Digital Hostage Taking: Ransomware’s Impact on the Healthcare Industry

Recently, Hollywood Presbyterian Medical Center paid attackers for the decryption key needed to release the hospital’s systems and data, which were being held hostage. While this style of attack is not new, increased attacks have businesses on edge. Ransomware is malicious software that blocks access to a network or system until a ransom is paid. In many cases, the data is encrypted and there is no economical way to retrieve it until the decryption key is given to the victim. Usually this only occurs when a ransom is paid. In the case of Hollywood Presbyterian, the hospital decided to pay the ransom of about 40 bitcoins, worth approximately $17,000.

Security consultants who have assessed healthcare practices have likely interviewed medical staff and gotten a strong sense (if not been told directly) that the consultants’ work was diverting attention away from patient care. This mentality is one of the reasons why the healthcare industry is facing challenges when it comes to information security. The culture of providing healthcare over all else, the justification for neglecting information security, has finally hit an impasse – patient health and safety were jeopardized by a cybersecurity incident. The attitude toward information security – the time it takes, the costs – has to change. It’s unfortunate, but it seems to have taken an incident like the one seen at Hollywood Presbyterian to highlight how information security actually aligns with the healthcare industry’s health-first ideals.

A New Precedent

The precedent has been set with this recent attack: because Hollywood Presbyterian paid the ransom, the people behind these ransomware campaigns now know that attacking healthcare organizations is lucrative. Given the weeks of incident response required to wrest a computing environment away from attackers and recover operations, and the economic impact of such an endeavor, it’s no surprise that Hollywood Presbyterian paid. The incident exposed industry-wide neglect toward information security and put a target on the backs of medical practices throughout the entire industry.

Blindly Accepting the Risk is Unacceptable

Is $17,000 a bargain compared to building an information security program and capability? Remember that these attackers will get bolder with demands, and for an organization to accept risk based on that price is misguided. It should be expected that the demands will get higher as we see more of these incidents, especially if they begin to target healthcare specifically. The Hollywood Presbyterian incident should be seen for what it really was: a digital hostage situation. Preventing medical care is not much different from holding a gun to someone’s head. Once the magnitude of this comparison is realized, there will surely be more risk for the attackers by way of law enforcement, and the demands for reward will reflect that risk.

It’s time the healthcare industry took information security as seriously as something like infection control. Poor information security, just like poor hand hygiene, for instance, puts patients at risk. Patients expect sterile, safe environments to receive healthcare services, and in this digital age, that expectation should extend to the confidentiality, availability, and integrity of the systems, devices, and information managed by healthcare service providers.

5 Actions Necessary to Produce an Effective Information Security Program

If your organization is new to information security, or you have only a partially implemented information security capability, consider taking the following steps:

1: Identify Your Sensitive Data

Determine where your most sensitive and critical data is stored, whether that be in your data center, a server closet, a third-party service provider, or in the cloud. It is difficult to take a strategic approach to information security without knowing what you are protecting. Continuously maintain this awareness.

2: Inventory Your Critical Systems

Evaluate which systems and system components are storing, processing, and transmitting your sensitive data, or are providing critical services to your operations. Understand the data flow, and know which systems present the highest risk to your operations in terms of the confidentiality, availability, and integrity of those systems and the data they process.

3: Assess Your Risks

Assess your environment for risk. Everything from electronic records and physical media to the availability of critical systems, services, or devices should be considered. Consider an independent assessment by a respected third-party firm if internal resources and expertise are unavailable.

4: Implement Security Controls

Select, apply, and manage security controls programmatically based on risk. The PC that cycles employee event information in the lobby is not as important as your electronic health record repository, where careful consideration of security controls should be taken.

5: Monitor Effectiveness

Periodically and proactively evaluate the effectiveness of your risk-based information security strategy, the security controls applied, and the proper implementation of security technologies. Then apply corrective actions, remediation, and lessons learned to ensure preparedness for the evolving threat landscape.

How CyberSheath Can Help

In order to implement an effective information security program, a picture of your network must first be obtained. Whatever your security needs are, CyberSheath can assist you along the way. From conducting an information security assessment to building a security program, let us help you secure your data.