Getting hit with ransomware is a nightmare, akin to a natural disaster like a hurricane. A healthcare provider is unable to access its systems putting patients’ lives at risk and barring the door to new patients. Chaos reigns as management struggles to recover.
Over the weekend an Alabama hospital group, DCH Hospital System, decided to pay the ransom demanded by the hackers who had brought its systems down on October 1. The decision would have been a difficult one, not made lightly or in a hurry. As of this writing, the amount they paid is not publicly known.
Ransomware is growing. While the number of attacks has not increased, experts say they are becoming more aggressive and more costly. A good summary of recent ransomware incidents in healthcare can be found here. The outcomes range from days of disrupted services, to paying the ransom to get back on track, to going out of business entirely.
Healthcare is particularly vulnerable because of the sensitive and private nature of patient data. And lives are at stake.
Ransomware Disruption Causes Hospitals to Turn Away Patients
Ten hospitals, three in Alabama and seven in Australia, were victims of ransomware attacks last week that hijacked computer systems and stopped them from admitting new patients. Between October 1 and October 6, DCH Hospital System in Alabama struggled to stay open – they continued with critical medical services and pre-scheduled surgeries, but asked non-emergency patients without appointments to go elsewhere. They were unable to call patients who had appointments because hackers had locked away the records – inaccessible to the hospital. The disruption was overwhelming.
When ransomware hits, the first call is to IT security staff. Outside experts are usually needed to analyze what happened and the extent of the damage. Complicating things in the healthcare setting, ransomware is presumed to be a breach under HIPAA, so a breach investigation is required to evaluate whether there is a low probability that patient data was compromised. If the probability is low, that finding must be documented, and there is no need to notify the U.S. Department of Health and Human Services (HHS) or the affected patients. It can be difficult to know whether the probability is high or low, but the burden is on the provider to demonstrate that it is low – if they cannot, the incident is treated as a breach, triggering the requirements of the Breach Notification Rule.
Ransomware Attacks are Expensive
Recovery from a cyber attack like ransomware usually requires a lot of outside help. The IT forensics analysis begins almost immediately. This is a highly specialized skill that typically is not part of the year-round, full-time staff of a healthcare provider.
The time required to recover varies, but it usually demands attention 24/7, at least in the early days and weeks. Moving quickly is essential – to evaluate the extent of the damage, to limit the damage as much as possible, and to communicate the situation internally to staff and to the community.
Ransomware hits all kinds of organizations in all industries, private and public. Baltimore recently spent $18 million to recover from a ransomware attack, while Riviera Beach, Florida decided instead to pay the $600,000 ransom demand.
Ransomware Advice from the FBI
The FBI recently reissued guidance about managing and recovering from ransomware. While they do not advocate paying ransom demands, they recognize that organizations that face an inability to function need to evaluate all options to protect their patients, customers and employees.
The problem with paying the ransom is that payment emboldens criminals and encourages more attacks. There is also no guarantee that the data (or all of it) will be returned, or that it hasn’t been further compromised through sale on the black market.
Always notify the FBI and local law enforcement authorities. This helps them investigate and hold criminals accountable.
Prevent Ransomware with HIPAA Compliance
The best way to lower the costs and damage from cyber thieves is prevention. In healthcare, the blueprint for defeating cybercrime is a strong HIPAA compliance program, starting with the required annual Risk Analysis and the Risk Management plan that follows from it.
A good Risk Management plan includes robust data backups (with at least one copy stored off-site), staff awareness and training, access controls, and software updates and patches. Strong anti-malware and anti-virus programs are essential; they should themselves be kept up to date and used by everyone in the organization. These are the key and core issues, but a comprehensive set of suggestions and guidance is found in The HIPAA E-Tool®, with answers to every question about HIPAA at your fingertips.