A global ransomware attack last month hit 16 hospitals simultaneously in England's National Health Service. Doctors and nurses were locked out of patient records, emergency patients had to be transferred, and appointment schedules, communications and emails were inaccessible. It wasn’t an isolated event.

Ransomware, viruses and malware that lock computers and encrypt patient files, rendering them inaccessible until a ransom is paid, have been around for over a decade but grabbed headlines recently when hackers began targeting hospitals. The most common source of ransomware is a malicious email attachment disguised as a bill or invoice that automatically installs the malware.

Since 2012, ransomware attacks in hospitals have increased and become more sophisticated. In fact, hospitals have been dubbed the “perfect mark” for ransomware attacks because access to patient health information is essential for providing critical care and organizations therefore are willing to pay to get their systems up and running quickly. Attacks should come as no surprise: A complete medical record rich with personal data including Social Security numbers, driver’s licenses, credit card details, health plan information and prescriptions can sell for as much as $1,000 on darknet sites.

Duo Labs, the research team at cybersecurity firm Duo Security, compared user data across industries and found that hospital employees log in to “twice as many applications as the average user.” A major flaw the group identified is that hospitals amass large amounts of data accessible to large numbers of employees through communal workstations and shared passwords. Thus, there is a heightened risk of malware infection.

Cybersecurity problem grows

A poll conducted in April 2016 by Healthcare IT News and HIMSS Analytics found “considerable uncertainty, questionable business continuity plans, and the need for more effective end-user education rampant in the industry.”

Nearly 90 percent of ransomware attacks during the second quarter of 2016 were on hospitals, according to a report by cybersecurity company NTT Security. Redspin’s cybersecurity report found that there was a 320 percent increase in the number of hospitals victimized by hackers from 2015 to 2016. The report also found that 325 large breaches of protected health information occurred and compromised 16.6 million individual patient records.

And, incidents are getting more media attention — potentially damaging the reputations of hospitals. A U.S. government interagency report indicated that from January 2016 to July 2016, there were approximately 4,000 daily ransomware attacks (a 300 percent increase over the 1,000 daily ransomware attacks reported in 2015). 

Among recent high-profile cases of ransomware attacks: Computers at Hollywood Presbyterian Medical Center in Los Angeles were locked for more than a week until the hospital paid $17,000 worth of bitcoin in ransom; Maryland-based Medstar confirmed that 10 hospitals in its network were infected with ransomware; and Methodist Hospital in Henderson, Ky., was hit with a ransomware virus that limited its use of electronic web-based services and prompted it to declare an internal state of emergency. Details of ransom demands and the amounts, if any, paid to regain access to files are rarely disclosed publicly.

Prevention and response

At a national level, Congress has passed measures to prevent ransomware attacks in hospitals:

  • The Senate health committee added a health care cybersecurity provision into the Cybersecurity Information Sharing Act of 2015. The provision charges the Department of Health and Human Services with appointing an official to lead the agency’s cybersecurity efforts, coordinate a response should an attack occur and issue a report on the latest cyber threats so the public can understand how they may be affected by attacks.
  • The Senate health committee recently approved several pieces of legislation that affect health care data security. These include the Improving Health Information Technology Act, designed to make electronic health records more interoperable; and legislation to establish a medical device post-market surveillance system.
  • Hospitals, as Health Insurance Portability and Accountability Act–covered entities, are required to develop and implement security incident procedures, along with response, reporting and notification processes if ransomware is detected.

But it is a local hospital’s preparedness that’s key to prevention. In general, hospitals must make cybersecurity a high-priority concern at every level of operations. Investment in employee awareness and training, troubleshooting techniques and data protection must be ongoing and adequately funded to prevent the hospital from becoming the target of disabling ransomware or experiencing a major breach.

Straightforward steps hospital administrators and staff should take to help prevent ransomware attacks include:

  • Keep operating systems, browsers and applications completely up to date.
  • Ensure the devices on your networks are up to date.
  • Use stronger passwords.
  • Don’t click on links or open attachments from untrusted or suspicious sources.
  • Regularly back up important files.
  • Use and distribute preventive guidelines and ransomware manuals.
  • Remain up to date with federal policy changes and new initiatives.

Taking action

A ransomware incident is a possibility in every hospital, clinic and outpatient facility. Preventing it is a high priority, and, if attacked, managing it quickly and efficiently is an absolute necessity to sustain patient care and protect the reputation of the organization.

Paul H. Keckley, Ph.D. (pkeckley@paulkeckley.com), does independent health research and policy analysis and is managing editor of The Keckley Report. He is a member of Speakers Express; for speaking opportunities, please contact Laura Woodburn. Marina Karp can be reached at makarlie02@gmail.com.

The opinions expressed by the author do not necessarily reflect the policy of the American Hospital Association.