Remember the days of healthcare staff pulling paper records out of files, trying to decipher doctors’ handwriting and faxing info back and forth? It seems archaic, but the fact that this was the status quo just a decade ago goes to show how quickly and completely the healthcare system has been transformed, thanks to digitalization and the rise of electronic medical records.
Hospitals, healthcare providers and patients now have easy access to the data they need to provide better care to patients and make their operations more efficient than ever. Doctors and hospital staff have become reliant on being able to access data instantly, in or out of the medical facility, just by logging into a secure portal via computer, tablet or smartphone.
Unfortunately, malware writers have learned that hospitals’ dependence on computerized systems makes them a soft target. Medical identity theft has doubled in the last 5 years, to 2.3 million adult victims in 2014, says the Ponemon Institute. Just since February, at least a dozen hospitals have been targeted by ransomware, a type of malware that encrypts and locks access to data until the data’s owner pays a ransom, usually in bitcoins. Ransomware attacks threaten not only hospitals’ immediate operational efficiency, but also their ability to care for patients, their financial assets and their reputation.
As with other viruses and types of malware, ransomware’s point of entry into a system is usually human error. Phishing emails entice an unsuspecting (and possibly poorly trained) employee into clicking on a link, which allows the malware to enter the network and begin doing its damage.
High-profile ransomware attacks hit the news
The first high-profile attack this year was on Hollywood Presbyterian Hospital, which paid nearly $17,000 (U.S.) in ransom in early February to regain access to its medical records. Since then we’ve seen ransomware attacks on hospitals in Canada, Germany and several U.S. states. The Ottawa Hospital Network fared better than Hollywood Presbyterian – because it had a strong backup system it was able to restore its data without having to pay a ransom.
MedStar, a health system in the Washington, D.C., area, isn’t saying it was hit with ransomware on March 28, only that a virus had disabled access to its patient data. However, hospital staff told reporters about a ransom-demanding popup message demanding payment in bitcoins. Worse yet, as a nurse told the Washington Post, because the system outage delayed lab results, one patient stayed on a powerful antibiotic long after it should have been discontinued.
Norfolk General Hospital’s website was hacked to spew out ransomware to anyone who visited the site. Fortunately, the hospital was alerted quickly and took its systems offline before further damage was done to its reputation.
In addition to Hollywood Presbyterian, Ottawa, MedStar and Norfolk General, a quick glance at media reports uncovers many other healthcare organizations that have been hit with ransomware attacks this year, including:
- Three California hospitals owned by Prime Healthcare Services (Alvarado Hospital Medical Center, Chino Valley Medical Center and Desert Valley Hospital)
- Kings Daughters Health in Indiana
- Methodist Hospital in Kentucky
- Los Angeles County health department
- At least two German hospitals (Lukas Hospital and Klinikum Arnsberg Hospital)
- Titus Regional Medical Center in Texas
Given how many attacks we’ve already seen this year, I wouldn’t expect them to slow anytime soon.
Mobile devices and ransomware: What’s the threat?
So far, computers and workstations have been a bigger entry point than mobile devices for successful ransomware attacks, but don’t bet on that trend holding up. Because of a smartphone’s smaller screen, it can be hard to read text carefully, and we generally use our phones as we move through our days, only half paying attention to what’s on the screen. This makes it very easy to accidentally tap a malicious link that pops up on a mobile device.
And hospitals know that they’re at risk: Only 1 in 4 healthcare organizations are very confident that their data assets are protected from unauthorized access via mobile devices, according to BlackBerry’s Mobile Risk Tolerance Survey from 2014. According to that same survey, 63% of healthcare organizations say that mobile devices are the weakest link in their enterprise security framework.
Hospitals also know that mobile devices promise to be one of the best ways to improve collaboration and communication in healthcare. Enabling healthcare providers to securely communicate critical patient and operational information wherever they are is a huge boost to patient care, hospital efficiency and staff satisfaction.
While there’s a lot that healthcare organizations can and must do to protect their data, the benefits of mobile healthcare – even (and maybe especially) of the BYOD variety – far outweigh the risks, whether from ransomware or other threats. And that’s something you can bet on.
Mobility gives healthcare organizations a way to efficiently deliver the best quality patient care. However, with so many issues to consider, how do decision makers create a solid game plan for adopting secure mobility in healthcare? The BlackBerry Guide to Mobile Healthcare is a great start. Get your free copy, just by filling out the form on this page.
Security standards around connected medical devices are woefully lacking, but that’s about to change. Don’t miss the unveiling of DTSec, the first consensus cybersecurity standard for medical devices with security and assurance requirements, by BlackBerry Chief Security Officer David Kleidermacher. It’ll happen May 23-24 at MEDSec 2016, the first international conference covering security and privacy for the Internet of Medical Things. Learn more and register today at MEDSecMeeting.org.