 days, the hackers could net $600,000 with little effort.

It may be hard to keep a cybersecurity professional on staff. The talent market is very competitive and salaries are high. Consider using a cybersecurity firm to protect your systems and keep you in compliance. Depending on the size of your organization, the cost can range from $5,000 to $20,000 a month ($60k to $240k a year).

If you think that's too expensive, see how many records are stored in your EHR and multiply that by $469. Then try to calculate the damage to your reputation, patients' loss of trust, and possible legal liability. Attacks against healthcare systems increased by 45% in the last quarter of 2020. If you're still in denial about the scope of the problem – a new site is hit with a ransomware attack every 10 seconds.

What To Do Now

Instead of waiting for hackers to hit, you can take some actions to make their jobs a little harder. The most important thing is to help everyone understand the seriousness of the threat. Be clear how it can impact the organization, your patients and people’s jobs.

Do these things to protect your organization right now:

  • Train staff on how breaches happen
    • Phishing emails – NEVER CLICK A LINK!
    • Stolen devices
    • Sharing passwords
    • Disposing of old devices
  • Keep systems, servers and networks current
    • Make sure every endpoint in the system is set to automatically update when a new version or security patch is released.
  • Enforce strict passwords
  • No personal devices
    • Company equipment only for system access
    • Company devices only allow company email accounts
    • Pay for good malware protection and install it on all company devices.
  • Remove dormant accounts
    • Keep record of every system an employee/temp has access to
    • When they leave their position, remove access to everything
  • Enable Access Controls
    • Have a network administrator set up a hierarchy of privileged management controls, restricting access to certain users.
    • Isolate the privileged credentials of those users to reduce the risk of theft.
    • A hierarchy eliminates threats introduced by phishing of low-level employees.
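The "remove dormant accounts" and "keep a record of every system an employee or temp has access to" items above are easiest to act on when the access record is something you can audit mechanically. The script below is an added illustration, not code from the article or from any vendor it mentions: it reads a constructed access inventory (made-up users, systems and dates) and reports grants belonging to staff who have already left, grants that were used after the person's end date, accounts that were never signed into, and accounts idle past a dormancy threshold. The CSV column names and the 90-day threshold are assumptions; substitute the export from your own identity or EHR system.

```python
"""Access-inventory audit for the offboarding and dormant-account checklist items.

Hypothetical example: one row per (user, system) grant, as a small practice
might export from its identity directory or EHR admin console. Every user,
system and date below is constructed for the illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory. "end_date" is blank for current staff and holds
# the last working day for anyone who has left.
ACCESS_INVENTORY_CSV = """user,system,role,last_login,end_date
jdoe,EHR,clinician,2021-05-20,
jdoe,Billing,viewer,2021-01-03,
tsmith,EHR,front-desk,2021-04-30,2021-04-30
tsmith,Email,user,2021-05-02,2021-04-30
rlee,Imaging,tech,2020-11-15,
rlee,EHR,tech,2021-05-19,
temp01,Billing,admin,,
"""

DORMANCY_DAYS = 90  # assumed threshold; set whatever your access policy requires


def _parse_date(value):
    """Blank cells become None; everything else must be ISO yyyy-mm-dd."""
    return date.fromisoformat(value) if value else None


def load_inventory(text):
    """Parse the CSV export into a list of dicts with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_login"] = _parse_date(row["last_login"])
        row["end_date"] = _parse_date(row["end_date"])
        rows.append(row)
    return rows


def audit_access(rows, today, dormancy_days=DORMANCY_DAYS):
    """Return sorted (user, system, reason) findings that need a human decision."""
    findings = []
    cutoff = today - timedelta(days=dormancy_days)
    for r in rows:
        user, system = r["user"], r["system"]
        end, last = r["end_date"], r["last_login"]
        if end is not None and end < today:
            # Offboarding gap: the person left but the grant still exists.
            if last is not None and last > end:
                reason = "left on %s, signed in after leaving" % end
            else:
                reason = "left on %s, access still active" % end
            findings.append((user, system, reason))
            continue
        if last is None:
            # Provisioned but never used: common for temp and vendor accounts.
            findings.append((user, system, "never signed in"))
        elif last < cutoff:
            findings.append((user, system, "idle for %d days" % (today - last).days))
    return sorted(findings)


def audit_report(text=ACCESS_INVENTORY_CSV, today=date(2021, 6, 1)):
    """Convenience wrapper: audit the embedded sample as of a fixed date."""
    return audit_access(load_inventory(text), today)


if __name__ == "__main__":
    for user, system, reason in audit_report():
        print(f"{user:8} {system:8} {reason}")
```

Run it as a scheduled job against a fresh export and treat every line of output as a ticket: disable the grant or record why it must stay. The "signed in after leaving" case is the one worth chasing first, because it means either the offboarding step was skipped or someone else is using the credential.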

No One is Immune to Ransomware

We strongly encourage all healthcare organizations, big and small, to protect their business and their patients. If you aren’t technically inclined, bring in a consultant to assess your systems. If your EHR is over five years old, you may want to plan for an upgrade or replacement.

The worst thing you can do is nothing, because out there in the cyberworld bad actors are doing plenty. Set up a secure backup system that's isolated from the main system. Back up everything every day. Even if your main system is attacked, you will have the data you need to maintain quality of care, even on downtime protocols.

The best strategy is to plan for an attack to happen. Do the most you can afford. Assume your system is being observed and watch for red flags. The Cybersecurity and Infrastructure Security Agency (CISA) has a PDF of best practices and a checklist to help you secure your systems. Good luck.
