Have You Met The Dark Overlord? – Why Ransomware Cyberattacks Are The Greatest Threat To Your Practice That You’re Not Worried About – and How To Play Defense
Even for the most ardent Luddite, it is hard to avoid talk these days of "ransomware." For the uninitiated, ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by encrypting the users' files, until a ransom is paid.1 You are hearing about it because it has been the fastest-growing cybersecurity threat of the past two years. Ransomware exploded in the fourth quarter of 2014, when working source code was published as "open source" and ransomware-as-a-service became available. Together these dramatically lowered the difficulty of getting started; combined with little chance of arrest, the financial gains available from these attacks were simply too good for cybercriminals to pass up.
Since then, reported ransomware payments have exceeded one billion dollars per year, and those are only the payments that are reported. If that number does not impress you, remember that it is the product of an average ransom demand of under $700.2 That is the "evil genius" of ransomware: the attackers ask for just enough money that paying looks cheaper than the hassle and delay of fighting it. For small businesses the threat level is critical. These businesses lack the staff, the security tooling and the multi-layer defense programs that larger organizations use to protect themselves. And it is only escalating.
For ASCs, this threat is multiplied by their liability under the Health Insurance Portability and Accountability Act ("HIPAA"). An attacker who can encrypt a system's data has taken control of that data, including any "protected health information" ("PHI") it contains, and may have copied it before encrypting it. This threat has become so prevalent that in July 2016 the HHS Office for Civil Rights released new HIPAA guidance on ransomware. The guidance reinforces the activities HIPAA already requires that help organizations prevent, detect, contain and respond to these attacks, treats a ransomware infection that encrypts PHI as a presumptive breach unless the organization can show a low probability that the PHI was compromised, and confirms that paying the "ransom" does not shield an institution from HIPAA enforcement3, where civil penalties can reach $50,000 per violation.
Cybercriminals target medical facilities because of the legacy software many of these institutions run. Old software suites, and the old operating systems they often require, are dramatically easier to exploit, particularly once the vendor stops shipping security patches for them, and the regulatory burden of maintaining electronic medical records leads many of these organizations to keep old software running far longer than they should. The cost of updating is usually prohibitive and the array of options is dizzying. As a result, many ASCs fall back on the belief that small, private institutions like theirs are simply not a target. They are wrong.
* On June 1, 2016, approximately 13,000 patient records at The Ambulatory Surgery Center at St. Mary in Langhorne, Pa. were compromised by ransomware.4
* Athens (GA) Orthopedic Clinic, which includes an outpatient surgery center, experienced a ransomware attack affecting the records of about 397,000 current and former patients that was discovered on June 28, 2016.5
Cybersecurity experts also warn of the special vulnerability of ASCs:
“Same-day surgery facilities may have an increase in vulnerability, due to the volume of patients, the increased mobility of the clinicians, and the level of security in place.”
* Ellen M. Derrico, MBA, a marketing/market development executive in healthcare and life science technologies and an independent consultant in West Chester, PA
“Critical medical equipment, such as what you would find at an ambulatory surgery center, is generally at risk due to the sensitive nature of the applications on that equipment … the applications often preclude traditional antivirus, anti-malware software, or normal patching timetables.”
* Erik Rasmussen, JD, cyber practice leader with Kroll’s Cyber Security and Investigations practice
For many years, HIPAA compliance has been relegated to an administrative status somewhere below obligatory continuing-education requirements, and is often little more than a budget line item. That is an increasingly outdated way of looking at this critical element of a practice. Major liability insurance carriers are beginning to offer cybersecurity insurance, but they also require a minimum level of security before a practice can qualify at any premium. Most legacy EMR/EHR systems do not meet that bar on their own, and off-the-shelf (COTS) anti-virus software, which relies on recognizing malware it has already seen, is woefully ineffective against ransomware by itself. The controls that actually blunt a ransomware attack are the unglamorous ones the OCR guidance points to: backups that are kept offline and tested by restoring from them, prompt patching, restricted user privileges and filtering of the e-mail attachments and links that deliver most infections. A practice that can restore its records from a clean backup never has to decide whether to pay.
Forward-looking ASC administrators should seek professional advice from a dedicated cybersecurity firm. NOTE: This is not asking your "IT guy" whether he has software. Experts predict that the majority of private medical facilities will be targets of this type of malware, and the cost of a successful attack, counting downtime, recovery, notification and penalties, far outpaces the cost of even the most exhaustive protection program. In other words, an ounce of real protection will save you pounds and pounds of cure.