We tell our children, “Don’t take candy from strangers.” Today that advice must be extended to, “And don’t open attachments or click on links from strangers.”
Hospitals have been having a tough time lately with ransomware — a type of computer malware that restricts access to the infected computer system. It demands the user pay a ransom to the malware operators in order to remove the restriction.
MedStar, which operates the biggest chain of hospitals in the Baltimore-Washington area, on Monday temporarily shut down its network to prevent further spread of a virus, according to the company. The virus paralyzed some operations at Washington-area hospitals and doctors’ offices, leaving patients unable to book appointments and staff unable to get into their email accounts. The Associated Press reports that activity slowed as staff had to go back to paper charting. While patient care does not appear to have been affected and patient data is not known to be compromised, the FBI is investigating.
Last month, Hollywood Presbyterian Medical Center paid $17,000 for a ransomware decryption key. Since then, there have been more reports about other hospitals being affected.
Hospitals are not only incredibly vulnerable to ransomware, but prime targets. Some forms of ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key. Others simply lock the system and display messages intended to coax the user into paying.
If a hospital chooses to pay the ransom, or negotiate terms for the release of its data, it will not be the first health-and-safety organization to do so. When a number of small police departments in Massachusetts, Tennessee, and New Hampshire were hit with separate ransomware attacks, all three paid between $500 and $750 to get their data back. Those departments paid because the data they’d lost was essential — and federal law-enforcement attempts to defeat the ransomware were unsuccessful.
Hackers have upped the ante, with hospital systems now their prime target.
Ransomware developers are going after businesses and organizations that are heavily data- and document-driven. Hospitals are considered critical infrastructure, and their computer security is generally considered poor. Since these types of infections target documents, who better to attack than those who rely on them, such as hospitals, lawyers, and architects? If any of these types of businesses have their documents encrypted, it could literally halt the entire operation of the company and potentially put them out of business.
Even scarier for hospitals and medical practices: it literally puts patients at risk when doctors are unable to access patient records, radiology, and lab test results.
It’s a fair bet that as ransomware attacks and attackers mature, these schemes will become more targeted. As that happens, I worry that attackers will take a bit more time to discern how much the data they’ve encrypted is actually worth — and precisely how much the victim might be willing to pay to get it back.
In other words, the ransom game has been ratcheted up a few notches.
An old-school solution is simply to go back to paper charts, which is what it appears MedStar is doing while it gets its systems back up and running. Doctors hate computer charts. Those charts are known for their lack of “usability.” Physicians know that their acquisition has been driving the desire to optimize billing.
In addition, online records don’t improve patient safety, are costly in terms of money and time, and only give the illusion of communication between practitioners. This sort of extortion would go away overnight if we reverted — as the British have done — to paper charts. But given the investment that the U.S. government and hospital systems have made over the last decade, tens of billions of dollars, that just won’t happen.
As a practicing physician who is forced to use unwieldy electronic health records (EHR), I can dream.
Infections are inevitable. In hospitals, the number of entry points continues to expand and complexity continues to increase. Unfortunately, users will continue to be tricked into downloading and activating bad software, and the “bad guys” will continue to adapt to more advances in protection.
Hospital IT is also notoriously inflexible. In one hospital system I work in currently, I often can’t find the decision maker on a case, let alone get customized solutions to my problems. Some hospital systems also rely on old versions of software and have multiple programs tacked onto their EHR — such as a radiology image viewer that only works on early versions of Internet Explorer.
The reflex response to these problems is to outsource all IT to a big vendor with a deep enough pocket to catch the trouble. But that’s really expensive. It may be too expensive today for cash-strapped hospitals.
Again, what really slows down hospitals is a high degree of attention to “cyber hygiene” — using cyber security best practices for anything and everything that connects to the web, including security in hardware, software and IT infrastructure, continuous network monitoring, and employee awareness and training — by everybody using computers. But since most hospitals have a hard time getting people to wash their hands before touching patients, cyber hygiene isn’t a fiscal and operational priority.
Robert Browning in his poem “The Faultless Painter” said, “Less is more.” Paper charts are looking better all the time.
Dr. Ramin Oskoui, a cardiologist in the Washington, D.C., area, is CEO of Foxhall Cardiology PC.