By Elizabeth Snell

March 25, 2016 - Ransomware is quickly becoming a popular topic when it comes to healthcare data security, and covered entities and their business associates should take notice of this latest threat to sensitive information.

No organization should assume that it will never fall victim to a cyberattack or healthcare data breach. Having a full understanding of what the latest threats are and how to work to protect against them are essential aspects for any facility’s approach to security.

But what exactly is ransomware? How will it affect healthcare data security? How has it already started to impact the industry?

HealthITSecurity.com will review the key aspects of this threat, and discuss why healthcare organizations should take note.

What is ransomware?

The Institute for Critical Infrastructure Technology (ICIT) has called 2016 the year of ransomware, and that it will “wreak havoc” on America’s infrastructure.

“Ransomware is less about technological sophistication and more about exploitation of the human element,” ICIT explains in its ransomware report. “Simply, it is a digital spin on a centuries old criminal tactic.”

Ransomware is a type of malware that will prevent an organization from accessing certain parts of its system. Typically, an entity and its users will be locked out from critical systems, and unable to get in unless they pay a certain amount of money. Essentially, data is being held hostage.

The ransomware will either deny access to the data or it will encrypt it. Crypto ransomware will encrypt the data, while locker ransomware prevents users from being able to access the information.

However, once the money has been paid, there is no guarantee that the organization’s system will be unlocked.

For healthcare, this can be especially dangerous as hospitals could be locked out from their own EHR and unable to reach patient information. Healthcare organizations likely cannot operate normally and ensure patient safety - and data security - without being able to access their systems.

The ransomware could be downloaded in various ways. For example, a user may inadvertently download the malware from a website or by falling for a phishing scam. Or, perhaps an attachment in spam email contains the ransomware.

“Ransomware criminals concern themselves with what they can disrupt,” ICIT states. “Business operations grind to a halt until the system is restored or replaced. Moreover, unlike traditional malware actors, ransomware criminals can achieve some profit from targeting any system: mobile devices, personal computers, industrial control systems, refrigerators, portable hard drives, etc.”

Cybersecurity measures might not be enough to prevent ransomware, according to ICIT, which is why it is so effective.

“Information security systems exist to detect and mitigate threats, to prevent data modification, to question unusual behavior, etc. After it is on a system, ransomware bypasses many of these controls because it effectively acts as a security application.”

What can be done to prevent these attacks?

One of the top ways to prevent ransomware attacks is to work on mitigation tactics, such as training employees what to look for in phishing attacks and how to recognize malicious emails.

Both the private and public sectors need to work together, according to ICIT. While the only true way to prevent malware attacks is to never open email, that is not a realistic option.

“Collaboration and collective cybersecurity improvement is the best strategy for mitigating the ransomware threat and reducing the impact of successful attacks. As initiatives to increase societal cybersecurity training and awareness improve, the attack surface and profitability of ransomware and other malware campaigns will decrease.”

As with basic healthcare data security measures, organizations need to implement a cybersecurity strategy. There is not one solution that will always keep unauthorized users and cybercriminals at bay, but information security awareness and regular training are one important aspect.

Additionally, updated software and hardware solutions will be critical. Any patches should be implemented as needed.

“No single product should be relied upon because there is no single product that provides comprehensive security,” ICIT warns in its report. “

White-list firewalls, intrusion detection and intrusion prevention systems, anti-virus, anti-malware, and anti-ransomware applications will all be beneficial. User Behavioral Analytics programs will also alert organizations to any suspicious activity, and encrypting data at-rest as well as in-motion will also be necessary tools.

Finally, as with any data security plan, backup systems are essential. This will potentially ensure that critical information remains accessible in some way, and that the healthcare organization can continue to run.

How is it affecting healthcare?

There have been several recent cases of ransomware that has impacted healthcare organizations.

Kentucky-based Methodist Hospital announced that it was infected with the Locky ransomware virus, which copies all vital files, encrypts them, and then deletes the originals. Upon discovering the incident, the hospital shut down all of its computers and checked whether they had been infected by the virus.

Patient files were reportedly secure and were not accessed during the downtime.

Two hospitals in Prime Healthcare Services, Inc., Chino Valley Medical Center and Desert Valley Hospital also recently reported that they had been victims of ransomware attacks.

Again, patient data was reportedly not compromised, but several servers were shut down to prevent any further infiltration.

Hollywood Presbyterian is perhaps the largest case of ransomware recently affecting healthcare. In that case, the California hospital was forced to pay $17,000 after it was locked out of its system. The hospital said that there was no sign that any stored EHR information had been misused or accessed, and that files had been encrypted.

“I am very proud of the dedication and hard work of our staff who have maintained the highest level of service, compassion and quality of care to our patients throughout this process,” hospital CEO and president Allen Stefanek said in a statement. “I am also thankful for the efforts of the technical staff as the EMR systems were restored, and their continued efforts as other systems are brought back online.”

Experts agree though, that this trend will unfortunately continue to affect the healthcare industry.

“The healthcare sector was not a traditional target for ransomware attacks,” ICIT explains. “One theory is that attackers did not target systems that jeopardized lives.”

However, that mentality has recently changed as the attacks on hospitals prove.

Symantec Health IT Officer David Finn, CISA, CISM, CRISC had similar misgivings in an interview with HealthITSecurity.com earlier this year.

“Now that we’ve got some publicity over the fact that healthcare is easy to get into and that they will pay ransom, it’s going to be a bigger target. It isn’t going to abate,” he said.

Overall, healthcare data security measures will need to continue to evolve in order to keep pace with the continuously evolving threats. Technology and training will both need to be comprehensive and current in order for covered entities to have a chance in mitigating ransomware threats.