Hospital Ransomware Attacks Spark IT Security Debate
A series of ransomware attacks directed at U.S. hospitals is highlighting the vulnerability of private health records as hackers prey on healthcare facilities with the ability to pay.
The latest example surfaced this week at Methodist Hospital in Henderson, Ky., which declared an "internal state of emergency" after hackers easily penetrated its IT infrastructure. Ransomware was used to encrypt hospital files. Victims then must pay a ransom for the keys to unlock files.
The medium-size hospital reportedly declined to pay the equivalent of about $1,600 in Bitcoin currency for the keys. Instead, it shut down the effected IT infrastructure and relied on backup copies of infected records.
That's one way to avoid becoming the victim of ransomware, security vendors note. IT security investments alone won't stop emerging cyber-security threats like ransomware, argue disaster recovery service vendors. "The best way to protect your organization is the have both replication and backups," insists Indianapolis-based disaster recovery-as-a-service vendor Bluelock.
The ransomware attack on the western Kentucky hospital is part of a growing cyber threat as hackers hit more hospitals with relatively modest ransom demands. In other words, hackers are employing a volume strategy rather than asking for large amounts of ransom in a single hack.
Security breaches involving healthcare facilities have also touched off a debate about security vulnerabilities as more hospital move IT operations to the cloud. For now, most everyone agrees the ransomware problem will only get worse.
According to electronics records management specialist eFileCabinet Inc. of Lehi, Utah, the medical records of more than 100 million people were compromised on 2015. A security breach at Anthem Blue Cross Blue Shield, the largest security failure recorded last year, accounted for most of that total.
"The increased risk of data breaches in healthcare has much to do with the value of the material," the document security firm argued in a recent report. "Before, financial institutions were some of the most popular targets for data theft. However, the value of the pilfered data would have a short expiration date. Something like a credit card number is only going to have value as long as it takes the owner to realize that they have been compromised."
However, "The information in a healthcare record has better diversity when it comes to fraud and it has a much longer shelf life for criminal activity," the company asserted.
Some security experts point to the migration of health records to the cloud as contributing to the rise of ransomware and other security breaches. The industry study sought to challenge that view: "The fact that the rise of cloud-based services and the increase of data breaches in the industry seem to coincide does not necessarily mean that they are connected," the eFileCabinet study argued. "As a matter of fact, there is some data to suggest just the opposite."
For example, of the handful of healthcare data breaches affecting more than 1 million individuals last year, the company claimed only one involved a cloud-based platform. "Many healthcare breaches are related to things like portable media devices and physical records, so it could be argued that some of these attacks may have been averted if the information was secured on a cloud system," the company noted.
Hence, disaster recovery and electronic documents management vendors are pitching cloud solutions that attempt to overcome growing security concerns. Whether the key is bullet proofing private cloud infrastructure or simply making sure that private medical records—which have been peddled by unscrupulous data brokers—are backed up, hospitals can expect to remain under attack by hackers for the foreseeable future.