In August 2004, while living and working in South Florida, I experienced two hurricanes (Jeanne and Frances) within three weeks of each other in the same geographical location. While these natural disasters crippled local power and water supplies, my hospital provided care to patients – damaged generator, leaking roof, and all.
In the midst of crisis, my hospital executed its disaster preparedness plan, enabling it to continue to serve people in need. Today, while hurricanes and other weather events remain a threat to hospitals across the country, another potentially crippling threat has emerged: ransomware attacks.
Ransomware is a form of malware that blocks a user’s access to files, or to whole systems, by encrypting them. In ransomware attacks, hackers manipulate users into downloading malicious software – often by clicking a link in an email – and then extort them for money (typically bitcoin, a relatively untraceable digital currency) in exchange for the “key” to decrypt their data.
Although ransomware attacks are nothing new, hackers have recently appeared to target hospitals more and more. More so than most businesses, hospitals rely on up-to-the-minute digital data to make critical patient care decisions, and so may be more inclined to accommodate immediate hacker demands. Additionally, while the shift to Electronic Health Records (EHR) mandated by the Affordable Care Act has helped to improve the quality, safety, and efficiency of patient care, it has also left hospitals more exposed to cyber attacks.
As they move toward Meaningful Use compliance, it is critical that hospitals recognize the new risks that come hand in hand with these advancements, and mitigate them with an executable plan for ransomware and other attacks. While these events may seem like distant threats, they are increasingly common, and there are serious consequences to not having a plan in place.
In March, Methodist Hospital in Kentucky was hit with the “Locky” strain of ransomware, which according to cyber crime expert Brian Krebs, “encrypts important files, documents and images on an infected host, and then deletes the originals.” The ransomware spread to other networks, prompting the hospital to declare an “internal state of emergency.” Weeks earlier, Hollywood Presbyterian Medical Center in Los Angeles was targeted in a similar attack, ultimately resulting in it having to pay a ransom of $17,000. If the ransoms hadn’t been paid, and the attacks weren’t neutralized in some other way, these hospitals could be facing widespread patient complications, threat of lawsuits, or worse.
To guard against these risks, and to protect their facilities and patients, executives may help prevent and prepare for such attacks by considering these three steps:
- Perform Regular Backups: The most important thing a hospital can do to protect its data is to back it up daily, preferably somewhere remote, and in both “cloud” and hard copy formats. In the face of a ransomware attack, a good backup policy may mean the difference between a minor inconvenience and a total system breakdown.
- Educate Hospital Employees: Raising awareness among employees is a hospital’s first defense against ransomware attacks. Hackers commonly deliver ransomware via malicious links or attachments which, once clicked or opened, may infect an entire system. “Phishing emails,” a more sophisticated tactic in which an attacker attempts to impersonate someone within the organization via email, are also common. Facilities should have continuous quality control measures for email users, training them to identify the signs of suspicious email and to refrain from clicking links or opening attachments from unknown senders. Some hospitals have blocked employees from checking personal email (which may be less secure than corporate versions) on company machines. Others have performed “phishing” tests to see whether personnel actually click on or open suspicious items. Both are great ways to determine how vulnerable an organization is to an attack, and to initiate important discussions on digital security best practices.
- Develop Disaster Protocol: If an attack happens, having a documented “disaster preparedness” protocol is paramount for uninterrupted patient care. As part of the shift to EHR, physicians have become more dependent on technology; however, they still need a way to practice medicine should these systems fail. Hospitals should keep blank physician ordering forms and pre-printed current order sets on hand, as well as have a planned courier schedule in place for transporting orders, medications, and lab work within the hospital. Pharmacists should be prepared to use a typewriter or write out prescriptions by hand, and to override automated dispensing cabinets to access critical medications. Disaster protocols should be reviewed at regular intervals to ensure they continue to enable care continuity in the case of an attack.
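To make the first step concrete, here is an added illustration (not from the article, and not CompleteRx code) of what a backup routine looks like when the threat is a strain that encrypts files and deletes the originals: each daily run writes a new snapshot rather than overwriting the last one, a day on which most files suddenly changed is set aside for review instead of becoming the newest “good” copy, and a restore check confirms a snapshot is still intact. The folder names, the 50% threshold and the constructed sample files are assumptions for the demonstration.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def change_ratio(old: dict, new: dict) -> float:
    """Fraction of files in the last good snapshot that are now missing or altered."""
    if not old:
        return 0.0
    changed = sum(1 for rel, digest in old.items() if new.get(rel) != digest)
    return changed / len(old)

def run_backup(source: Path, target: Path, label: str, threshold: float = 0.5) -> dict:
    """Copy source into a new snapshot under target; earlier snapshots are never overwritten.
    If most files changed since the last good snapshot (the shape of an encrypt-and-delete
    run), the copy is stored as quarantine-<label> and flagged rather than trusted."""
    snaps = sorted(d for d in target.glob("snap-*") if d.is_dir())
    previous = json.loads((snaps[-1] / "manifest.json").read_text()) if snaps else {}
    current = manifest(source)
    ratio = change_ratio(previous, current)
    suspicious = ratio >= threshold
    dest = target / f"{'quarantine' if suspicious else 'snap'}-{label}"
    shutil.copytree(source, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(current))
    return {"snapshot": dest.name, "change_ratio": ratio, "suspicious": suspicious}

def verify_restore(snapshot: Path) -> bool:
    """Restore test: every file in the snapshot still matches its recorded digest."""
    recorded = json.loads((snapshot / "manifest.json").read_text())
    return manifest(snapshot / "data") == recorded

def demo() -> list:
    """Constructed scenario: two normal days, then a simulated encrypt-and-delete run."""
    tmp = Path(tempfile.mkdtemp())
    src, tgt = tmp / "ehr", tmp / "offsite"      # hypothetical source and remote target
    (src / "orders").mkdir(parents=True); tgt.mkdir()
    for i in range(10):
        (src / "orders" / f"order{i}.txt").write_text(f"order {i}")
    day1 = run_backup(src, tgt, "day1")
    (src / "orders" / "order0.txt").write_text("order 0 amended")   # one legitimate edit
    day2 = run_backup(src, tgt, "day2")
    for p in list((src / "orders").iterdir()):    # originals deleted, junk left behind
        p.unlink(); p.with_name(p.name + ".enc").write_bytes(b"\x00junk")
    day3 = run_backup(src, tgt, "day3")
    return [day1, day2, day3, verify_restore(tgt / "snap-day2")]
```

The last good snapshot (snap-day2) stays available to restore from while the quarantined day3 copy is investigated.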
While enacting these three steps may take hospitals a long way toward preventing and preparing for a ransomware attack, hackers are constantly evolving and updating their techniques. Hospital executives and their staff are encouraged to stay abreast of security trends, vet their systems against current threats, and educate employees on potential risks.
Justin Sotomayor, PharmD, serves as Pharmacy Informatics Director at CompleteRx, a leading pharmacy management company. In this role, Justin works with hospital and health executives across the country to upgrade their information systems, while mitigating the rise in security threats.