How to guard your EHR data against a ransomware attack

In recent years, EHR security breaches have followed a predictable yet unfortunate pattern. The scenario goes as follows; hackers exploit a weakness in a network allowing them to transfer personal healthcare information to their own storage devices, whereby it is peddled on the black market for profit. The smash-and-grab technique used by hackers has made way for a new technique taken from the playbook used by kidnappers and pirates.

Over the last few years, healthcare has witnessed ransomware attacks in which networks and computer systems are frozen by malicious software until a ransom is paid to the hackers. Given this new threat, what steps can practices take to mitigate the threat posed by ransomware attacks? Furthermore, what can be done if hackers successfully hold a practice's network and computer systems for ransom?

Responding to an attack

If a ransomware attack does occur, there are two courses of action: pay the ransom or find a way to disable the ransomware. Either scenario presents a less-than-ideal set of choices. Providers often choose to pay the ransom as a damage control measure that pales in comparison to the potential institutional costs of a frozen network. A Southern California hospital elected to do just that, paying a $17,000 ransom in Bitcoin to hackers who infiltrated and disabled its network. Paying the ransom does little more than allow the institution to “live to fight another day” as the hacker extortionists could certainly come back again emboldened by their previous payday.

Recommended reading: find software which suits your practice’s EHR security needs with our completely up-to-date EHR Vendor Guide

Paying a ransom to hackers is not the only logical choice, providers have found. Most recently, Methodist Hospital in Henderson, Kentucky was ransomed for the modest sum of four Bitcoins (approximately $1,600). In response to the attack, the hospital chose to shut down its entire computer system, effectively going into ‘disaster mode’ and restarting the entire system in piecemeal fashion to isolate the malicious software. Similarly, two California-based hospitals operated by Prime Healthcare Management, Inc. were ransomed, whereby the hospital’s IT staff shut down its systems to contain the malware.

Preventing an attack

Ransomware attacks, like other hacks are not an inevitability. Providers can avoid attacks with some basic steps. According to security blog KrebsonSecurity, ransomware infections are largely the result of exploiting “outdated Web browsers and/or browser plugins like Java and Adobe Flash and Reader.” Using these vectors, ransomware exploits browser flaws through malicious code embedded into a hacked site, launching when these vulnerabilities are found. Other cases involve spam email. In the case of the Kentucky hospital, the ransomware entered through spam email, disguised as a legitimate message containing an attached (booby-trapped) file.

In light of these threats, the most effective way to avoid ransomware attacks rests in EHR security protocols that ensure that users are using only the most up-to-date-and protected software while online and training staff to reduce the risk of anyone unwittingly inviting ransomware onto their network. Based on how these incidents occurred a combination of security protocols and staff training can reduce the ransomware risk significantly.

A recent article in Wired supports this point. According to Stu Sjouwerman, CEO of the security firm KnowBe4, “Hospitals continue to be prime targets for ransomware hackers as most “have not trained their employees on security awareness … and hospitals don’t focus on cybersecurity in general,”. Instead, as the article points out, “their primary concern is HIPAA compliance, ensuring that employees meet the federal requirements for protecting patient privacy.” As such, EHR providers should consider privacy expanding data security training to include topics on safe online practices to reduce the risk of a hack.

Ransomware attacks represent the next phase of security threat; however, providers can meet this challenge with a plan involving how to respond to an attack and preventative efforts to mitigate risk.