A new cybersecurity scourge is plaguing health IT.
Of course, the traditional cybersecurity specter is still hovering: hacker-triggered health data breaches that have terrorized healthcare organizations since electronic health records proliferated in the industry in the 2000s. But the health IT counter-hacker corps has made big strides in combatting that adversary. And, besides, breaches don't usually hurt anyone directly.
Ransomware disturbs patient care
Not so with healthcare ransomware attacks. Patients' physiological health is at stake here -- even if patients are only collateral damage in cybercriminals' blackmail campaigns and there's no evidence of any concerted attack on a specific person. Apparently, no one has counted just how many patients had surgeries canceled or postponed after the WannaCry ransomware strikes took down at least 16 hospitals in the British public healthcare system in May 2017. One hospital CEO acknowledged that 10 operations were canceled at two sites.
It's also unclear exactly how many patients at the upscale Hollywood Presbyterian Medical Center in Los Angeles may have been denied timely treatment because ransomware cybercriminals froze the hospital's computer system in February 2016. Nor is it apparent how many patients were inconvenienced at Hancock Health in Indiana after it was hit with ransomware just two months ago. The hospital paid $50,000 in bitcoin ransom to unlock its system -- not the best practice, to put it mildly, according to the FBI.
Unwelcome surgery, workflow changes
The latest in the string of healthcare ransomware attacks on hospitals came just after the authoritative ECRI Institute put ransomware and other cybersecurity threats at the top of its annual health technology hazards list for 2018.
Malware exploits, including healthcare ransomware attacks, can make health IT systems unusable, block access to patient data and records, and disrupt the functioning of networked medical devices, according to ECRI. They can also disable third-party services by disrupting the supply chain for drugs and medical supplies.
In turn, these cyberattacks can lead to canceled surgeries and altered workflows such as reverting to paper records. And they can expose protected health information (PHI) and close emergency rooms and other departments, ECRI said.
"We believe there is the potential for this to become a more prevalent problem," said Juuso Leinonen, senior project engineer in the nonprofit patient safety and care organization's health devices group. "ECRI felt that the events that took place last year in the United States and abroad really proved ransomware's ability to disrupt healthcare delivery and lead to delays in patient care and directly [affect] patient safety."
Beyond ransomware and malware, ECRI and other groups involved in healthcare cybersecurity, including the FBI, the Food and Drug Administration and the National Institute of Standards and Technology (NIST), have recently sharpened their focus on the lack of cybersecurity for connected medical devices. The porousness of devices, such as infusion pumps and even injectors that pump contrast dye for medical imaging, has become a big deal in the health cybersecurity world, prompting stern guidance from the FDA and a lengthy safety report from NIST.
Meanwhile, the new spotlight on ransomware and patient safety and the blizzard of cybersecurity warnings about medical devices shouldn't necessarily detract from health IT's overarching preoccupation with PHI breaches and medical and financial privacy, said Matt Fisher, a health IT privacy lawyer. "It all goes, to some degree, hand in hand," he explained. "If you're focusing on what you can do to improve the overall security and you're monitoring the system and thinking about what you need to be doing to stop intrusions, that should help you find other issues," such as vulnerability to ransomware.
One of the more intuitive ways providers can avoid healthcare ransomware attacks is to follow HIPAA basics, Fisher added. That means adhering to the requirements of the HIPAA Security Rule, including having a data recovery plan and backups in place to restore data systems.
"You have to harden yourself. You can't just make yourself an inviting target and expect not to be victimized," Fisher said. "If you make yourself ripe for the picking, you need to take a look in the mirror."