Information technology has revolutionized how American consumers receive health care. The ability of medical professionals to access accurate information about a patient enables them to act quickly and avoid potentially deadly medical errors. An emergency room doctor can now get real-time information from an ambulance about an incoming patient. A nurse can access records on a tablet to ensure a patient is not being prescribed medications she’s allergic to. A staffer in the reception area can more accurately and efficiently register patients, reducing billing errors.
Unfortunately, the data that powers all of these innovations is inherently vulnerable to misuse. Recent cyberattacks against MedStar Health in the Washington, DC area, Hollywood Presbyterian Medical Center in Los Angeles, and Methodist Hospital in Kentucky all show just how easily access to patient information can be cut off by someone with malicious intent, with potentially deadly results.
In each case, hackers used so-called “ransomware” to encrypt the files that doctors rely on, preventing them from accessing critically important data. The affected networks can only be unlocked when a ransom is paid (often in virtual currencies like Bitcoin) and the hackers provide a digital key to decrypt the files. In the attack on MedStar, hospitals were forced to turn away patients because their files were locked down by the hackers.
Ransomware can shut down an entire system when just one employee clicks on the wrong link or opens an attachment to a seemingly safe email. Although ransomware is not a fraud tactic unique to the healthcare industry, this industry is particularly vulnerable because its software and systems are often not updated as they should be. This vulnerability, combined with the large amounts of sensitive patient data that reside on medical servers, makes the healthcare industry one of the most lucrative targets for cybercriminals.
As businesses demonstrate that they are willing to pay ransoms and hackers remain undeterred by law enforcement, these kinds of attacks are likely to grow in number and cost. The FBI reports that U.S. ransomware victims have paid more than $209 million in the first quarter of 2016—up from about $25 million in 2015. The scope of the problem is likely even larger than what is publicly known, say healthcare and government officials, as many businesses may just quietly pay a ransom in order to avoid bad publicity.
Hoping for the best—or worse, paying ransoms—is not an effective way to combat ransomware attacks. Healthcare providers need a comprehensive strategy for dealing with ransomware and other cyberthreats.
The first step in any cybersecurity strategy is building good cyber hygiene into workforce training. Everyone on staff, from surgeons to system administrators, needs to be trained to recognize suspicious websites, links, and emails that may deliver ransomware infections. Hospitals should also invest in IT staff who can regularly back up data, scan for vulnerabilities, and install patches in a timely manner. Unfortunately, given the many demands on healthcare providers’ budgets, investments in data security too often fall down the priority list.
In the end, it may require Congress stepping in to ensure that our nation’s health care sector is better protected from ransomware and other potentially crippling cyberattacks. The Senate took a good first step last month when it convened a hearing to examine the ransomware threat, and the Federal Trade Commission is hosting a seminar on ransomware in September as part of its Fall Technology Series. But more can and should be done. For example, the National Consumers League (NCL) has called on Congress to pass legislation creating a comprehensive national data security standard, to strengthen the Federal Trade Commission’s enforcement ability, and to promote a robust market for cyber insurance.
Consumers cannot afford to have their access to critical healthcare services literally held for ransom by cybercriminals. It’s time for Congress and the healthcare industry to make the investment of time, energy, and money to ensure that our country’s healthcare system receives the highest level of data security protection possible.
John Breyault, Vice President of Public Policy, Telecommunications and Fraud at the National Consumers League, heads the group’s #DataInsecurity Project, Fraud.org and Alliance Against Fraud campaigns.