Imagine walking into a hospital to be greeted with the information that there is no access to email, some patient data is inaccessible, and that diagnostic imaging, labs and the pharmacy are all offline.
It’s a scenario that has already played out a number of times this year in US hospitals hit by ransomware attacks, in which attackers encrypt the data on IT systems and demand payment (usually in the digital currency Bitcoin) for the key that releases it.
According to the American Hospital Association, the attacks can last days or even a week and have forced clinicians to revert to pen and paper, fax and telephone, and to transfer patients to other providers.
Hollywood Presbyterian pays up
The MedStar Health system in Baltimore was hit in March. The Baltimore Sun reported: “The ransom note appeared when users in the MedStar system tried to open files on their computers.
The hackers directed users to an online "wallet" to pay the ransom. Once it was paid, they said, they would deliver the keys to the data on the Dark Web, a hidden part of the Internet where they can better cover their tracks.”
While the disruption lasted several days, patient care was uninterrupted and the IT team got the system back online. No ransom was paid.
However, MedStar wasn’t alone. That same month, Kentucky Methodist Hospital, Chino Valley Medical Center, and Desert Valley Hospital, California, were all hit by ransomware attacks.
Again, they all reported that they had recovered their systems, but not until after there had been considerable disruption. None paid the ransom.
The demands made are not small. In March, the AHA highlighted a ransom demand of 9,000 Bitcoin, equivalent at the time to somewhere between $3.4 million and $3.6 million.
This warning came hot on the heels of a very public payout of $17,000 by Hollywood Presbyterian Hospital in Los Angeles.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom,” Allen Stefanek, president and chief executive of Hollywood Presbyterian, said in a letter dated February 2016. “In the best interest of restoring normal operations, we did this.”
Not only could it happen here, it has
The US Health and Human Services Department says that cyber attacks on healthcare facilities are getting more frequent – and more ambitious. And, as the saying goes, when America sneezes, we are likely to catch a cold.
There’s evidence that it’s already happening. The UK public sector is not immune from ransomware attack. In February, Lincolnshire County Council revealed it had been hit.
No data was lost, but some files were encrypted during the attack; damage was limited by a speedy response to shut down the network. The encrypted files were restored from back-ups.
Up in Scotland, Freedom of Information Act requests to health boards have uncovered details of a ransomware attack in Orkney in August 2016 and eight attacks in NHS Tayside since 2014 – five of them on GP surgeries and the rest on secondary care.
Again, no ransoms were paid, but staff were warned about the risks of opening attachments to emails after files were restored from back-ups.
Back-up. Don’t pay up
In some ways, this response is textbook. The Symantec 2015 Internet Security Threat Report says the most common source of ransomware is a malicious email attachment that pretends to be some sort of invoice, bill or image.
When a user opens the attachment, it downloads and installs the ransomware on the computer, from where it encrypts every file it can reach, including files on shared network drives. Other sources are malicious advertisements and compromised web pages, where the ransomware lies in wait for an unwary click.
So training clinicians, administrators and other staff to be very wary of opening attachments is a must-do. Once the ransomware is running, the defence is rapid detection of the threat, followed by cutting the affected machines off from the network quickly, and restoring from back-ups.
The advice is never to pay up. There are no guarantees that the data will be restored; and every likelihood that giving in to demands will lead to more attacks.
The AHA warns that the encryption used by ransomware cannot usually be broken to recover the files without the key, and says that backing up data is the only reasonable course of action.
But there is a catch. David Finn is health IT officer for Symantec Corporation and a member of the Healthcare Industry Cybersecurity Taskforce, set up by the US government’s Health and Human Services Department and which met for the first time in April.
He explains: “The back-ups have to be isolated. We have had cases where the first thing sophisticated ransomware has done is look for the back-up and erased or encrypted it. By the time you know there is a ransomware attack, your protection files are gone and you have no back-up.”
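The two points above, that encrypted files cannot be recovered without the key and that attackers will go after the back-ups first, mean that a back-up copy has to be checked, not just assumed to exist. The script below is an added example written for this article, not code from Symantec, the AHA or any of the hospitals named; it records a SHA-256 manifest of a back-up set, then later reports files that have gone missing, changed, or changed into high-entropy (encrypted-looking) content, plus any unexpected new files such as a ransom note. The file names and the simulated attack are constructed for the demonstration. The manifest must itself live somewhere the back-up host cannot write to (separate credentials, offline or write-once storage), otherwise the same malware can rewrite it.

```python
"""Back-up integrity check: detect back-up files that were erased or encrypted
since a manifest was taken. Added example, not from the article."""
import hashlib
import math
import random
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large back-up files do not need loading whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map each file (relative path) under the back-up root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the back-up root against a trusted manifest and classify every discrepancy.
    Files that changed AND now look random are flagged separately: a legitimately
    updated text or CSV file stays well under the threshold, an encrypted one does not.
    Modified files that are natively high-entropy (images, archives) will also trip
    the entropy flag, so treat it as a prioritisation signal, not proof."""
    findings = {"missing": [], "modified": [], "high_entropy": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.exists():
            findings["missing"].append(rel)
            continue
        if sha256_file(p) != digest:
            findings["modified"].append(rel)
            sample = p.read_bytes()[:1 << 20]  # first 1 MiB is enough to judge entropy
            if shannon_entropy(sample) > entropy_threshold:
                findings["high_entropy"].append(rel)
    for p in root.rglob("*"):
        rel = str(p.relative_to(root))
        if p.is_file() and rel not in manifest:
            findings["unexpected"].append(rel)
    return findings


def simulate_attack() -> dict:
    """Constructed scenario: take a manifest of a small back-up set, then mimic
    ransomware that encrypts one file, deletes another and drops a ransom note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patients.csv").write_text("id,name,ward\n1,A. Example,Ward 3\n" * 200)
        (root / "notes.txt").write_text("Routine discharge summary, nothing unusual.\n" * 50)
        manifest = build_manifest(root)          # would be stored off-host in practice

        rng = random.Random(1)                   # deterministic stand-in for ciphertext
        ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
        (root / "patients.csv").write_bytes(ciphertext)
        (root / "notes.txt").unlink()
        (root / "HOW_TO_DECRYPT.txt").write_text("Pay 1 BTC to the wallet below.\n")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for kind, files in simulate_attack().items():
        print(f"{kind}: {files}")
```

Run it and the check reports `patients.csv` as modified and high-entropy, `notes.txt` as missing and the ransom note as unexpected. In production the manifest would be taken by the back-up job and pushed to storage the back-up host has no write access to, and the verification would run from a separate, trusted machine on a schedule, so that a compromised back-up is noticed before it is needed.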
Finn says that, too often, cybersecurity is not high enough on a hospital’s agenda. Regular maintenance can take a back seat, patching can get neglected, and updates get deferred. Medical devices – now highlighted as a major security risk – get precious little attention.
Finn adds: “We have recently seen figures showing that 78% of websites globally are not patched properly. In healthcare we talk about giving patients access to their own information; and a lot of that is done by websites.”
The cybersecurity threat is made all the more dangerous by the disconnect between the chief executive, the chief finance officer and the IT security team, argues Finn.
“The underlying issue is that healthcare does not do a good job at security. When healthcare was primarily done verbally, or in writing, then data security was called patient confidentiality and it was an ethical matter.
“But as we become more digital, we have not kept up so we have an old paradigm with a new way of working.”
So, today, IT and cybersecurity can still be seen as adjuncts to the ‘real’ business of a healthcare organisation. “What ransomware has shown us is that IT and information is the business – and failing to have an organisational focus on protecting records risks disaster,” says Finn.
“Hollywood Presbyterian ultimately did not pay to get the data back or to unlock the system. They paid because they could not otherwise do the business of caring for patients.”
The AHA says managing the risk of cybersecurity threats needs to be part of everyday business – and not sit in an IT silo.
“Hospitals can prepare and manage such risks by viewing cybersecurity not as a novel issue but rather by making it part of the hospital’s existing governance, risk management and business continuity framework,” it advises.
“Hospitals also will want to ensure that the approach they adopted remains flexible and resilient to address threats that are likely to be constantly evolving and multi-pronged.”
Business for the board
This notion that cybersecurity is now mission critical and must be a board agenda item is starting to sink in here, too. In April, Dame Fiona Caldicott, whose third report on data sharing is expected to be published in June, highlighted this at e-Health Week in Olympia.
She said: "If you think about the responsibility of the trust board, they would not dream of not looking at the financial situation or the quality standards: but they have not necessarily looked at the standards being achieved in terms of data security."
Dame Fiona is also chair of Oxford University Hospitals and told the conference: "We had a report done not so long ago about where we are with cyber security… It has to be a board level item and may require investment."
Both the US and the UK now have nascent centralised efforts to address cybersecurity – the US in the form of its taskforce and in the UK CareCERT.
Meanwhile the EU is about to adopt a new directive on network and information security (the NIS Directive) that, it hopes, will increase cross-border co-operation.
Threats to cybersecurity are not going away. Let’s just hope it doesn’t take a big payout on a ransomware attack by a UK hospital for the NHS to sit up and take notice.
Daloni Carlisle looked at the US healthcare threat landscape and how the UK is being influenced by it in Digital Health's recent special report on cyber security, which is now available in our dedicated cyber security hub.