Potential Effects of Ransomware in Healthcare

By Doug Copley, Forcepoint Senior Security, Privacy & Risk Strategist  

There have been many articles written on vulnerabilities in medical devices that speculate on the potential impact to patient safety. In a recent string of attacks (see Hollywood Presbyterian and Flint Hurley Medical Center) ransomware has become an increasing threat to healthcare providers, but little has been said about how it could impact patient safety. Ransomware infects a PC and restricts access to the infected PC, typically by encrypting most files.  In the case of Locky, which was in the media recently, it will also reach out and try to establish connections to network shares and encrypt that information as well. When the ability to use PCs is significantly hindered – largely making them inoperable – caregivers in hospitals may be forced back to paper-based workflows. In today’s day and age, this causes a significant disruption to normal operations.

Why ransomware? 

Ransomware has become an easier source of revenue for cyber criminals.  With a successful attack against an organization, the organization finds itself in a crippled position from an information availability perspective. The data it needs to function is no longer available and the organization left with a risk management decision: does it bow to the demands of the criminal, or try to recover itself, not knowing if it can or how long it will take? Although most would agree that bowing to the demands of a criminal is morally and ethically a bad decision, C-level leaders have to make the decision that is in the best interest of organization. Consistent with many others, Hollywood Presbyterian Medical Center chose to pay the $17,000 fee for a potentially quicker recovery, and assumed the risk that the criminal would provide the encryption key and won’t try the same threat again.  Given the potentially significant impact to hospital operations, many healthcare executives might make the same call.

Potential Impact of Ransomware

When threat impacts are discussed in the healthcare industry, the conversation is usually quick to steer to medical devices, a top concern today.  What’s the potential impact to hospitals from ransomware attacks? Information is time-critical at hospitals, especially in the emergency rooms and operating rooms.  If PCs stop functioning and there are delays in information access and information flow, it could cause substantial disruption, and could even cause patient safety concerns.

What impact could going back to paper charts have on human life and safety?  Many in the field might say “that’s no big deal – our caregivers know how to fallback to paper processes.” However, organizations need to ask themselves whether that’s still true in 2016.  New qualified physicians and nurses train on electronic medical record systems. Unless organizations are training staff how to operate when the system is down, they are not going to know how to perform via paper.

Let’s consider caregivers trying to treat patients, and consider the difficulties they would encounter if their PCs were not functional, rendering no access to the electronic medical record system.

• Patient medical history inaccessible. Caregivers must learn that from the patient or family members, and if the patient is unconscious, family is not present, or they do not speak the same language, that can cause significant delays in treatment.
• Patient medication history unavailable.  To treat a patient effectively, a physician needs to know what medications the patient takes on a regular basis, and what medications have been administered to this patient in the last 24-48 hours. If prescribed the wrong medication or incorrect dosage, there could be serious risk of harm to the patient.
• Lab orders delayed.  Now orders need to be delivered on paper or over the phone. If 50 people are trying to place orders concurrently, how long will it take to place the order?
• Lab results stalled.  Lab orders are typically transmitted electronically..  If that communication link is broken, how long it will take to get the lab result to the caregiver?
• Prescriptions postponed because they cannot be ordered electronically
• Medical devices inoperable. Some medical devices rely on PCs to manage the device.  If that PC becomes inoperable, critical MRI or interpretation of radiologic data may not happen.
• Monitoring PCs impacted. Medical devices that feed data to a central nursing station may no longer be able to because the monitoring station isn’t functional.  The hospital may not have adequate staff to physically visit all rooms to monitor the patients.
• Potential public relations controversy – Imagine a family coming to the hospital to visit a family member after a major surgery and the hospital cannot tell the family what room they are in because the staff at the desk can no longer access the application that tracks location of patients. What if that patient passes before the family can see them?

Prevention

What can organizations to do protect themselves from ransomware?

1. Put strong technologies in place to prevent and detect threats.  Email security, web security and endpoint security technologies need to be able to identify these threats so that the threat has no ability to penetrate the organization.  Because no technology is perfect and the threats can be so tricky for users to identify, you need to focus on
2. Educate the workforce.  Ransomware is typically spread via infected email attachments or links.  Staff need to understand threats of this type and resist the need to click that link, or launch that file to see what it is.  Repetition of security education is key.
3. Make sure IT, security and other staff or partners are trained in prevention, detection and incident response. Without trained staff, an organization’s ability to detect and respond threats is severely limited and could cause significant downtime and expense.

Bottom line: have contingency plans. In the age of ransomware, every organization needs to ponder the cost of investing in cybersecurity and education versus the cost of using pens and paper.