You may not know this, but ransomware isn’t new.  According to one blog, the first-ever ransomware was created in 1989 using infected diskettes (remember “floppy disks?”) disguised as an educational reference and mailed to attendees at a World Health Organization AIDS conference.  It became known as the AIDS Trojan, slipping past highly educated yet unsuspecting scientists to exploit security vulnerabilities in their computer systems.  Since then, the evolution of ransomware has continued with misleading applications, fake anti-virus protection, and social engineering.  With fake anti-virus software, the program would scan a personal computer, inevitably “detect” threats, and then ask the user to pay a fee to fix the fake problems it had found.  In earlier social engineering techniques, ransomware was designed to impersonate law enforcement “catching” a user in the act of downloading pirated software, music, or images and to demand payment of a “fine” to prevent further enforcement action or jail time.  More recently, ransomware has gained significant media attention with two dominant types: locker and crypto ransomware.  Infection with locker ransomware causes significant distress to the victim, effectively locking users out of their own computers.  The other type, crypto ransomware, has also risen to notoriety by preventing access to files or data, commonly through the use of encryption.  Regardless of the ransomware used, one thing is for sure: cyberattacks are on the rise, and the targets are expanding from single users to whole school districts, local law enforcement, major retailers, and hospitals/health systems.

In our industry, we can’t help but be concerned with this progression.  Why have health care providers become the latest target of ransomware?  It could be that hospital computers are more vulnerable to the attacks, or that crippling a hospital’s information system is more likely to result in a quickly paid ransom.  For example, one headline grabber was Hollywood Medical Center, which paid $17,000 to get its data back after being unable to use its EHR for 10 days.  Another possibility to consider is the ever-changing approaches the cybercriminals take.  In July, attackers may have accessed the healthcare, payment and health plan information of up to 3.7 million individuals at Banner Health by exploiting a vulnerability in its food service system.  Many providers, on the advice of security professionals and legal counsel, do not share the details of what led to the breach, as it’s important not to educate cybercriminals about vulnerabilities they could exploit on a broader scale.  However, with so many health care providers making news headlines about ransomware attacks bringing health care operations to a near halt, the threat of a cyberattack on your hospital should not be dismissed.

To help your HIPAA privacy team, the Office of Civil Rights has developed a Fact Sheet on Ransomware and HIPAA.  The guidance provides an overview of ransomware and reiterates HIPAA’s requirement to implement a security management process.  Importantly, the guidance explains how a cyber threat could have been thwarted, or how its effects could have been mitigated, had the security standards and implementation specifications been in place and functioning.  Consider using this document as a point of reference at your next committee meeting and ask pertinent questions such as:

Is our firmware up to date and able to protect against malicious attacks?
When is the last time we tested restoration of our backups?
What steps should our department’s incident response plan contain?
Is our workforce educated and up-to-date on the latest threats they may encounter?

Questions such as these are great conversation starters when it comes to talking about your hospital’s or provider’s security risk.