For any industry, a ransomware attack can be an IT nightmare. But in the health care environment, an attack brings additional concern: it can trigger a patient safety crisis.
Ransomware and other types of malicious software programs (malware) infiltrate an organization’s network and propagate through connected devices and systems. Once these programs gain entry to the network, they encrypt data to disable user access, software and IT assets. For a hospital or health system, the attack could disrupt health care delivery operations, placing patients at risk.
The significant and broad implications to patient care associated with ransomware and related cybersecurity threats prompted ECRI Institute to designate this topic as the Number 1 concern in its report detailing the “Top 10 Health Technology Hazards for 2018.”
The Nature of An Attack
Multiple ransomware and other malware variants have infected health care organizations, as well as other private and public organizations, throughout the world. This form of malware uses encryption to essentially disable software-based devices and systems.
Encryption is a way of making data available only to parties that hold an appropriate “secret” or key. Encrypting data for storage (“at rest”) and for transmission (“in transit”) are both accepted best practices across industries. What ransomware programs do is forcibly encrypt data without the owner’s consent, which makes the data inaccessible to normal users. In the case of ransomware, hackers request payment, often in Bitcoin (a virtual currency that is difficult to trace), in exchange for a decryption key that will allow victims to regain access to their data.
In reality, though, paying a ransom does not guarantee that functionality or data will be restored. In at least some attacks that have been characterized as ransomware, systems have instead been infected with a wiper virus that destroys, rather than encrypts, the victim’s files. Also, some advanced ransomware reportedly has rendered certain devices useless, requiring device or hard disk replacement. (It is recommended that organizations faced with a ransom demand contact their local Federal Bureau of Investigation office for guidance.)
The Effects on Patient Care
In a health care environment, a malware attack can significantly impact patient care on multiple fronts.
Most notably, malware can render health IT systems unusable. This includes electronic medical records and other clinical systems, as well as administrative, email, ordering, inventory and materials management, financial information and scheduling systems.
Similarly, an attack can prevent access to patient data and records, in some cases even affecting access to online backups. Malicious software likewise can affect the functionality of hospital workstations and networked medical devices.
Less obviously, malware can affect building and infrastructure systems (e.g., heating, ventilating and air-conditioning). Also, third-party services that have themselves been affected by the attack – such as dictation services or other web-based services – can become unavailable to the facility. Or it could disrupt the supply chain for drugs, supplies or devices.
Consequences for health care facilities can include being forced to alter workflows (e.g., reverting to the use of paper records), cancel procedures or even close entire care units. Additionally, equipment and systems can be damaged and sensitive data can be exposed. All such outcomes can have significant financial implications. Ultimately, the disruptions can compromise or delay patient care, leading to patient harm.
Tips for Being Proactive
ECRI Institute’s full report, published in November, details 39 distinct steps to help health care facilities address the threats associated with ransomware and other malicious software programs. Chief among the recommendations, according to Juuso Leinonen, a senior project engineer in ECRI Institute’s Health Devices Group, are three actions for senior leadership:
Define high-level security goals for the organization, and institute a practical plan for achieving those goals.
Allocate appropriate resources – in terms of people and budget – to the ongoing management of cybersecurity efforts within your organization.
Facilitate collaboration across departments. Cybersecurity threats are not just an IT problem, particularly in health care organizations.
In fact, staff at all levels of the organization have a role to play. Clinical engineering and IT staff, for instance, should work together to:
- Identify and address medical device vulnerabilities.
- Maintain accurate medical device software and network connectivity information, including details about which devices and systems include protected health information (PHI).
- Frequently back up data from IT assets and test recovery system functionality.
- Apply validated software updates to medical device systems, when practicable.
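The two middle items above – keeping an accurate inventory that records which systems hold PHI, and backing up frequently while actually testing recovery – are the ones a facility can check mechanically. The script below is an added example written for this article, not ECRI Institute’s tool or any vendor’s product: the asset names, dates and policy thresholds are constructed for illustration. It flags inventory entries whose backup or restore test is older than policy allows (PHI systems are reported at higher severity), and it exercises a real backup round-trip by recording a SHA-256 digest at backup time, restoring into scratch space and comparing, so that a backup that was silently encrypted or corrupted fails the test instead of being discovered during an outage.

```python
"""Inventory staleness report and backup restore test (added example; hypothetical names)."""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from datetime import date
from pathlib import Path
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str                          # device or system name
    contains_phi: bool                 # holds protected health information?
    last_backup: Optional[date]        # None = never backed up
    last_restore_test: Optional[date]  # None = recovery never exercised


# Constructed sample inventory; these devices and dates are made up for illustration.
SAMPLE_INVENTORY = [
    Asset("infusion-pump-gateway", True, date(2018, 1, 3), date(2017, 12, 20)),
    Asset("scheduling-server", False, date(2017, 11, 1), None),
    Asset("pacs-archive", True, date(2018, 1, 4), date(2018, 1, 4)),
]


def overdue_assets(inventory: List[Asset], today: date,
                   backup_max_days: int = 7,
                   restore_test_max_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (asset, reason, severity) for every stale backup or restore test.

    Thresholds are policy choices for this example; PHI systems are marked "high".
    """
    findings = []
    for a in inventory:
        severity = "high" if a.contains_phi else "normal"
        if a.last_backup is None or (today - a.last_backup).days > backup_max_days:
            findings.append((a.name, "backup overdue", severity))
        if (a.last_restore_test is None
                or (today - a.last_restore_test).days > restore_test_max_days):
            findings.append((a.name, "restore test overdue", severity))
    return findings


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def back_up(source: Path, backup_dir: Path) -> Tuple[Path, str]:
    """Copy source into backup_dir and return the copy's path plus the source digest.

    Store the digest separately from the backup (e.g., offline) so that malware
    which reaches the backup location cannot also rewrite the expected value.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / source.name
    shutil.copy2(source, dest)
    return dest, sha256_file(source)


def restore_test(backup_path: Path, expected_digest: str) -> bool:
    """Restore the backup into scratch space and confirm it matches the recorded digest."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / backup_path.name
        shutil.copy2(backup_path, restored)
        return sha256_file(restored) == expected_digest


def demo_round_trip() -> Tuple[bool, bool]:
    """Round-trip a constructed file, then corrupt the backup and test again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "records.db"
        src.write_bytes(b"constructed sample record data\n" * 100)
        backup, digest = back_up(src, Path(work) / "backups")
        clean = restore_test(backup, digest)
        backup.write_bytes(b"\x00" * 10)   # simulate an encrypted or corrupted backup
        corrupted = restore_test(backup, digest)
        return clean, corrupted


if __name__ == "__main__":
    for name, reason, severity in overdue_assets(SAMPLE_INVENTORY, date(2018, 1, 5)):
        print(f"{severity:6} {name}: {reason}")
    print("restore test (clean, corrupted):", demo_round_trip())
```

Run as a script it lists the scheduling server as overdue on both counts and reports the round trip as (True, False): the clean restore matches, the tampered backup does not. In practice the inventory would come from the facility’s asset management system rather than a constant, and the restore test would be run against a real backup target on a schedule tied to the policy thresholds.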
Additionally, all personnel should follow security best practices, as outlined by the organization’s IT department. For example, staff and other personnel should be instructed:
- Not to click on links or attachments in suspicious emails.
- Not to use computer-like medical devices for email or web browsing. (Medical devices should not be used to access the Internet except as part of a normal workflow.)
- To follow organizational policies regarding the use of USB drives (e.g., thumb drives).
- To report any identified issues with networked devices (e.g., computers, workstations) to the IT or clinical engineering help desk.
In addition to the discussion in its “Top 10 Health Technology Hazards” report, ECRI Institute has published a free public resource – Ransomware Attacks: How to Protect Your Medical Device Systems – to aid health care facilities in tackling ransomware with medical devices.
Stay tuned for the next issue of TechNation, where more hazards from the list are uncovered.
This article supplements ECRI Institute’s Top 10 Health Technology Hazards for 2018. An executive brief of the report can be downloaded from ECRI Institute as a free public service. The full report, which includes detailed problem descriptions and recommendations for addressing the hazards, requires membership in certain ECRI Institute programs or separate purchase. For more information, visit www.ecri.org/2018hazards, or contact ECRI Institute by telephone at 610-825-6000, ext. 5891, or by email at clientservices@ecri.org.