
By Nadia ElKaissi, CHTM
Picture this: A hospital’s Picture Archiving and Communication System (PACS) vendor was notified that all of its servers had shut down unexpectedly, leaving all patient data inaccessible. After a swift investigation, it was discovered that the entire system had fallen victim to a ransomware attack, leaving sensitive patient data exposed. The hackers threatened to sell the data if a ransom was not paid within 48 hours. In an attempt to quickly prevent the leakage of data, the vendor paid the gang $50 million. Although there was assurance that the data would be deleted once the debt was paid, there was no guarantee that the hackers would delete all of it. Then the hackers announced that they had not deleted the data and would be selling it on the Internet. Faced with this additional dilemma, the vendor was left asking: was it the right choice to pay the ransom? What is the correct way to handle a ransomware attack?
Today, health care is constantly evolving, and technology is advancing to support patient care. However, the dependence on interconnected systems presents additional vulnerabilities that, if not remediated, can open the doors to hackers. Understanding the risks associated with a product is becoming a necessary step before procurement. Prior to installation, hospitals should set plans to address all situations regarding the system. They should understand how to protect their new advanced systems and how to react when an attack occurs. With the increasing number of cyberattacks on hospital systems, the initial instinct is to pay the ransom. Although this reaction is intended to regain control, yielding to demands fails to guarantee a resolution. It also perpetuates a cycle of extortion and poses significant risks to patient safety and data integrity.
Before delving into why a strong cybersecurity program is necessary to ensure the protection of patient data, it is important to understand why a reactive approach during a cyberattack is not always ideal. As discussed above, many initial reactions are to pay the ransom and secure the data. While this may be the quicker solution, there is no guarantee that the hackers will keep the promises that were made. In fact, hackers may take the money and disappear without fulfilling the promise, which would result in a permanent loss of patient data. In addition, the payment essentially funds criminal activity, which gives hackers an incentive to find more ways to attack a vulnerable organization. Lastly, paying the hacker does not solve the underlying problem, which is to address the vulnerabilities that led to the attack. Without addressing these weaknesses, hospitals and vendors will remain susceptible to future attacks, leading to the exposure of additional patient data. These are only a few of the reasons to avoid a reactive approach, but they all point toward the same goal: developing a strong cybersecurity strategy.
Ransomware attacks are a loud wake-up call for organizations to invest in a strong cybersecurity program. It is imperative that hospitals focus on areas such as evaluating the needs of the system, performing frequent penetration testing, educating staff on cybersecurity, and establishing response protocols. As hospitals integrate more solutions, they should be deploying firewalls, implementing strong antivirus software, installing an intrusion detection system, and performing regular monitoring and audits to address weaknesses. Penetration testing and developing a patch management system are additional requirements that will help strengthen security and close any holes in the system.
In addition, staff should be continually trained on the importance of cybersecurity and on recognizing phishing or suspicious links. Human error is one of the most significant cybersecurity threats; therefore, continuous training will hopefully reduce the likelihood of an attack on a health care system. Finally, a hospital should build a strong incident response plan for the event of a breach. This will ensure a less reactive approach if the plan includes protocols to minimize the damage and detailed steps to restore normal operation.
A strong cybersecurity strategy starts with developing proactive measures. Implementing strong measures can significantly reduce the risk of falling victim to hacker exploits and ensure the integrity of the system and patient data. While the temptation to pay the ransom may offer a temporary solution, it does not solve the overall problem of why the system was attacked and how to prevent additional attacks from occurring. No plan is perfect, but having a strong program that constantly monitors and audits hospital systems will help reduce the probability of an attack and provide more oversight of the products in the hospital. Only through a collective commitment to proactive cybersecurity can hospitals ensure the safeguarding of patient data.

