Removing outdated systems and using offsite backup strategies are keys to protecting a health system from ransomware attacks, which are on the rise.
Make no mistake—hackers are after your healthcare data. Healthcare data is particularly valuable to cyber criminals because birth dates, Social Security numbers, and other medical information can be used to set up new identities and credit accounts. In a ransomware attack, the 24/7 nature of health systems means that executives are more likely to pay a ransom, although there is no guarantee hijacked information will be unlocked.
According to Symantec, the average ransomware attack netted $1077 last year, a 266% jump from 2015. This year alone, the WannaCry ransomware attack crippled thousands of companies in 150 countries, and caused significant disruption to the National Health Service in the United Kingdom. Another ransomware attack in late June hit computers around the globe, including the pharmaceutical company Merck. Both of these incidents targeted a vulnerability in Microsoft Windows for which a patch was issued.
The following 4 tips will help protect healthcare IT systems.
1. Plug security loopholes. This is easier said than done. A typical healthcare system employs hundreds of IT systems responsible for everything from patient records to lab results, imaging, bed management, communications, and much more. Time is limited, and IT staff get stretched to the breaking point handling the crisis of the day, leaving little capacity for routine maintenance. So, health systems must have an asset and technology allocation plan, or they should consider outsourcing the day-to-day maintenance of certain systems.
2. Retire outdated or legacy technology systems. Older IT systems are more vulnerable to attack because of weaker security protocols, or because maintenance lapses once software manufacturers stop supporting outdated technology. How many electronic medical records (EMR) systems have you been through? How about imaging, labs, or secure email systems? Hackers work at the intersections between IT systems, testing for vulnerabilities. Retiring older technology not only saves a health system money, it also can make for a safer information environment.
3. Employ multiple backup strategies. A single backup strategy is not only insufficient, it also could exacerbate an attack. Resilience features such as replication work fine when a single piece of hardware fails but offer no protection against deliberate corruption. In fact, de-duplication devices resemble network file servers, making them prime targets for ransomware attacks. The gold standard of backup must include a copy to offsite tape in a fire safe with the write-protect switch set or other secure offline media. While it may be considered old school, ransomware cannot affect data that’s not online. We recommend 2-tier backup — a first copy that is online for ease of restore, but that is then copied to secure offsite, offline media.
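The integrity gate behind the second tier, as an added example that is not from the article: the offline copy is refreshed only when the online copy still matches the hash manifest recorded when the backup was taken, so a corrupted online copy is never replicated over the good offline generation. Directory layout, manifest format and file names are assumptions; the "offline" directory stands in for tape.

```python
# Added example (not from the article): gate the tier-2 (offline) copy on an
# integrity check of the tier-1 (online) backup, so ransomware that corrupts
# the online copy is not replicated to offline media. Paths are hypothetical.
import hashlib
import shutil
import tempfile
from pathlib import Path

def build_manifest(backup_dir):
    """Map each relative file path to its SHA-256, computed when the backup is made."""
    root = Path(backup_dir)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(backup_dir, manifest):
    """Return the files whose content no longer matches the manifest (changed or missing)."""
    root = Path(backup_dir)
    bad = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            bad.append(rel)
    return bad

def promote_to_offline(backup_dir, manifest, offline_dir):
    """Copy tier-1 into a new numbered generation under offline_dir only if it is intact.
    Returns (ok, problems); an existing generation is never overwritten."""
    problems = verify_backup(backup_dir, manifest)
    if problems:
        return False, problems          # keep the last good offline generation untouched
    dest = Path(offline_dir) / f"gen-{len(list(Path(offline_dir).glob('gen-*'))) + 1:04d}"
    shutil.copytree(backup_dir, dest)
    return True, []

def demo():
    """Constructed scenario: one clean promotion, then a simulated corruption of tier 1."""
    with tempfile.TemporaryDirectory() as tmp:
        tier1, offline = Path(tmp, "tier1"), Path(tmp, "offline")
        tier1.mkdir()
        offline.mkdir()
        (tier1 / "patient_records.db").write_bytes(b"constructed backup contents")
        manifest = build_manifest(tier1)
        first_ok, _ = promote_to_offline(tier1, manifest, offline)
        # simulate ransomware overwriting the online backup after the manifest was taken
        (tier1 / "patient_records.db").write_bytes(b"\x00\xff encrypted-looking garbage")
        second_ok, problems = promote_to_offline(tier1, manifest, offline)
        generations = len(list(offline.glob("gen-*")))
        return first_ok, second_ok, problems, generations
```

On real offline media the write-protect switch provides the protection this check cannot; the check only keeps an automated copy job from pushing corrupted data toward it.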
4. Consider an independent clinical archive. Reducing the overall number of technology systems and application programming interfaces (APIs) connecting them will reduce the chances of a successful cyberattack. Often, health systems keep around otherwise obsolete EMRs and other clinical and administrative applications because so little information was transferred from the older systems to the latest ones. However, that information has diagnostic value or may be required to be kept for a certain amount of time to adhere to regulatory guidelines. An independent clinical archive (ICA) not only has inbuilt protection capabilities, such as independently written multiple copies and encryption, it also serves as a vendor-neutral repository of information from these systems, allowing them to be retired. Information stored in an ICA can become part of the patient record without the need for providers to log into multiple systems.
In the first 6 months of 2017, 149 healthcare data breaches were reported to HHS. While only one-third of breaches involved hacking/IT incidents, these represent 60% of victims impacted, some 1.6 million individuals. One ransomware attack involved 500,000 records.
Healthcare information security will continue to dominate headlines until the industry takes concrete steps to curb the incidence of ransomware, hacking and other data breaches.