Holding hospitals for ransom: The WannaCry virus and the lack of cybersecurity in hospitals

Briefings on Accreditation and Quality, July 1, 2017

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on Accreditation and Quality.

Over the course of one weekend in May, more than 300,000 computers in 150 countries were held hostage by a ransomware virus called “WannaCry.” The virus locked down computer systems and forced hospitals, corporations, universities, and individuals to pay $300 apiece in Bitcoin to regain access to their files. One of the most notable victims of WannaCry was the United Kingdom’s National Health Service (NHS). About one-fifth of NHS trusts (which oversee British hospitals) were affected, forcing them to reroute ambulances, postpone surgeries, and cancel appointments.

While American hospitals were mostly unaffected by this particular attack, there has been a worrying jump in successful ransomware attacks in the U.S. Here’s a quick list of 12 that happened in 2016, with many more cases occurring that same year.

Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says robust cybersecurity is a must-have for all hospitals, and that it begins with knowing the problem.

“For me, the lack of knowledge [about cybersecurity] may be the biggest issue,” says Ruelas. “For example, the cybersecurity community often never knows about a threat until organizations are successfully attacked. As a result, cybersecurity experts are often dealing with the aftermath while those writing these malware programs are constantly developing new threats. It goes back to the old model of how it is impossible for policies, often based on information, [to] keep up with technology because technology is often far ahead in not only developing new ways of doing something, but also developing information in the process.”

What is ransomware?

Ransomware is a new twist on the old crime of hostage taking. The virus locks down all of your computer files so you can’t access them, then a screen appears telling you that you have a certain number of days to pay the hacker in untraceable currency. Pay and you get all of your files back. Refuse and your computer remains locked and your files, documents, photos, and videos are lost forever.

While this is bad enough for people wanting to get their family photos back, it reaches a new level when hospitals are affected. Losing access to medical records and computer systems while treating patients can be devastating.

Ruelas notes that, depending on the type of ransomware, a hacker can also download and view copies of the infected system’s records. For a hospital, those records include:

• Medical records
• Patient histories
• Insurance information
• Credit card numbers
• Social Security numbers
• Dates of birth, phone numbers, addresses, etc.

The sheer volume of valuable information is one of the reasons why 88% of ransomware attacks are targeted at hospitals. But there are ways to prevent ransomware hackers from viewing your files, even if they infect your system with a virus.

“One way to combat this is to have these files encrypted,” says Ruelas. “This way, if they are encrypted, it may be possible to prevent the hacker from viewing the contents of the files. You still may have a breach on your hands even if the files are secured—depending on if the risk assessment determines that the records were compromised—but at least you minimize the risk of the hacker being privy to confidential information.”
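The mitigation Ruelas describes, keeping records encrypted at rest so that a file copied off the system is unreadable without a key held elsewhere, as an added example in Go. This is not code from the article, from the NHS or from any hospital system; the record fields, the sample values, the AES-256-GCM choice and the key handling are this example's own assumptions. It shows three things the quote implies: the stored bytes contain none of the sensitive fields, an authorised reader holding the key recovers the record exactly, and any alteration of the stored blob is rejected instead of being loaded silently.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record holds the kinds of fields the article lists for a hospital system.
// Every value used with it below is constructed for this example.
type Record struct {
	Patient string
	DOB     string
	SSN     string
}

// Serialize flattens the record to bytes. A real system would use a schema
// (JSON, HL7, FHIR); a pipe-delimited string is enough to show the point.
func (r Record) Serialize() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s", r.Patient, r.DOB, r.SSN))
}

// newGCM builds an AES-256-GCM AEAD; it rejects keys of the wrong length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and returns nonce || ciphertext || tag. A fresh
// random nonce per record is required; reusing one under the same key breaks
// GCM's confidentiality and integrity guarantees.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It fails if the key is wrong or if a single bit of the
// stored blob was altered, so a tampered record is rejected, not charted.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("stored blob too short to be valid")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// LeaksPlaintext reports whether any sensitive field appears verbatim in the
// stored bytes, i.e. what someone who copies the file off disk can read.
func LeaksPlaintext(stored []byte, r Record) bool {
	for _, f := range []string{r.Patient, r.DOB, r.SSN} {
		if bytes.Contains(stored, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed key. In production it lives in a KMS or HSM, never on the
	// same disk as the records, so copying the data store does not copy it.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec := Record{Patient: "Jane Example", DOB: "1970-01-01", SSN: "000-00-0000"}

	blob, err := Seal(key, rec.Serialize())
	if err != nil {
		panic(err)
	}
	fmt.Println("fields readable in encrypted store:", LeaksPlaintext(blob, rec))

	pt, err := Open(key, blob)
	fmt.Println("authorised read ok:", err == nil && bytes.Equal(pt, rec.Serialize()))

	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or altered stored record
	_, err = Open(key, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The protection depends entirely on where the key lives: if it sits beside the records, an intruder who copies the store copies the key too, and the encryption changes nothing. The authentication tag is a separate benefit for the ransomware case, because a record that has been overwritten or partially damaged fails to open instead of being trusted, which is a clear signal to fall back to backups rather than to the altered data.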

