Time to Face the Ransomware Crisis in U.S. Healthcare: Industry Experts Speak Out

Oct. 5, 2016
With ransomware attacks hitting more and more U.S. patient care organizations, industry experts agree: it’s past time for healthcare IT leaders to think and act strategically to meet the crisis head-on

The ransomware phenomenon is menacing more and more U.S. hospitals and patient care organizations. What does it mean? And what can be done? Part one in a two-part series.

The first nationally reported mainstream media news story in this drama was that around Hollywood Presbyterian Medical Center. On Friday, February 12, NBC4News, the local affiliate of the NBC network in Los Angeles, reported in its noon and evening broadcasts, and then online, this story: “Hollywood Hospital ‘Victim of Cyber Attack.’” As the online version of the story, by Jason Kandel and Robert Kovacik, stated, “A Southern California hospital was a victim of a cyber-attack, interfering with day-to-day operations, the hospital’s president and CEO said. Staff at Hollywood Presbyterian Medical Center began noticing ‘significant IT issues and declared an internal emergency’ on Friday, said hospital President and CEO Allen Stefanek. A doctor who did not want to be identified said the system was hacked and was being held for ransom.”

In the days that followed, more news reports appeared, confirming that, among other things, the electronic health record (EHR) and other clinical information systems at Hollywood Presbyterian Medical Center had been shut down for more than a week, and confirming that a ransomware attack had taken place, and stating that the cybercriminals behind it were demanding $3.6 million to restore the system.

Just five days after the first NBC4News reports were aired on local television and online, hospital CEO Stefanek issued a formal statement published on the hospital’s website, reporting that the hospital had paid the hackers 40 Bitcoins, or the equivalent of $17,000, and the cybercriminals had given Hollywood Presbyterian executives the key to restore their clinical information systems. Stefanek also said in that statement that the news reports of a $3.6 million demand for restoration were wildly exaggerated, and that the demand had been for only $17,000 to begin with.

Then, on Monday, March 28, The Washington Post reported that the 10-hospital, Columbia, Md.-based MedStar Health integrated health system’s clinical information system had had to be shut down because of a virus-based hacking attack. Further, on Thursday, March 31, The Baltimore Sun confirmed that the attack reported on that Monday had included a digital ransom note. In the following days, additional news reports, as well as statements by MedStar Health officials, described MedStar staff members’ attempts to restore the full functionality of their clinical information systems, while working at the same time to maintain as high a level of patient care service as possible.

And then on March 31, The San Diego Union-Tribune reported that Alvarado Hospital Medical Center in San Diego had been hit with a malware attack, as had Chino Valley Medical Center and Desert Valley Hospital in Victorville—in other words, three Southern California hospitals hit with malware attacks more or less at the same time. That same week, WSCH Radio reported that Kings Daughters Health in Madison, Indiana, had been hit by a ransomware attack, causing hospital executives to shut down all of its information systems in response.

What’s more, industry experts tell Healthcare Informatics that ransomware attacks are now occurring every single week at hospitals around the United States, with varying levels of effectiveness. In fact, say observers, the volume has reached a fever pitch in the past few months, though only a tiny percentage are leading to complete shutdowns of the clinical information systems, or even all the information systems, of hospital and health system organizations; and it is only those enterprise-wide shutdowns that are attracting mainstream media coverage.

So what is going on? And what are healthcare IT leaders doing to respond to this escalating phenomenon? We at Healthcare Informatics have spoken to a variety of senior healthcare and healthcare IT leaders, in patient care organizations and consulting firms, about the phenomenon. In this article, the first in a two-part series, we look at the landscape around the ransomware phenomenon, and the industry’s broad response to it. In part two, we will share healthcare IT leaders’ specific pieces of advice around what their peers should be doing right now to address this growing problem.

Is It a Crisis? And What Does It Mean If It Is a Crisis?

So to begin, is what is happening right now with the emergence of ransomware in healthcare a genuine crisis? What should it be called? “I don’t know that I would call it crisis mode, but I will say that it’s a very serious threat to the industry right now, primarily because it’s a very concerted effort on the part of the cyber criminals to take advantage of weaknesses in the industry that they figured out they could exploit fairly readily,” says Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm. “It has shone a bright light on the lack of preparedness in the industry for these kinds of attacks. The problem now is that it’s happening so frequently and randomly, so it’s not like you’re being attacked directly—everyone who is connected is being attacked.”

What’s more, McMillan says, “There are two things contributing to the success of these attacks. First is the lack of awareness” on the part of the end-users of clinical information systems in patient care organizations, including their lack of preparation to resist phishing attacks and other lures. Second, he says, is the “constant barrage against the network itself.” Senior healthcare IT executives and managers in U.S. patient care organizations are failing to optimally maintain, administer, and refresh their organizations’ information systems; failing at developing strongly proactive detection of threats in their environments; and failing to consistently react to and respond quickly and effectively, to incidents involving the infection or compromising of their information systems. In short, he says, “Folks are just not ready.”

And that’s true even though the phenomenon is not exactly new, even to healthcare. “Ransomware has been around for a while now,” says Ron Mehring, CISO (chief information security officer) at the 60-plus-hospital, Arlington-based Texas Health Resources health system. “Last year, there were lots of warnings being published by security vendors that they felt that there would be a growing amount of ransomware being populated across multiple industries, not just healthcare, but they did call out healthcare a little bit, because of some of the weaknesses that have been defined by multiple external organizations,” he notes.

What’s more, Mehring says, “The FBI had published a report a few years ago talking about the weakness in the healthcare industry. So, it kind of called it out and said healthcare is at risk, because, from a security posture perspective, there’s been a delay in getting more technologies and processes and things considered best practices and beyond, established in healthcare.” All that said, Mehring quickly adds that “Something real is going on, and I think that the threat is increasing as we see more ransomware out there and hitting more things than it normally would. The syndicates that run ransomware, they see opportunity and they will push to the weakest part of an industry and try to take advantage of that.”

CISOs who have come into healthcare from other industries agree that the healthcare industry appears to be particularly behind the curve in preparing for this menace. Fernando Blanco, who ten months ago joined the 50-plus-hospital Christus Health system, based in Irving, Tex., was a CISO in the consumer products industry prior to coming into healthcare. His perspective? “I think that information security was neglected for many years in hospitals, and investment was associated with perceived risk; and healthcare was considered a low-risk industry,” Blanco says. “Everyone thought that there was more risk related to financial information of consumers. Healthcare has been a little bit late to the game; but the high-profile hacks are changing that. You can get credit card information for 50 cents now, but a medical record is worth 50 bucks, so that’s changing things.” Still, he says, “We’re seeing the industry move in the right direction since the big breaches of last year. We’re seeing senior leadership providing the right level of attention to this. It’s top of mind for all CEOs and COOs now.” But, he adds, “These things come cheap. And if you cannot afford at least the minimum security measures, the basic blocking and tackling that allow you to sleep at night, you’re too vulnerable.”

Looking at the System-Wide Impact of Ransomware Attacks

One aspect of the ransomware phenomenon that many observers find particularly troublesome and challenging is the systemic nature of ransomware attacks, which separates ransomware from the “one-off” types of identity theft that have long been common in healthcare in the form of insiders stealing patients’ identities by accessing their individual patient records. “I think that what is most disturbing about this trend is that it is not a classic attack against patient records or customer records, for purposes of fraud,” says Natalie Lehr, vice president of analytics and co-founder of the Silver Spring, Md.-based TSC Advantage consulting firm, which advises organizations in several industries, including the energy industry, manufacturing, the mergers and acquisitions area, and healthcare. “Most people in America have come to accept that that type of attack is going to happen,” she says, referring to individual cases of identity theft and fraud. “In this case, with ransomware, the very system by which care is delivered, is under attack. So it’s not like you can protect one type of data and consider yourself sufficiently protected. Now, it is systemic.”

What’s more, there is a very different element related to time. “With these types of attacks, very little time elapses between when they penetrate the system and when they deliver the ransomware message,” Lehr notes. “So you have to prepare in advance, because you won’t have much time. So all your defenses need to be in place. And if you don’t have a very strong business continuity and governance structure plan in place, it can increase the time that it takes for you to recover, and the cost that it takes for you to recover.”

What Are the Core Elements in Preparedness?

All those interviewed for this article agree that the leaders of patient care organizations need to prepare proactively and strategically to meet the ransomware challenge, and that the ransomware phenomenon involves an unprecedented level and type of risk to the EHRs and other clinical and operational information systems on which U.S. patient care organizations now run.

What are some of the key elements of any good plan?

  • Above all, awareness, buy-in, and support, from the CEO and the c-suite of the patient care organization and from its entire board of directors, as well as from senior management across the enterprise
  • An information security/data security/cybersecurity strategic plan, fully articulated
  • In most cases, the use of external services, such as security operations centers (SOCs), and other external consultants and vendors, to support data security management and operations
  • As part of day-to-day operations, very frequent system-wide backups (possibly daily backups of at least portions of entire information systems, with annual, semi-annual, or quarterly testing of daily/frequent backup processes), behavioral monitoring and auditing processes, continuous updating of antivirus program signatures, continuous server patch updates, and the routinization of other operations-critical processes, with fail-safe verification processes in place
  • Stronger limits on role-based user access to file-shares, systems and networks
  • Intensive, comprehensive, continual education and training of all end-users of EHRs and other clinical and operational systems, especially including continual training around phishing
  • In most cases, the hiring and support of a CISO and data security team
  • Continuous budgeted funding sufficient for the above

John Petersen, an Albany, N.Y.-based manager at The Chartis Group, a Chicago-based healthcare consulting firm, has a lot to say about the day-to-day processes referenced in the above list. “Whether you’re a third party or whether you’re a hospital yourself, there are a lot of preventive types of activity that need to happen,” Petersen says, “from making sure you have the right anti-virus programs installed, to making sure that you have continuously updating signatures for those programs; there’s a lot of server patches that have to be happening. The signature updates to your antivirus software come out on a regular basis, sometimes weekly. The same thing with intrusion detection systems; those have updates on a regular basis, too. Now, patching, that in itself is more about fixing vulnerabilities on your workstations or servers. Every time Microsoft comes out with patches, typically on Tuesdays, those need to be fixed. And that’s a set of vulnerabilities that hackers typically take advantage of, and need to constantly be addressed; they’ll always be there.”

Time to Shift Away from a Compliance Mentality

More broadly, Petersen says, some of the lack of preparedness for the ransomware crisis among the leaders of patient care organizations has to do with the compliance mindset that he sees as still prevalent in many, if not most, U.S. patient care organizations today; that is particularly true around end-user education. “Organizations are really focusing on compliance with HIPAA [the Health Insurance Portability and Accountability Act of 1996] and privacy and security, but that’s not enough education,” he stresses. “They really need to have a broader cybersecurity training that is a continual approach that constantly gets updated and shows the users how to recognize and respond to these phishing attacks. These criminals are spraying organizations and people with e-mails to whoever will open them. And we’re talking about Locky—that is the one that hit Methodist Hospital and PrimeCare and Hollywood Presbyterian, and it came through e-mail phishing attacks.” Very specifically, Petersen says, the Locky virus has typically been unleashed when end-users open what appear to be vendor invoices or other attachments that appear blank; then a prompt tells the end-user to “press here to enable macros.” It is the enabling of macros that runs the malicious code embedded in the document, which installs the ransomware and starts encrypting the files that user can reach. It is for that reason that Petersen and other experts emphasize the very strong need for continual, rigorous training of end-users, focusing on phishing.
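Training is the human control; a technical control that belongs beside it is to keep macro-bearing attachments out of mailboxes in the first place. The following is an added example, not code from the article or from any of the organizations quoted in it. Modern Office documents (.docx, .docm, .xlsm and so on) are ZIP containers, and a document that carries VBA macros has a `vbaProject.bin` part and declares the `application/vnd.ms-office.vbaProject` content type; a mail gateway can check for both without opening the file in Office. The gateway hook, the verdict names and the sample documents are all constructed for the demonstration.

```python
"""Flag Office attachments that carry VBA macros before they reach a mailbox.

Added example; not from the article. The verdict strings and the
build_docx() helper are invented for the demo, and build_docx() produces
a minimal container, not a real Word file.
"""
import io
import posixpath
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppam"}
NON_MACRO_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML container has a VBA part, by member name or content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The VBA storage is always a part named vbaProject.bin (word/, xl/, ppt/ ...).
            if any(posixpath.basename(n).lower() == "vbaproject.bin" for n in names):
                return True
            # Belt and braces: the content-types manifest must also declare the part.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        pass
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return one of: not-ooxml, corrupt, clean, macro, macro-hidden."""
    ext = posixpath.splitext(filename.lower())[1]
    if ext not in MACRO_EXTENSIONS | NON_MACRO_EXTENSIONS:
        return "not-ooxml"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "corrupt"          # claims to be Office but is not a ZIP: quarantine, don't guess
    macro = has_vba_project(data)
    if macro and ext in NON_MACRO_EXTENSIONS:
        return "macro-hidden"     # VBA part behind an extension that promises none
    if macro:
        return "macro"
    return "clean"


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real Word document)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.'
                     f'openxmlformats.org/package/2006/content-types">{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA storage")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_docx(False)),
                       ("invoice.docm", build_docx(True)),
                       ("invoice.docx", build_docx(True)),
                       ("invoice.pdf", b"%PDF-1.4"),
                       ("invoice.docx", b"not a zip")]:
        print(f"{name:14} -> {classify_attachment(name, blob)}")
```

A gateway would typically quarantine `macro` and `macro-hidden` from external senders and let the rest through; legacy binary formats (.doc, .xls) need a separate OLE parser and are not covered here.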

As for system backups, many experts urge hospitals to back up their entire EHRs daily, in order to be able to resume operations as quickly as possible when a ransomware attack does hit. Experts have differing views on how often daily backup processes should be fully tested: certainly once a year, perhaps twice a year, or even quarterly, are among the options. Here’s what’s key about that question, Petersen says. “With these different ransomware viruses that are now coming in, when the user clicks on the link, either it will immediately encrypt the user’s c drives and ask for a ransom payment; that’s what the Locky virus does, but it also searches the network for the user’s available drives. If he has a thumb drive or a c-drive or other device, it will search for those. And the Sam virus may take six to nine months as it searches across the network for the data that’s most beneficial to the hackers.”
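The practical consequence of the network-drive behaviour Petersen describes is that a backup copy reachable through a mapped drive can be encrypted along with everything else, so a restore drill has to prove two things: that the copy is complete, and that its contents are still what was written. The following is an added example, not code from the article or from any organization it quotes. It records a SHA-256 manifest at backup time and, at test time, compares a restored tree against it; the drill builds a small tree in a temporary directory, then mimics on one copy what Locky does to a reachable share (overwrites a file in place, renames another with a `.locky` suffix). File names, directory layout and the `.locky` suffix are constructed for the demonstration.

```python
"""Restore drill: hash manifest at backup time, verification at test time.

Added example; not from the article. Assumes the backup copy itself lives
where a workstation's mapped drives cannot reach it. The sample tree and the
tampering in run_drill() are constructed for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    """Streamed SHA-256 so large EHR exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest: dict) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),          # gone or renamed
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(set(current) - set(manifest)),            # e.g. *.locky, ransom notes
    }


def is_intact(report: dict) -> bool:
    return not (report["missing"] or report["changed"] or report["extra"])


def run_drill() -> dict:
    """Snapshot a constructed tree, restore it twice, tamper with one copy, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ehr_export"
        (src / "notes").mkdir(parents=True)
        (src / "a.txt").write_text("progress note 1\n")
        (src / "notes" / "b.txt").write_text("discharge summary\n")
        (src / "notes" / "c.txt").write_text("lab results\n")
        manifest = build_manifest(src)          # store this outside the backed-up tree

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        clean_report = verify_restore(good, manifest)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "a.txt").write_bytes(b"\x8f\x12\x44\xa0 ciphertext stand-in")   # encrypted in place
        (bad / "notes" / "b.txt").rename(bad / "notes" / "b.txt.locky")         # renamed by the malware
        tampered_report = verify_restore(bad, manifest)

    return {"clean_ok": is_intact(clean_report), "tampered": tampered_report}


if __name__ == "__main__":
    result = run_drill()
    print("clean copy intact:", result["clean_ok"])
    for key, paths in result["tampered"].items():
        print(f"tampered copy, {key}: {paths}")
```

In production the manifest should be signed or stored on a system the backup job cannot write to; otherwise malware with write access to the share can rewrite the manifest along with the data and the check proves nothing.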

So testing one’s backups, whether they are daily or near-daily, is extremely important, Petersen says, as is an organization’s set of policies (and implementation around that set of policies) around privileging and access. Petersen says that the leaders of patient care organizations need to adopt considerably more rigorous, role-based systems of access that strongly limit individual users’ access, in order to contain the damage of ransomware and other malware attacks when they do happen.

Fundamentally, says TSC Advantage’s Lehr, one of the reasons that ransomware attacks, and malware attacks more generally, are so deeply problematic for patient care organizations in healthcare is that they are designed, through their introduction as phishing e-mails, to attack those organizations’ most vulnerable points of entry: the keyboards of end-users. “I think the difference with this trend involving ransomware is that the attackers are getting smarter with how they’re weaponizing end-users,” she says. “They’ve sort of weaponized human nature to get people to click on a link that then launches malware on the network. And then that clicking exposes not only their own device, but the other devices on the network. So end-users have to modify their own human nature and impulses” in order to help their organizations prevail over this threat.

Josh Wilda, vice president of information technology at Metro Health Hospital in Grand Rapids, Mich., puts it this way: “From what I’ve seen, the focus has always been, how could someone come in and propagate a virus across the organization and/or the focus has always been on data loss prevention, with PHI [protected health information] and HIPAA, and how could someone come in and steal that for their own personal gain? Now it’s totally different, in that they’re not stealing it: the data is there, the organization just can’t get to it. So we have to approach it differently. And it is easily propagated by end-user behavior as opposed to brute force and being hacked by someone, and usually we can see that happening (hacking). With this sort of thing, we only know it’s happening when someone calls and says that they just had access and now they don’t have access and they have a pop up window demanding a ransom to regain access.”
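Learning of an attack from a phone call is the failure mode Wilda describes; the point of the “behavioral monitoring” item in the preparedness list above is to learn of it from the file server first. The following is an added example, not code from the article or from Metro Health. It runs three rules over a file-server audit trail: a write or rename that produces a known ransomware extension, any touch of a planted decoy (canary) file, and a burst of writes or renames by one account inside a short window. The key=value log format, the field names, the decoy path, the thresholds and every log line are constructed for the demonstration; the `.locky` and `.zepto` extensions are ones Locky variants actually used.

```python
"""Spot ransomware activity in file-server audit events instead of waiting for the call.

Added example; not from the article. The log format is a hypothetical key=value
export; thresholds, canary path and sample lines are constructed for the demo.
"""
import posixpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = {".locky", ".zepto", ".encrypted"}
CANARY_PATHS = {"//fs01/clinical/_aaa_do_not_open.docx"}   # planted decoy, sorts first
BURST_THRESHOLD = 20                                         # write/rename ops per account
BURST_WINDOW = timedelta(seconds=60)
WRITE_OPS = {"RENAME", "WRITE", "DELETE"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse_line(line: str):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines) -> list:
    """Run the three rules; each rule fires at most once per account to keep alerts readable."""
    alerts, fired = [], set()
    recent = defaultdict(deque)          # per-user timestamps inside the sliding window

    def alert(ev, rule, detail):
        key = (ev["user"], rule)
        if key in fired:
            return
        fired.add(key)
        alerts.append({"user": ev["user"], "host": ev["host"], "rule": rule,
                       "at": ev["ts"].isoformat(), "detail": detail})

    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] not in WRITE_OPS:
            continue
        target = ev["new"] or ev["path"]
        if posixpath.splitext(target)[1].lower() in RANSOM_EXTENSIONS:
            alert(ev, "ransom-extension", target)
        if ev["path"] in CANARY_PATHS or target in CANARY_PATHS:
            alert(ev, "canary-touched", ev["path"])
        window = recent[ev["user"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            alert(ev, "write-burst", f"{len(window)} ops within {BURST_WINDOW.seconds}s")
    return alerts


def build_sample_log() -> list:
    """Constructed audit trail: three normal writes, then one account renaming files to .locky."""
    t0 = datetime(2016, 3, 28, 9, 14, 0)
    lines = [f"{(t0 + timedelta(seconds=i * 5)).isoformat()} user=msmith host=WS-0201 "
             f"op=WRITE path=//fs01/clinical/notes/progress_{i}.docx" for i in range(3)]
    for i in range(25):
        ts = (t0 + timedelta(seconds=30 + i)).isoformat()
        src = f"//fs01/clinical/notes/patient_{i:03d}.docx"
        if i == 4:
            src = "//fs01/clinical/_aaa_do_not_open.docx"      # the decoy gets hit too
        lines.append(f"{ts} user=jdoe host=WS-0142 op=RENAME path={src} new={src}.locky")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['at']} {a['user']}@{a['host']} {a['rule']}: {a['detail']}")
```

The extension rule is cheap but only catches families whose suffix is on the list; the canary and burst rules are what catch the next family, and the account they name is the one whose share access should be cut at once.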

In part two of this two-part series, experts share their perspectives on the role of CISOs, and healthcare IT leaders will share additional insights on what their peers can do to protect their organizations against ransomware attacks.
