Ransomware: it’s back and worse than ever

WRITTEN BY DR. ERIC CADESKY AND STAN SHAW ON AUGUST 8, 2019 FOR CANADIANHEALTHCARENETWORK.CA

This article was originally published at CanadianHealthcareNetwork.ca, the online home of the Medical Post, at http://www.canadianhealthcarenetwork.ca/healthcaremanagers/technology/ransomware-its-back-and-worse-than-ever-39081, and has been republished here with permission.

It’s a typically busy day as you listen to the patient in your examination room while the area outside is full of others waiting to be seen. Your medical office assistant suddenly interrupts, a worried look on her face. Stepping into the hallway, she tells you that her reception desktop computer and the clinic phone system have suddenly stopped working. You check the screen and read the message: the computer has been locked out and all data and backups will be destroyed in three days unless ransom is paid. You quickly look at your own laptop, the one that you were just using to enter your patient’s history into the EMR and see the same message; it now displays on all your office’s computers.

Is this scenario realistic?

Our perception of risk is more emotional than rational, but there is reason to believe that doctors are being targeted for profit. In April 2019, a two-physician clinic in Michigan became the first healthcare provider in North America to permanently close its business after all records were destroyed due to a ransomware attack. Four other healthcare providers in Michigan were also attacked in early 2019 including one hospital with 40,000 patient records.

On June 19, 2019, five US healthcare providers in Colorado, Boston, New Orleans, New York and California reported ransomware attacks over a period of seven days. The previous week, a medical specialist clinic in Ohio paid $75,000 US to recover from a ransomware attack that had infected all of their systems.

On June 21, 2019 Marin Community Clinics in California were hit by ransomware extortionists, shutting down clinic systems for over three days. The clinics recovered only after they paid extortionists an undisclosed amount.

During the same period, multiple cities and municipalities were hit as well, including Stratford, Ontario; the entire city of Baltimore; the Florida cities of Riviera Beach, Lake City and Key Biscayne; The Nation Municipality in Ontario; and LaPorte County in Indiana. Recovering from these attacks has been expensive, with reported costs ranging from $130,000 to $600,000 US. The cost to the city of Baltimore was in excess of $18M.

These are not isolated cases.

In May 2019, a worldwide insurance firm reported that the number of ransomware attacks on its clients increased 105% in one year. A June 2019 report from a cybersecurity group found that ransomware's share of all malware observed rose from 9% in the previous quarter to 24% in Q1 2019.

Overall, the healthcare industry was the most heavily targeted industry in 2018. With respect to ransomware, healthcare organizations worldwide were the victims of 34% of all attacks last year, more than double the share of other sectors such as financial institutions and professional services.

In Britain, it is now so serious that on July 2, 2019, the London-based Institute of Global Health Innovation issued an urgent warning to the House of Lords that the National Health Service (NHS) is vulnerable to cyber-attack and must take steps “to defend against threats which could risk the safety of patients”.

Many of the above attacks were launched through email containing dangerous links or email attachments. These phishing attacks are becoming very sophisticated: the carefully crafted messages being sent to potential victims these days are difficult to detect. In June 2019, at least four hospitals in Romania were hit by cyber-attacks using infected email attachments disguised as invoices and plane tickets.

However, extortionists do not always need to use ransom software in order to launch an attack. In February, computer systems at CarePartners, a health provider in Ontario, were hacked, exposing medical and financial records of at least 80,000 patients. Extortionists then threatened to release the data to the public, along with decryption keys that would allow it to be read by anyone, unless a ransom of $18,000 was paid.

Many factors contribute to healthcare being a major ransomware target. Frequently cited are:

  • A chronic lack of funding for information security.
  • The value of medical data and potential for a privacy breach.
  • The impact on patient care if the problem is not rapidly resolved.
  • An immediate, lucrative, and difficult to trace financial reward for extortionists if a ransom is paid.

The situation in Canada

Provincial health authorities are taking the ransomware threat seriously. Significant efforts have been underway in hospitals and public institutions over the past several years to ensure appropriate IT safeguards are in place. This includes raising staff awareness, through training and periodic updates, so they can protect themselves from phishing and social engineering.

However, ransomware is a serious risk not only in hospitals and public institutions, but in private medical clinics as well. Where can physicians in clinics turn for help?

As an example of what must be considered in provinces across Canada, over 5,000 physicians in British Columbia use electronic medical records (EMRs) in medical clinics every working day. This does not include clinic support staff and other health care professionals who also access these systems. However, unlike publicly funded hospitals and health care institutions across Canada, many GP and specialist private clinics lack IT security expertise and staff training needed to mitigate the risk of a ransomware attack, or rapidly recover from it. The problem of protecting patient health information across hundreds of private clinics in B.C., let alone the rest of Canada, is immense.

What can be done: A call for action

The ransomware threat to patient safety presents both a challenge and an opportunity for healthcare IT leadership. Expert support and training are needed in order to reduce the risk of private clinic systems being breached and physicians being locked out of their data.

When the city of Stratford, Ontario was recently hit by ransomware, the mayor called for a national strategy for municipalities to improve cyber-security. We believe that a similar healthcare information cyber-security strategy would be the most effective approach. Although privacy legislation requires it, no comprehensive national or provincial strategy exists to date that is designed to support and protect personal information in private medical clinics. Yet, like thousands of small municipalities across the country, many clinics need expert resources to assess risks, create effective safeguards, and provide cyber-awareness training to staff in order to defend themselves.

In the meantime, leadership begins with you. Ransomware will not wait to deliver a payload. And, when it comes to ransomware, prevention is much easier than treatment. The time to make sure that your staff are trained, and your clinic has basic security and disaster recovery measures in place, is now.

Your own in-clinic efforts can make a difference. An example is Maffi Clinics, a group of plastic surgery clinics in the US that was hit with ransomware in March 2019. Unlike many similar cases, they recovered within hours. How did they do it? The clinic already had strong security response procedures in place.

Here are some suggestions on how to get started:

  • The RCMP has some excellent recommendations that can help protect personal and business computer users. Following them will dramatically reduce your risk of becoming a victim of ransomware.
  • Consider the implications of Breach Notification, and make sure you know what steps you should take if an extortionist launches an attack against your clinic. It’s mandatory in most provinces across Canada.
  • Read what the CMPA (Canadian Medical Protective Association) has to say about ransomware preparedness.
  • Review applicable provincial and national privacy legislation, and how it may affect you. Check that your clinic has adequate insurance to cover potential business losses due to a ransomware attack.
  • Above all, focus on awareness and training: Make sure your staff knows the risks involved, and what to do to prevent ransomware from hitting your clinic. The most common contributor to successful phishing attacks is a lack of knowledge combined with human behavior. Create an intelligent human firewall by nurturing, through careful training, a culture of privacy and security.

Dr. Eric Cadesky is a family physician in Vancouver. He is the past-president of Doctors of BC.

Stan Shaw was the Regional Lead for Vancouver at the Physician Information Technology Office (PITO), established through Doctors of BC. He is the founder of Corban Technology Solutions, a healthcare privacy and security consultancy firm in Vancouver.

You can also find more information on 2Ascribe’s web site regarding privacy breaches and legislation at https://www.2ascribe.com/category/articles/privacy-legislation.
