Can hospitals survive the ransomware threat?

Computer networks at hospitals are vulnerable gateways to valuable and hyper-sensitive patient data. Hackers recognising this weakness are stepping up their game and refining their attack strategy to target hospitals and healthcare organisations. A recent rash of four separate attacks in Southern Carolina, California, Kentucky, and Canada marked a tipping point and catalysed the FBI into conducting a full probe into this escalating trend.

With more than four million instances of ransomware in the second quarter of 2015 alone and exponential growth predicted for this year, hospital IT departments can hardly keep their heads above water. The stakes are high and to survive the ransomware threat, hospitals need to double down on prevention, preparation and other ways to protect themselves.

Insufficient approach to security

Ransomware exploits the perfect storm of conditions in hospitals for financial gain. In 2015, a federal mandate in the U.S. passed, requiring electronic medical records (EMR) or electronic health records (EHR) to be implemented into personal health information (PHI) systems, eating into constrained IT budgets and available resources and spreading IT staff thin. With a forced focus on implementing access to electronic records and online systems, security concerns have remained secondary. Many hospitals still rely on dated systems and lack a sufficient approach to ensure cutting-edge cybersecurity.

Additional financial woes stem from higher industry competition, lower reimbursement rates and increases in overhead costs, leaving little room (or funding) for a robust security program. Indeed, an increasing number of U.S. hospitals are facing closure — but security has become an expense worth pursuing.

Life or death in the digital world

On the black market, a health record can be worth as much as 20 times more than a stolen credit card. Hospitals and the healthcare industry have become prime targets for ransomware hacks because everything from patients' confidential records to hospital revenue streams depends on unimpeded access by multiple parties, from doctors to nurses, billing departments to pharmacists. If they hope to survive a hacker attack, hospitals must have a plan. Similar to their work with patients, hospitals need to view their IT infrastructure from a life or death point of view. Here are a few ways hospitals can secure survival, mitigate damage and ensure business continuity in a world where ransomware attacks are on the rise.

Prevention – the basics

The basic steps for preventing all attacks are the same. Educate users about the current threat environment, provide examples of suspicious email links and attachments, and then test your user pool regularly for diligence. A hospital IT department can send out fake emails to capture user vulnerabilities and increase education tactics from there.

Another elemental step in preventing attacks is to keep all software up to date — that includes front-end and back-end software and virus definitions. Security fixes are released to address known threats, and this means threats known to both the software manufacturer and the hackers looking to undermine them.

Preparation – dedicated security

Hospitals have security guards because relying on regular staff to guard the facility while tending their regular responsibilities would be ludicrous. IT is the same way. While all personnel, from the help desk staff to the CTO, can be part of the solution, it is essential to have a separate and dedicated team whose sole responsibility is security. In the Office of Personnel Management (OPM) hack announced last year, the lack of a dedicated security team was identified as one of the key factors behind the breach. A dedicated security team can help the rest of the IT team to prioritise updates and patches in a timely manner because they know which security flaws are being exploited. More than anything, they will have plans in place for both preventing attacks and triaging the situation in case of an intrusion.

Beyond backups – operational resiliency

Today’s IT leaders are constantly asked to find new ways to deliver higher levels of service at lower costs and with fewer resources. Many current hospital systems rely on antiquated backup mechanisms and redundant infrastructure. This not only increases complexity and cost, but drastically limits IT’s ability to quickly respond to incidents, outages and security breaches.

To ensure recoverability from a security breach like a ransomware attack, it’s always advisable to make certain systems are backed up. But even this advice needs an update. Many organisations are moving to external Disaster Recovery as a Service (DRaaS) platforms to leverage the capabilities of cloud computing for both power and simplicity.

DRaaS is an active part of IT and security infrastructure. With services from simple backup to full server failover, organisations can and do find point solutions for their unique needs. One of the best parts for the healthcare industry is that DRaaS is capable of supporting HIPAA compliance with standard security features for access control and data encryption.

More recently, the category of DRaaS has expanded to include platforms that put many functions of IT resiliency in one place. These so-called hyper-converged solutions help institutions recover data quickly if it is lost, and stay operational in the process. Cloud-converged solutions take this one step further by eliminating the need for additional data-center or on-premise secondary infrastructure, putting all aspects of IT resiliency — data protection, disaster recovery, business continuity, testing and developing, data warehousing, analytics, archiving and compliance — in the cloud and available on demand, all from a single deduplicated copy. By supporting these non-production workloads and ensuring full IT productivity, cloud-converged platforms are an innovative way to reduce complexity and mitigate hospitals’ strapped IT budgets.

Back to business

The threats that ransomware poses revolve around catastrophic loss — either financial or rooted in information loss — but by focusing on prevention, preparation and recovery, hospitals can avoid the loss of productivity and damage to reputation that disrupts their important work. Strategic IT initiatives that combine innovative technology, educated users and the power of cloud services to form comprehensive data protection move beyond DRaaS to provide the antithesis to growing threats of ransomware. This unique combination empowers organisations to get back to business faster and more efficiently if and when disaster strikes.

Todd Scallan, VP Products & Engineering, Axcient