In October 2020, the University of Vermont (UVM) Medical Center suddenly began experiencing significant problems with its computer network. The IT staff at UVM sprang into action and soon discovered what they had feared – a file containing instructions for how to contact the creators of the problem. It was a carefully orchestrated cyberattack and the UVM Medical Center’s most critical systems were being held for ransom. A hospital ransomware attack had come to UVM.
Thankfully, the quick actions of UVM’s IT team localized the spread of the malicious software and hospital management chose not to pay the ransom. However, the impacts were far-reaching. Electronic health records (EHRs), payroll systems and other key elements of UVM’s network were knocked out for weeks. Surgeries were cancelled. Patients were sent elsewhere for treatment. Staff didn’t know which patients were scheduled for appointments, or when. After three weeks of working 24/7 to “scrub” the network – and an estimated $50 million in lost revenue – UVM was finally virus free.
Doug Gentile, MD, UVM’s chief medical information officer, summed up the experience and offered a warning for hospitals everywhere. “If cybersecurity isn’t one of your top two priorities, it needs to be. If you don’t have a very robust security profile, you’re likely to get hit.”
The Rise of Ransomware Attacks in Healthcare
UVM’s story is not unique. In fact, the first reported ransomware attack way back in 1989 targeted the healthcare industry. However, hospital ransomware attacks and other cybercrimes have soared in frequency around the globe in recent months. A survey of IT professionals found that 34% of healthcare organizations worldwide were affected by ransomware during 2020. Another source has noted a 45% increase in attacks just since November 2020.
The same pattern is apparent in the United States. A study by Comparitech found that more than 600 healthcare organizations nationwide were hit in 92 separate ransomware attacks in 2020. Roughly 18 million patient records were affected and the combined cost of the hospital ransomware attacks was estimated at $21 billion. The healthcare industry is under siege and the challenge is daunting. Research commissioned by Sophos found that 41% of IT decision-makers surveyed expect to be attacked in the future and only 24% feel safe from future attacks.
Why Are Ransomware Attacks Targeting Hospitals?
The growing focus by cybercriminals on the healthcare industry is galling to many. After all, shouldn’t healthcare systems be afforded a certain degree of deference, something like a red cross on a battlefield? While some cybercriminal organizations appear to have scruples about such things, most do not.
The Ryuk group, for example, has been traced to one-third of the 203 million cyberattacks known to have occurred in the U.S. in 2020. Healthcare organizations are among their targets. In the past three years, the Ryuk group has attacked 235 hospitals and made off with $100 million of ransom in the last year alone. They are just one of many players now in the game.
Sadly, hospital ransomware attacks are an especially attractive strategy for cybercriminals. The presence of so much sensitive patient information – including social security numbers – makes hospitals hard to resist. Plus, cybercriminals know that the stakes involved give them added leverage. According to Amar Yousif, the chief information officer at UTHealth in Houston, “Attackers understand that we’re talking about life and death. There’s a great incentive to just pay and get the thing unlocked so we can treat patients.”
3 Ways to Defend Against Hospital Ransomware Attacks
The attacks may be inevitable but the outcome is not. There are many things that hospitals can do to mount a formidable defense against ransomware attacks. Generally speaking, they fall into three categories.
Ransomware Defense #1: Employee Training
Organizations that educate employees about the hazards of cyberattacks – and how to resist them – are far less likely to be victimized. The security awareness training gurus at KnowBe4 found a way to measure the impact. KnowBe4 found that computer-based training and simulated phishing tests can dramatically reduce the phish-prone percentage (PPP) of a user population over time. After 90 days of training, the PPP of test companies dropped by 60%. After 12 months of training and testing, the PPP rate was reduced an average of 87% from the baseline.
Ransomware Defense #2: Network Segmentation
In IT parlance, network segmentation involves dividing a larger network into smaller sections that have only limited amounts of inter-connectivity between them. Doing so effectively limits the attacker’s freedom of “lateral” movement within the network. Threats are easier to contain and data is easier to protect. Network segmentation also has the added benefit of improving network performance by reducing user congestion and tends to narrow the scope of audits and compliance requirements, making both less onerous.
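To make the "limited inter-connectivity" point concrete, here is an added example (not code from the article or from Taylor Healthcare) that models a hospital network as named segments with a deny-by-default flow policy, then computes how far an intruder who controls one segment could move laterally. The segment names, ports and allowed flows are constructed for illustration; the comparison against a flat, unsegmented network shows why segmentation shrinks the blast radius.

```python
"""Toy model of network segmentation as a lateral-movement limiter.

Added example; segment names, ports and the policy are constructed.
"""
from collections import deque
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Allowed inter-segment flows: (source, destination) -> permitted TCP ports.
# A value of None means "any port". Pairs not listed are denied (deny-by-default).
Policy = Dict[Tuple[str, str], Optional[FrozenSet[int]]]

SEGMENTS: Tuple[str, ...] = (
    "clinical-workstations", "ehr-app", "ehr-db", "print-servers",
    "backup-server", "guest-wifi", "medical-devices", "internet",
)

# Constructed example policy: each segment may only talk to what it needs.
SEGMENTED_POLICY: Policy = {
    ("clinical-workstations", "ehr-app"): frozenset({443}),
    ("clinical-workstations", "print-servers"): frozenset({631}),
    ("ehr-app", "ehr-db"): frozenset({5432}),
    ("backup-server", "ehr-db"): frozenset({5432}),
    ("guest-wifi", "internet"): frozenset({80, 443}),
}


def flat_network(segments: Tuple[str, ...]) -> Policy:
    """Policy for an unsegmented network: every segment reaches every other on any port."""
    return {(s, d): None for s in segments for d in segments if s != d}


def flow_allowed(policy: Policy, src: str, dst: str, port: int) -> bool:
    """True if the policy permits a connection from src to dst on the given port."""
    if src == dst:
        return True  # intra-segment traffic is not filtered by this model
    ports = policy.get((src, dst))
    if ports is None:
        # None as a stored value means "any port"; a missing key means "denied".
        return (src, dst) in policy
    return port in ports


def reachable_from(policy: Policy, segments: Tuple[str, ...], start: str) -> Set[str]:
    """Breadth-first search over segments following permitted flows.

    Returns every segment an intruder controlling `start` could reach,
    directly or by hopping through intermediate segments. This is the
    lateral-movement blast radius under the given policy.
    """
    seen: Set[str] = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in segments:
            if nxt in seen:
                continue
            ports = policy.get((cur, nxt), frozenset())
            edge = (cur, nxt) in policy and (ports is None or len(ports) > 0)
            if edge:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    for start in ("guest-wifi", "clinical-workstations"):
        seg = reachable_from(SEGMENTED_POLICY, SEGMENTS, start)
        flat = reachable_from(flat_network(SEGMENTS), SEGMENTS, start)
        print(f"{start}: segmented reaches {len(seg)}/{len(SEGMENTS)}, flat reaches {len(flat)}/{len(SEGMENTS)}")
```

Running the script shows a compromised guest-wifi client reaching only the internet segment under the constructed policy, versus all eight segments on the flat network. A real review would build the policy from the firewall or VLAN ACL configuration rather than hand-writing it, but the same reachability check applies.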
Ransomware Defense #3: Back-ups
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Department of Health and Human Services (HHS) recently published a Joint Cybersecurity Advisory document entitled Ransomware Activity Targeting the Healthcare and Public Health Sector. One of their key recommendations focused on back-up strategies as a defense against hospital ransomware attacks. Specifically, CISA advised that healthcare organizations adopt a 3-2-1 approach to back-ups. That is, save three or more copies of all critical data in at least two different formats with one copy stored entirely offline – safely out of reach of cybercriminals.
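The 3-2-1 rule is easy to state and easy to drift away from, so here is an added example (not from the advisory, the article or Taylor Healthcare) that audits a backup inventory against it: at least three copies, at least two distinct media, at least one copy offline. The inventory records and the `BackupCopy` fields are constructed for illustration. It goes one step beyond the article's statement of the rule by also flagging copies whose last successful restore test is older than a configurable threshold, since an unrestorable backup does not help during an outage; treat that extra check as this example's own addition.

```python
"""Audit a backup inventory against the 3-2-1 rule.

Added example; the inventory records below are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                         # e.g. "disk", "tape", "object-storage"
    offline: bool                       # True only if unreachable from the production network
    last_restore_test: Optional[date]   # date of the last verified restore, or None


def check_3_2_1(copies: List[BackupCopy],
                max_restore_test_age_days: int = 90,
                today: Optional[date] = None) -> List[str]:
    """Return a list of findings; an empty list means the inventory passes.

    The first three checks are the 3-2-1 rule itself. The restore-test check
    is an added operational check, not part of the rule as stated.
    """
    findings: List[str] = []
    today = today or date.today()

    # "3": three or more copies of the critical data.
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies recorded; 3-2-1 requires at least 3")

    # "2": copies spread across at least two different media/formats.
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies are on one medium ({', '.join(sorted(media)) or 'none'}); need at least 2")

    # "1": at least one copy fully offline. A copy on a share reachable from
    # the production network can be encrypted alongside the originals.
    if not any(c.offline for c in copies):
        findings.append("no copy is offline; every copy is reachable from the production network")

    # Added check: a backup that has never been restored is an assumption, not a defense.
    stale = [c.name for c in copies
             if c.last_restore_test is None
             or (today - c.last_restore_test).days > max_restore_test_age_days]
    if stale:
        findings.append(f"restore test missing or older than {max_restore_test_age_days} days: {', '.join(stale)}")

    return findings


# Constructed inventory that satisfies the rule.
GOOD_INVENTORY = [
    BackupCopy("nightly-disk-snapshot", "disk", offline=False, last_restore_test=date(2021, 3, 1)),
    BackupCopy("cloud-replica", "object-storage", offline=False, last_restore_test=date(2021, 2, 15)),
    BackupCopy("weekly-tape-vaulted", "tape", offline=True, last_restore_test=date(2021, 1, 20)),
]

# Constructed inventory that looks like "we have backups" but fails every check.
WEAK_INVENTORY = [
    BackupCopy("primary-nas-copy", "disk", offline=False, last_restore_test=None),
    BackupCopy("secondary-nas-copy", "disk", offline=False, last_restore_test=None),
]


if __name__ == "__main__":
    for label, inv in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        result = check_3_2_1(inv, today=date(2021, 3, 15))
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Passing `today` explicitly keeps the audit reproducible; in a scheduled job it would default to the current date. The offline flag is deliberately strict: a second copy that the backup server can write to over the network does not count, because the same credentials the ransomware operator obtains can usually reach it too.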
Taylor Healthcare Is In The Fight Against Ransomware
Taylor Healthcare has long been a leader in communications products and services for the healthcare industry. This expertise extends to digital communications technologies. DowntimeDoc™, available only from Taylor Healthcare, is engineered to complement a hospital’s EHR during unscheduled downtime periods like those that result from a ransomware attack.
With DowntimeDoc, a hospital or clinic can maintain normal operations without sacrificing efficiency or the quality of patient care – regardless of the status of its network or power supply. Registrars can search patient records and print admissions packets while the admission, discharge and transfer (ADT) system is down. Nurses can print forms, wristbands and labels, complete with patient demographics and barcodes. Physicians can access condition-specific protocols and continue to provide the same level of care as if the network were still live. By providing an effective “fourth defense” against hospital ransomware attacks, DowntimeDoc is helping to tip the balance of power in the fight against cybercrime.