Ransomware in Healthcare: Where the Stakes Are Higher

“Good day, isn’t it?”

This greeting taken from a ransomware screenshot is audacious.

For healthcare organizations who are struggling with basic security, much less advanced threats like ransomware, the greeting is chilling. The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute, found that ransomware was one of the new cyber threats for 2016.

Ransomware is a type of malware that gains access to a computer system and makes either the system or the data inaccessible, then attempts to extort payment from the owner in return for returning access.

Ransomware is spreading with the speed of the stomach flu to infect healthcare organizations nationwide, but is infinitely more damaging. A recent Healthcare IT News and HIMSS Analytics Quick HIT Survey found that about 75 percent of healthcare organizations polled were or may have been hit with a ransomware attack.

Incidents at Titus Regional Medical Center in Texas and the Hollywood Presbyterian Medical Center appear to be the start in a series of ransomware attacks on the healthcare industry in 2016. Three California hospitals owned by Prime Healthcare Services, King’s Daughters’ Health in Indiana, Methodist Hospital in Kentucky, as well as Maryland/D.C.-based MedStar Health were all hit by or allegedly hit by ransomware in the past few months.

Ransomware: A Mountain out of a Molehill, or a Molehill out of a Mountain?

No doubt about it, ransomware is a hot topic, and hot topics make big news. Sometimes, however, an overemphasis on one threat or another can skew reality, confusing privacy and security professionals.

But ransomware truly is a big deal. Consider the numbers: Mac McMillan, co-founder and CEO of healthcare security and privacy consulting firm CynergisTek, told Becker’s Health IT & CIO Review of a hospital client who had counted around 3,000 suspected ransomware events in their filters a day. A month later, that number had grown 10-fold to 30,000 a day. And a new Unit 42/Palo Alto Networks report on ransomware points that ransomware attackers are targeting more platforms, including Mac X OS. The problem will only increase as the Internet of Things (IoT) continues to take hold, according to the report.

The government is also taking notice of cyber-threats like ransomware. In February, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) launched a new cyber-awareness initiative, starting with advice on how HIPAA covered entities can avoid ransomware. And at the end of April, the FBI warned healthcare and other organizations against the “insidious” threat that is ransomware.

To Pay or Not to Pay?

Healthcare organizations suffering a ransomware attack struggle with whether or not to actually pay the ransom. As Healthcare IT News pointed out, the answer depends on a host of factors—the size of the attack, when it was discovered, how fast the business continuity plan “kicked in,” how widespread the encryption is, and when the data was last backed up.

“Some organizations back up data daily,” said Brendan FitzGerald, HIMSS Analytics research director for Advisory Solutions. “But when you’re talking about an entire health system, there’s no guarantee that the data will get backed up every single day.”

Fifty percent of the respondents in the Healthcare IT News/HIMSS Analytics survey said they would not pay the ransom. Nearly three-quarters of healthcare organizations said they had a business continuity plan, but “when asked if they would pay the ransom, almost half said they are unsure,” FitzGerald said. “That calls into question how solid those plans really are when dealing with ransomware.”

Ransomware attacks can be frightening. As Brian Krebs pointed out, Methodist Hospital declared an “internal state of emergency” after its ransomware attack. Operations get disrupted, and patients’ lives are literally at risk.

“If you have patients, you are going to panic way quicker than if you are selling sheet metal,” Stu Sjouwerman, CEO of the security firm KnowBe4, said in a WIRED article.

Alex Rice, chief technology officer and co-founder of vulnerability disclosure portal provider HackerOne, agreed, saying that the cyber challenges facing healthcare isn’t unique. “It’s just that the stakes in healthcare are so much higher—a disruption at a hospital can be life and death,” he told Ars Technica.

Despite these fears, Methodist Hospital, the California hospitals, and MedStar reportedly did not pay the attackers. Hollywood Presbyterian Medical Center did pay up, about $17,000 worth of the virtual currency Bitcoin. President and CEO Allen Stefanek said in a statement that paying the ransom was the “quickest and most efficient way to restore our systems and administrative functions.”

Jason Rolla is chief technology officer of Illinois-based Christopher Rural Health, which was a victim of a ransomware attack. Hackers wanted hundreds of dollars’ worth of Bitcoin. He managed to avoid paying because he had the data backed up. “To be honest with you, I did [consider paying the ransom],” he told Fortune. “On the first day, absolutely. I really could not afford to be without those files.”

Yes, ransomware has definitely earned its spot as a top cyber threat for healthcare organizations, but as we’ve pointed out before, ransomware attackers are simply crooks, and crooks can be caught.