Lab tests and diagnostics, medical staff shifts, surgery schedules, patient histories: all this data is now hosted, for the most part, in a digital environment. The era of endless file cabinets has come to an end. That explains why modern hospitals and laboratories have become one of the most enticing targets for cybercriminals everywhere. Just imagine what someone could do with access to all that information.

Unfortunately, it is in the nature of man to focus on what is happening now rather than on what could happen in an uncertain future. It took about a dozen ransomware infections at major US hospitals this year to finally raise awareness of just how devastating a cyber-attack can be for operators of essential services. Starting with the Hollywood Presbyterian hospital-jacking last February and ending with the most recent hospital horror show, the ransomware epidemic has reached a whole new level.

On August 27th, the Appalachian Regional Healthcare system, which operates 11 hospitals in West Virginia and Kentucky, discovered that its information system had fallen victim to a ransomware attack. The ongoing incident left employees unable to access any electronic patient records, forcing them to perform their usual tasks without connecting to the hospitals' computerized systems. Talk about old-school.

Now, we have already covered what ransomware is in some of our previous articles, the most recent of which you can read here. So rather than defining this type of malware again, we will direct our attention to its nature. Ransomware is malicious software that installs itself covertly on a computer and encrypts files in order to block the user's access to them. It has been on the market since 2005 and will continue to exist because of one thing only: human weakness. Yes, indeed. As long as the Earth's population is able to click on links, statistically speaking, ransomware will just keep popping up.

What is more, according to a study conducted on 3009 internet users and organizations from the US, France, Germany, Denmark, the UK and Romania, 50% of victims are willing to pay up to $500 to recover encrypted data. How can cybercriminals see this as anything other than a very successful business model? Hollywood Presbyterian paid $17,000 to regain control of its information system, while Kansas Heart paid an initial ransom, only to be hit with a second demand for more. Fool me once, shame on you. Fool me twice, shame on me. Isn't that what they say?

Now, hospitals are the perfect mark for this kind of extortion, since they provide critical care and need to rely on up-to-date information. Even a short delay in access can cause all sorts of complications. In the medical world, precision and reactivity save lives. The same cannot be said for finding out that a patient is allergic to something when it is already too late. Blocking access to sensitive data and threatening to delete it is one way to completely freak out a medical intern on his or her first day.

Which is why we dare say that ransomware attacks have not necessarily become more sophisticated, but rather that the collective fear of ransomware has kept growing. The more often it happened, the less people seemed to understand it. By 2016, reported ransomware incidents had quadrupled compared with 2015, to an average of roughly 4,000 attacks per day. In response, the US federal government issued new guidance under the Health Insurance Portability and Accountability Act (HIPAA). It explains what ransomware is, how attacks work, how to spot an infection, how to contain the damage, and, of course, how to protect data with regular, tested backups.
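To make "how to spot it" concrete, here is an added example (not code from the original article, and not taken from the HIPAA guidance it mentions) of the simplest behavioural signal that ransomware leaves behind: one account rewriting many files with high-entropy (ciphertext-like) content in a short time. The event format, the thresholds, the user names and the file paths are all assumptions made for the example, and the sample events are constructed inline so that it runs offline.

```python
"""Flag ransomware-like file activity: many high-entropy writes by one user in a short window.

Added example, not code from the original article or from any HIPAA guidance.
The event schema, thresholds and sample data are assumptions made for illustration.
"""
from collections import Counter, deque
from math import log2
import random

ENTROPY_THRESHOLD = 7.0     # bits per byte; plain text ~4-5, ciphertext/compressed ~8 (assumed cutoff)
WINDOW_SECONDS = 60         # sliding window per user (assumed)
MIN_FILES_IN_WINDOW = 10    # distinct files rewritten before we alert (assumed)


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * log2(c / n) for c in Counter(data).values())


def is_high_entropy_write(event: dict) -> bool:
    """True when the written content looks like ciphertext or compressed data."""
    return shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD


def detect_encryption_bursts(events, window=WINDOW_SECONDS, min_files=MIN_FILES_IN_WINDOW):
    """Return {user: timestamp_of_first_alert} for every user who rewrote at least
    `min_files` distinct files with high-entropy content inside any `window`-second span.

    Low-entropy writes are ignored, so a clinician saving many text notes never trips
    the detector, while a handful of genuinely compressed files stays under `min_files`.
    """
    alerts = {}
    recent = {}  # user -> deque of (ts, path) for high-entropy writes still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_high_entropy_write(ev):
            continue
        q = recent.setdefault(ev["user"], deque())
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct_paths = {path for _, path in q}
        if len(distinct_paths) >= min_files and ev["user"] not in alerts:
            alerts[ev["user"]] = ev["ts"]
    return alerts


def build_sample_events():
    """Constructed file-write events (not real data): benign text, benign archives, and a burst of ciphertext."""
    rng = random.Random(2016)  # fixed seed so the constructed data is reproducible
    note = b"Patient reports chest pain; BP 140/90; follow up in 2 weeks.\n" * 60
    events = []
    # Benign: a clinician saving 15 plain-text notes within one minute (low entropy).
    for i in range(15):
        events.append({"ts": 1000 + i * 3, "user": "nurse01",
                       "path": f"/share/notes/pt{i}.txt", "data": note})
    # Benign but high entropy: three compressed imaging archives, simulated with random bytes.
    for i in range(3):
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append({"ts": 1100 + i * 10, "user": "radiology",
                       "path": f"/share/img/scan{i}.zip", "data": blob})
    # Ransomware-like: one account rewriting 12 documents with ciphertext in 33 seconds.
    for i in range(12):
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append({"ts": 1200 + i * 3, "user": "ward-pc7$",
                       "path": f"/share/records/chart{i}.docx.locked", "data": blob})
    return events


if __name__ == "__main__":
    for user, ts in detect_encryption_bursts(build_sample_events()).items():
        print(f"ALERT: {user} rewrote {MIN_FILES_IN_WINDOW}+ files with ciphertext-like content by t={ts}")
```

Two caveats a practitioner would want. First, entropy alone is a poor signal: ZIP, DOCX, JPEG and DICOM-compressed files are naturally high-entropy, which is why the check above only alerts on the rate of such writes per account, not on any single file. Second, in a real deployment the events would come from file-server auditing or an EDR agent rather than from file contents held in memory, and the alert should feed an automatic response (disable the account, cut the share) because a burst like this empties a file share in minutes. Decoy "canary" files that no legitimate process should ever modify are a cheap complement to this kind of rate check.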

But, while instructing hospital staff on the matter and helping them build an even more solid information system sounds pretty good, there is no such thing as 100% immunity against ransomware. That does not mean, however, that we cannot try to be good patients and defy the odds.

It is not a system vulnerability that we must fight in this case, but a human one.

(About the author: Cristina Ion is community manager at ITrust SAS. This post originally appeared on her blog.)
