By Greg Slabodkin
There is a ransomware epidemic spreading across the health care industry, encrypting computer files and holding health data hostage until a ransom is paid. Other industries are vulnerable to this file-encrypting malware, but hospitals, in particular, are being targeted by cybercriminals.
Earlier this month, the WannaCry ransomware compromised more than 300,000 computers in at least 150 countries, paralyzing computer systems at medical facilities throughout the United Kingdom. Closer to home, a devastating April 9 ransomware attack on the Erie County Medical Center brought this growing cyberthreat to Western New York.
The ransomware variant that hit ECMC last month is not linked to the malware variant that hit health care organizations globally. However, the CEO of GreyCastle Security, the firm the hospital hired to help restore ECMC’s systems, has called the Buffalo hospital’s incident “one of the largest attacks in history.”
The attack on ECMC was so devastating that it took weeks for the 602-bed hospital to begin bringing its information systems back online. Now, more than six weeks after the incident, the hospital’s systems are still not fully operational. ECMC officials insist that at no time were medical records compromised or was patient care or safety put at risk.
To its credit, ECMC made the decision not to pay the ransom demanded by cybercriminals. Still, by holding valuable health data hostage, cybercriminals have turned ransomware into a business more lucrative than other kinds of malware. The question confronting the health care industry is: to pay or not to pay the ransom?
The stakes are high for health care organizations hit by ransomware, with data for thousands of patients potentially gone forever. The loss of that information could be devastating not only for the organizations involved but for the individuals whose lives are in their care. “You take their data away and it literally threatens lives, patient safety, and patient care, so they are much more likely to pay a ransom,” said GreyCastle Security CEO Reg Harnish.
In fact, hundreds of millions of dollars have been paid quietly, even though there is no guarantee that health care organizations that pay the ransom will actually get their data back. These are, after all, criminals.
Health care as an industry needs to make the decision not to give in to the demands of cybercriminals.
A “no concessions” policy with regard to data hostage-takers is the most sensible approach for protecting health information from the threats of ransomware. Only through a united front against ransomware will there be a chance of dissuading this kind of criminal activity.
Nonetheless, given the inherent value of patient records, the ransomware epidemic will unfortunately continue to ravage health care, unless and until cybercriminals no longer have the financial incentive for taking data hostage in the first place.
Greg Slabodkin, of Buffalo, is managing editor of the online trade publication Health Data Management.