Taking Steps to Prevent the Rise of Ransomware Attacks in Healthcare

The COVID-19 public health emergency required healthcare organizations to reimagine how quality care could be delivered. As the use of information technology and information systems in healthcare has increased over the past few years, many organizations had to quickly implement technology-based solutions to care for their patients during this public health emergency.

In the United States, ransomware attacks have been on the rise over the past year across the healthcare sector. According to an article from Health IT Security, ransomware attacks seen across the globe so far this year have increased by 102%, when compared to the same period last year. As we continue with the new normal of using technology and information systems in our day-to-day work environments, we can expect to see a continued rise of ransomware attacks. 

Why is information security important?

During the past 10 years, the healthcare industry has significantly adopted and implemented information technology and systems into their daily operations and clinical workflows. This change has given healthcare providers the ability to make informed decisions on a patient’s care in a timely manner, and it also allows for collaboration across the patient care team. 

These technology systems contain protected personal information that attackers are able to use for personal gain through the use of ransomware. According to McAfee, “once files are encrypted, ransomware prompts the user for a ransom to be paid within 24 to 48 hours to decrypt the files, or they will be lost forever. If a data backup is unavailable or those backups were themselves encrypted, the victim is faced with paying the ransom to recover personal files.” In many instances, healthcare organizations have paid the ransom to regain access to their systems. However, there have been events where organizations are able to use their backups to get their systems back online and operational.

When thinking about the amount of personal information collected and stored in EMRs and patient portals, we have to ask if the appropriate information security measures are in place for these systems. The National Institute of Standards and Technology, defines information security as the “means of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.” 

According to the Healthcare Industry Cybersecurity Taskforce, “the Health Insurance Portability and Accountability Act (HIPAA) Security Rule required providers to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI); however, many providers lacked the expertise and/or resources to implement security and privacy measures to properly secure these portals.”

Considering organizations have lacked resources to ensure security and privacy measures of their systems, making them vulnerable and susceptible to cyberattacks via ransomware, more support is needed from leadership to focus on having a secure infrastructure.

Watch the HIMSS TV deep dive into ransomware attacks in healthcare and get tips and best practices for safeguarding your organization.

What steps can be taken to prevent being a victim?

The cost of U.S. healthcare ransomware attacks totaled to be an estimated $21 Billion dollars. The amounts varied from several thousands to several million per incident, however, many organizations do not publicly disclose the ransom amounts. All healthcare organizations do not have to pay the ransom, as they have implemented security measures that will allow them to effectively recover from the attackers and regain control of their systems. 

There are a few steps that organizations can take to prevent being a victim of a ransomware attack by:

1. Backing up network/systems on a regular basis
2. Providing adequate security awareness training to all employees on information security
3. Ensuring security software is current on systems
4. Performing regular risk assessments
5. Validating firewalls that protect the hospital network

Taking into consideration that all healthcare organizations are different in size, there is no one plan that fits all that can prevent them from being victims of ransomware attackers. Cybercriminals have successfully targeted small and large healthcare organizations. It is important for IT leadership to work within their organizations to implement an action plan that will be effective across the entire organization. 

Why does leadership play a part in ensuring the success of a secure organization?

In the most recent years, the role of healthcare leadership has started to evolve. With the implementation of information technology and systems, there have been an addition of leadership level roles created to take on the tasks associated with those specific areas.

As it relates to the IT department within a healthcare organization, the responsibility of ensuring the security of the information systems can fall under a variety of roles that include, but not limited to the: chief information officer, chief information security officer, or chief technology officer. As leadership for the IT department, the individuals in these roles are able to talk with their colleagues and other leadership about the importance of having the appropriate infrastructure in place to ensure security of their systems. In the review of literature online, an article from Healthcare IT News provides a tip sheet to help information security leadership talk to their boards about the organizational security needs and how to be successful in those discussions. 

Leadership has to be informed and aware of the trends emerging within IT as it relates to maintaining a secure organization. As some healthcare organizations have experienced ransomware attacks and had to pay the ransom, it is best to take the approach of being proactive in eliminating the potential problems before they arise. No organization is safe from being the victim of a ransomware attacker, the question is not if, but when. 

What’s next?

Healthcare organizations must start to prioritize investments within the IT department. The prioritization can include having adequate trained personnel as it relates to security and privacy, as well as having a well-established infrastructure. Healthcare leadership has to take into account the need to allocate more funding for IT systems and innovation. Without making these adjustments, there will be major consequences that healthcare will face in the future. We can count on seeing an increase of ransomware attacks happening within the healthcare industry in years to come. The only change we can expect, is that attackers will get smarter about how they attack, and increase the amount of the ransom. 

The views and opinions expressed in this content or by commenters are those of the author and do not necessarily reflect the official policy or position of HIMSS or its affiliates.