Two recent ransomware attacks at surgery centers have managers wondering how to prevent or, if necessary, respond to such attacks.
- Identify your highest risks: medical devices, the network, mobile devices, your staff, outside contractors, or vendors.
- Use intelligent firewalls. Install updates and patches to software on a regular basis. Use backup software.
- Consider using Mac devices. If you use Microsoft, disable your macros.
Two recent ransomware attacks at ambulatory surgery centers have managers wondering how to prevent or, if necessary, respond to such attacks.
In a ransomware attack, hackers seize control of a facility’s computer system and records, then demand payment for the installed encryption key so the facility can regain control of its own computer system.
Facilities pay the ransom through a pre-paid cash voucher or bitcoin, which is a decentralized network that has its own currency. Some ransomware works via email attachments, according to The Doctors Company, the nation’s largest physician-owned medical malpractice insurer. The insurer, based in Napa, CA, recently released a cybersecurity guide.[1] (See information about the guide in the resources listed at the end of this article.)
“If the organization has performed frequent system backups, it can typically restore its data with limited loss,” according to The Doctors Company. “However, if backups are not performed, the ransom must be paid or the organization must reset its system back to its default setting — and lose everything.”
Consider these recent examples of ransomware:
• Staff members at The Ambulatory Surgery Center at St. Mary in Langhorne, PA, discovered a malware breach June 1 when they noticed encrypted files on an internal network, according to a newspaper report.[2] The center is owned by a hospital and local physicians. The center had backed up all of its files, so it restored them the same day and didn’t pay the cybercriminals, according to the news report.
The surgery center leaders are certain that medical records and patient charts weren’t accessed because they keep them on a separate network. However, the leaders weren’t certain whether the cyberattackers had accessed data such as patient names and dates of birth, so they offered 13,000 patients who were affected a year of free identity theft protection, credit monitoring, and identity restoration, the newspaper reported. Although the surgery center didn’t release the cost of these services, they generally run $10-$20 per patient, according to sources.
Patients also were given access to a toll-free number to call.
• Athens (GA) Orthopedic Clinic, which includes an outpatient surgery center, experienced a ransomware attack affecting about 397,000 current and former patients that was discovered June 28. “The breach occurred when a hacker used the credentials of an outside contractor who performed certain services for the Clinic,” the center said in a prepared statement.
The clinic “immediately hired cyber-security experts and notified the FBI,” it said. At that time, the center didn’t disclose the breach publicly because, it says, it didn’t want to interfere with its investigation “or push the hacker into a mass public release of data.”
Several days later, the center confirmed the EMRs had been hacked. It took several weeks to determine what patients and data were affected, it says. While it was compiling lists of the affected patients to mail notices to them, it learned the hackers, who call themselves the “Dark Lords,” were attempting to sell the data on the black market. “[W]e immediately issued a press release, put statements on our website and Facebook page, and continued trying to get letters mailed,” the center said. The center offered information about how patients could protect themselves.
Both centers have taken steps to address security vulnerabilities, they report.
Fastest Growing Threat
Ransomware is the fastest growing malware threat, according to a recent technical guide developed by the departments of Homeland Security, Justice, and Health and Human Services. (For information about the guide, see the resource list at the end of this article.)
“Almost all healthcare provider organizations have been breached or suffered an attack in the last two years,” says Ellen M. Derrico, MBA, a marketing/market development executive in healthcare and life science technologies and an independent consultant in West Chester, PA. “Many have had multiple attacks per year, month, week, and even per day.”
More than half of all healthcare provider organizations have reported finding traces of malware and viruses on devices on their networks, Derrico says. “Some of this malware and viruses are just waiting to execute,” she says.
And it’s not just patients’ identities that are at risk. Ransomware attacks directly threaten patient safety, Derrico says.
One hospital that experienced a ransomware attack was without access to email and electronic health records for 11 days, with clinicians left to rely on faxes and verbal communication. New records and patient registration information were recorded on paper, and some patients were transferred to other hospitals. It is only a matter of time before a ransomware attack causes serious harm or death because clinicians were unable to access records about a patient’s history, status, or medication administration, Derrico says.
Another concern is the expense. “On average, a basic breach costs $3.7 million to clean up, and then when records are stolen, you end up with lawsuits,” Derrico says. “When you add up all the costs and liability from a ransomware attack, it’s even worse. It can be catastrophic to a healthcare organization.”
Outpatient Is Vulnerable
As if the news couldn’t get any worse, outpatient surgery settings might be particularly vulnerable to a ransomware attack, say sources interviewed by Same-Day Surgery.
“Same-day surgery facilities may have an increase in vulnerability, due to the volume of patients, the increased mobility of the clinicians, and the level of security in place,” Derrico says.
Another area of vulnerability is the type of critical medical equipment found in surgery centers, says Erik Rasmussen, JD, cyber practice leader with Kroll’s Cyber Security and Investigations practice, based in the Los Angeles office. Rasmussen is a former deputy prosecuting attorney and special agent with the U.S. Secret Service, where he focused primarily on domestic and international computer crime investigations. Earlier in his career, Rasmussen served on the Los Angeles FBI Joint Terrorism Task Force, where he investigated activities of domestic and international terrorist organizations.
“Critical medical equipment, such as what you would find at an ambulatory surgery center, is generally at risk due to the sensitive nature of the applications on that equipment,” Rasmussen says. “The applications often preclude traditional antivirus, anti-malware software, or normal patching timetables.” Examples include drug infusion pumps and any other network-enabled equipment.
A surgery center co-owned by a hospital or part of an integrated delivery system, where patient records are shared across entities and where networks and IT systems are shared, might be particularly vulnerable, Derrico says. Such a setting offers “the highest potential for a bountiful attack, yielding the most records in a theft scenario and the most opportunity for extortion in the ransom scenario,” she says.
The bottom line? “All healthcare providers are targets on one level or another,” Derrico says. (See stories about preventing attacks, responding to attacks, training, and security breaches in this issue.)
References
1. The Doctors Company. Cybersecurity and data breaches. Strategies to mitigate risk, monitor security, and respond in the event of a cyberattack. August 2016. Accessed at http://bit.ly/2bSCiCk.
2. Wagner J. Ransomware attacks info of 13K patients at Ambulatory Surgery Center at St. Mary. Bucks County Courier Times: July 11, 2016. Accessed at http://bit.ly/2bQcrtK.
Resources
- The cybersecurity guide from The Doctors Company is available online at http://bit.ly/29zm57B.
- The federal guidance can be accessed at http://bit.ly/2966w4T.
- For cybersecurity resources from the American Hospital Association, visit www.aha.org/cybersecurity.
- Ellen M. Derrico, MBA, Marketing/Market Development Executive, Healthcare and Life Science Technologies, West Chester, PA. Email: email@example.com.