3 min read

Ransomware’s Soft Spot for HIT Provides Security Lessons

You know, in some ways you have to admire the global cyberattack launched May 12. While those throughout the healthcare ecosystem find true interoperability to still be lacking, here comes WannaCry. This ransomware easily and instantly crosses all industries, crime by crime, in more than 150 countries. No interoperability problems there!

Best of all, WannaCry creators – mindful of so many borders – conveniently deliver their ransom note in at least 27 different languages.

Yes, it’s easy to be complacent in America, where the big lesson learned may be that healthcare systems are vulnerable – over there.  Back here we’re smarter and more secure. Right?

Short answer: nope, and in some ways, we’re more at risk.

Of special concern to payers is a recent change in cybercrime strategy.  The IBM X-Force Threat Intelligence Index, released in March, notes a shift toward hacking of unstructured data, such as business documents.

“While the volume of records compromised last year reached historic highs, we see this shift to unstructured data as a seminal moment,” says Caleb Barlow, vice president of threat intelligence at IBM Security. “Unstructured data is big-game hunting for hackers and we expect to see them monetize it this year in new ways.”

On March 22, the FBI issued a special warning regarding healthcare fraud. Cybercriminals increasingly target medical file transfer protocol servers, to store malicious tools or launch cyberattacks.

The healthcare industry has already taken a beating the last two years, suffering numerous damaging cyberattacks. These attacks are largely thanks to ransomware, the seemingly simplistic method that has wreaked havoc on hospitals, practices, and payers. It compromises millions of pieces of private patient information.

In England, 61 National Health Service organizations were initially disrupted. It’s true that HIPAA compliance helps covered entities and business associates prevent ransomware here, but we have our own problems. A 2016 survey by Healthcare IT News and HIMSS Analytics found that half of all responding hospitals reported ransomware attacks during the year; 13.1 percent reported being hit more than 10 times. Only 18 percent cited no ransomware incidents at all.

By the Numbers: Ransomware in the U.S.

We’ve gathered numbers from sources including the U.S. Department of Health and Human Services, HealthcareIT News, HealthIT Interoperability, NTT Security and a special U.S. intelligence and law enforcement report. They make clear American healthcare is ransomware’s favorite target.

  • Individuals and organizations in the United States are the recipients of 63 percent of all cybersecurity attacks in the world.

  • 22 percent of those are ransomware attacks.

  • More than 4,000 ransomware attacks occur in the United States every day.

  • U.S. ransomware attacks increased 300 percent in 2016.

  • Of all the U.S. cybersecurity attacks, 15 percent of them hone in on healthcare.

  • Half of those healthcare attacks are ransomware attacks.

  • A third of Americans were victims of healthcare data breaches in 2015.

  • 98 percent of the breaches in 2015 resulted from large-scale attacks specifically targeting healthcare.

  • More than 27 million healthcare records were stolen in 2016 across 450 reported data breaches, according to a Protenus healthcare data report.

  • 8 percent of those incidents originated from ransomware, hacking, or malware,

Ransomware’s Impact on the Bottom Line

A study by the Ponemon Institute shows the average cost of a data breach is $402 per record. A breach of 10,000 records would cost an organization, on average, $4,020,000. For payers, clinical repercussions can include processing of fraudulent claims. Then there’s the inestimable loss of client confidence.

One of the ironies of the May 12 attack is that a health informatics warning was issued the day before. There have been many warnings this year and last, along with lists of tips, tools, and contingencies. The Institute for Critical Infrastructure Technology named 2016 “The Year of Ransomware.” In December, Modern Health news predicted worse for 2017.

So far it doesn’t appear that there’s been unauthorized access to NHS patient data, but The New York Times has warned of a second wave of attacks. One should anticipate copycats and upgrades. WannaCry is a variant of a ransomware strain launched in March.

“These criminals have evolved over time and now bypass the need for an individual to click on a link,” says James Trainor, assistant director of the FBI’s Cyber Division. “They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

Says Mary Chaput, CFO of cybersecurity firm Clearwater Compliance, “If we in healthcare don’t start treating this as a war on our physical and financial well-being, we will lose.”

Hence, it’s time to learn our lessons and hone our security strategies.

Want to learn more? The U.S. Department of Health and Human Services offers a fact sheet on HIPAA and ransomware.  Also, a U.S. report on ransomware protection, prepared by the National Security Agency, Department of Homeland Security, FBI, CIA and other agencies, is available for download. It includes government contact information for reporting, mitigation and FBI field offices.