An ambulance raced to the nearest hospital in Duesseldorf Germany with a woman who needed urgent medical care. But the ambulance was diverted to a different hospital 18 miles away because Duesseldorf University Hospital was managing a ransomware attack and was unable to take patients. The 78-year-old patient, who was suffering an aortic aneurism, died after being rerouted.
Usually, ransomware is a temporary but expensive interruption. It can cause a loss of data and downtime as an organization struggles to get back in business. Ransomware can be expensive, because of the high costs of investigation and recovery. Patient care is bound to suffer too, with records out of reach and staff who are distracted and working on data recovery.
Even though hospitals are often hit with ransomware, this is first death believed (and widely reported) to be linked to ransomware, even though a study last year found a rise in fatalities indirectly connected to ransomware because patient care suffered in the weeks and months after an attack. Even though the cause of death in the Duesseldorf case was indirect, the cyberattack and her time of death are closely linked and German authorities are investigating. They may bring manslaughter charges against the hackers if the attack caused the death.
Germany’s Federal Agency for Security in Information Technology has said that the attackers got in to the hospital’s system by using a hole in Citrix software that was patched last January. But the hospital had failed to update its software, so the cybercriminals were able to break in.
Earlier this month we wrote about how ransomware is skyrocketing globally, with healthcare as a prime target. The key is prevention, because it’s so much less expensive than damage control and recovery after the fact.
Key steps to ransomware prevention for healthcare.
- HIPAA Risk Analysis – Risk Management helps uncover vulnerabilities and reminds organizations about how to prevent loss of protected health information 365 days a year.
- Patch, update, patch, update. The Duesseldorf tragedy would likely have been prevented if the recommended update from Citrix had been made.
- Keep anti-virus and anti-malware solutions up to date.
- Back up data remotely, in a secure manner unconnected to the main system. This defeats a ransomware attack because there is no need to pay a ransom to get back data since the data wasn’t lost.
- Train staff in cybersecurity. Most cybercriminal intrusions still come through email. When staff are trained to recognize traps they can defeat the social engineering tricks used to break in.
- Create a contingency plan.
The FBI strongly recommends NOT paying a ransom, because there is no guarantee that cybercriminals will give the data back. The hackers may also keep it, sell it later on the black market, or publish it. And when ransomware victims pay the ransom, it emboldens the hackers to repeat the crime, to hit others, demand more money, or even to come back to the original victim again and demand money again for a second attack.
If you need a refresher course, or want help getting started to protect your patients and their data, call us at The HIPAA E-Tool®.
Photo by SİNAN ÖNDER from Pexels