Earlier this month, a Texas hospital was hit with a particularly loathsome virus. Leaders at Mount Pleasant, Tx.-based Titus Regional Medical Center found out on January 15 that a “ransomware” virus had encrypted files on several of the medical center’s database servers, blocking access to EMR data as well as the ability to enter data into the system.
In this kind of attack, the malware author demands a financial ransom to be paid for freeing up the data. TRMC didn’t disclose how much money the attacker(s) demanded, but it may have been an immense sum, because the hospital apparently thought that bringing in pricey security consultants and enduring several days of downtime was preferable to paying up. They also probably realized that paying the ransom is a slippery slope, and that there’s no guarantee those receiving the ransom money will actually permanently fix the problem.
It would be nice to think that this was just a passing fad, but researchers suggest that it’s not. In fact, US victims of ransomware reported losses of more than $18 million in 14 months, according to an FBI report issued in June.
According to one news report, the average ransomware demand is about $300 per consumer. The amount demanded goes up, however, when business or government organizations are involved. For example, when a series of small police departments in Massachusetts, New Hampshire and Tennessee were hit with a ransomware attack tying up their key databases, they ended up paying between $500 and $750 to get back access to their data. One can only imagine what a savvy intruder familiar with the life-and-death demand for health information would charge to free up an EMR database or laboratory information system data store.
But the threat isn’t just to enterprise assets. Not only are hospital enterprise network attacks via ransomware likely to increase, but these exploits could also take place via wearables or medical devices in 2016, according to technology analyst firm Forrester Research. Such attacks don’t just use medical devices to reach databases; Forrester predicts that some ransomware attacks will disable the medical devices themselves.
Given how important mobile technology has become to healthcare, it’s worth noting that ransomware is increasingly targeting mobile devices as well. For example, a recent strain of Android virus known as Lockdroid ransomware is now afoot. While it has no direct healthcare implications, one of the things it does is threaten to send a user’s browsing history to friends and family unless they pay the ransom. The victim, who may get tricked into allowing malicious code to gain admin privileges on their device, could end up having their personal data — and perhaps data from an EMR app — sent wherever the attacker chooses.
It seems to me that the ransomware threat will push healthcare organizations to mirror their core data assets in new and heretofore unheard of ways. HIT departments will have to bring disaster recovery methods and network intrusion defenses to bear to prevent the worst possible outcome — a hack that kills one or more patients — and quickly. Meanwhile, if a company specializing in protecting healthcare firms from ransomware doesn’t exist yet, I suspect one will exist by the end of 2016.