Data security in hospitals is a fundamental part of patient privacy, and the Health Insurance Portability and Accountability Act (HIPAA) prescribes protection against unauthorized release of personal health records. But instead of stealing patient information, the new cyber threat locks hospital computers and prevents providers from accessing their data until they pay a ransom.
Ransomware is a cyber threat that has been around since 2005. This type of malware locks the victim’s keyboard and screen until a ransom is paid. In recent years, both the malware and the payment methods have been upgraded. After hackers developed ransom cryptware, the files and network of the target computer can be encrypted so that they are accessible only with a key that the cryptware generates. Hackers also switched to bitcoin, an anonymous payment method that makes it quick and easy for attackers to receive ransom payments. In 2014, the FBI estimated that ransomware affected over 230,000 computers and resulted in more than $27 million in payments to hackers in just a two-month span. This cyber security crisis prompted the US Department of Homeland Security and the Canadian Cyber Incident Response Centre to issue a joint alert, cautioning that, “[i]nfections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.” The complexity of the code and the time it takes to resolve the threat have forced numerous victims, like the South Carolina School District and local police departments in several states, to cave to the hackers’ ransom demands. Even a high-ranking FBI official advised victims to consider paying: “The Ransomware is that good. . . . To be honest, we often advise people just to pay the ransom.”
Hospitals and other healthcare facilities are among the victims of the newest wave of ransomware attacks. Hospitals are especially susceptible to these attacks due to the sensitive nature of patient data. Prescription history, treatment orders, personal preferences and even advance directives are just some examples of records that providers need readily accessible in order to provide effective care to their patients. It is this urgency of access that makes hospitals the perfect victims.
The two latest hospital ransomware attacks reported were on Hollywood Presbyterian Hospital in Los Angeles and MedStar Health, a network of 10 Maryland and D.C. hospitals. The attackers demanded similar amounts from each hospital, reportedly 40 and 45 bitcoins, worth approximately $17,500 and $19,000 respectively. With computer systems shut down, hospital staff had to revert to handwritten procedures and instructions that had to be faxed or delivered in person. Patient safety issues and treatment delays were reported at both health centers, since physicians and nurses were unable to use all of the safeguards that electronic patient records provide. However, the two similar attacks were handled differently.
After a week of trying to fix the problem with the FBI’s technical help, Hollywood Presbyterian decided to pay the ransom. The hospital’s CEO Allen Stepanek explained, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.” The decision to pay was consistent with previous FBI advice, and once the funds were transferred, the hospital’s systems came back online.
Learning from these experiences, hospitals and other healthcare facilities have to prepare for these types of cyber security breaches. It is still unclear what implications these attacks will have on providers’ liability under HIPAA, as well as on the FTC’s enforcement of data security breaches. What is clear is that ransomware attacks are a profitable tool in the hands of hackers who are unfazed by the risk of harm to the health and life of patients. Health systems will certainly have to step up their game in cyber security awareness and prepare for potential attacks by creating backups that are safe from malware penetration.
Nesko Radovic is pursuing his law degree at DePaul University College of Law in Chicago. Mr. Radovic obtained his B.S. in Business Administration from Strayer University in Washington, DC. He is an active member of the Mary and Michael Jaharis Health Law Institute, a staff writer for the Institute’s online publication, E-Pulse, and the DePaul Journal of Health Care Law. Mr. Radovic hopes to focus his career on health care-related finance, strategy and compliance issues after graduating in December of 2017.