Ransomware attacks are a form of digital extortion and a way for hackers to easily monetize health information by holding it hostage. The 2016 Ponemon Institute Study of Privacy and Security of Healthcare Data reveals that criminal attacks are the leading cause of data breach among healthcare organizations, and 45 percent of healthcare organizations and their business associates are worried about ransomware.

Why is ransomware such a great threat? Information security experts estimate it takes less than 3 minutes from someone clicking on a malicious link to the files being fully encrypted. The hacker then demands a ransom payment in return for access to the information, usually in Bitcoin, which can't be traced back to the individual responsible for the attack.

There are costs beyond that of potentially paying a ransom to have the organization's access to the internet and/or its systems unlocked. There is the potential for lost business, as well as repair and restoration costs. There is also a risk and potential cost to patients when their data can't be accessed when it is needed. And in some cases, ransomware results in a data breach and its associated costs.

Not every attack is successful, and some organizations aren’t even aware an attempt has been made. But, a Healthcare IT News article highlights eight hospitals/systems where the ransomware attack was successful in 2016. This presents an opportunity for other organizations to learn from the experience of these hospitals and their clinics and to enhance their business continuity plans.

Specific ransomware attack scenarios encountered include:

  • Entire system/network locked down
  • Only web-based services affected
  • Individual computers locked down
  • Forced to power down all systems, then discovered the ransomware had not spread beyond a single employee's infected file
  • Patient data was affected and/or breached at some organizations, but not others
  • One clinic turned away some patients because employees could not access data
  • After payment was made to unlock the data/system, one extortionist demanded a second payment

Paying might be the quickest way to have access to the system and/or data restored, but it could also signal that the organization would be willing to pay even more. Factors that contribute to the decision of whether to pay include the scope of the attack, how soon it is discovered, how quickly the business continuity plan is implemented, how recent the last backup is, and whether patient data was breached.

A Healthcare IT News/HIMSS Analytics survey found that 50 percent of respondents said they would not pay the ransom. Three-fourths of those responding have a business continuity plan, but even half of these are unsure whether they would pay the ransom.

Two organizations did pay a ransom in 2016. Hollywood Presbyterian paid $17,000 after every system was affected for a week, and MedStar paid $19,000 when some employees received a pop-up demanding payment to receive a digital key so they could access the system. In June of 2015, Christopher Rural Health couldn't afford to be without their data, but didn't pay because they had a backup.

In addition to having strong backup procedures, five other proactive actions healthcare leaders can take to help defend their organizations from breaches include:

  • Instill a culture of digital security in all staff
  • Update policies/procedures to keep pace with evolving technologies
  • Conduct risk analysis to identify vulnerabilities and guide spending
  • Implement an information security framework
  • Consider cyberinsurance to cover breach-response costs