Hostage crisis? Ransomware is a threat that demands disaster planning

Considering the growing threat of ransomware in healthcare, organizations need to plan for the day their data become hostages, according to new research from Marshall University. Training and maintaining “digital hygiene” can not only reduce the likelihood of an attack but may also reduce the financial and operational impacts of an incident.

Researchers led by Nikki Spence, MS, an alumnus of the health informatics program at Marshall in Huntington, West Virginia, published a literature review of 74 sources from 2005 to 2017 in the Summer 2018 edition of Perspectives in Health Information Management, a peer-reviewed research journal of the American Health Information Management Association (AHIMA) Foundation.

“Hackers have found it easy to attack hospitals with ransomware because of hospitals’ rapid adoption of IT without a concomitant increase in the number and sophistication of IT support staff,” wrote Spence et al. “This IT adoption occurred after the government allocated funds for the Meaningful Use program, which encouraged the use of electronic health records (EHRs). With the Meaningful Use incentives, EHR utilization increased from 9.4 percent in 2008 to 96.9 percent in 2014.”

That massive increase in health IT utilization in a relatively short time ensured security deficiencies, which may now leave systems open to cyber criminals.

“[I]f a ransomware attack is successful, healthcare providers can face substantial financial and even clinical consequences,” Spence and colleagues wrote. “Proper risk mitigation and disaster recovery are crucial to reduce costs and the likelihood of data loss. During a ransomware attack, information systems are shut down, and staff members’ work is hindered by the denial of access to crucial information systems that they rely on for decision making.”

Damage can extend to software, hardware and EHRs, with servers often rendered useless by malware. Beyond that, the authors state, such security incidents could lead to patient mortality, a “worst case” scenario that has led the FDA to begin coordination with other federal agencies to respond to such incidents.

“[R]ansomware attacks and variants [have] increased substantially in recent years,” Spence et al. wrote. “Healthcare facilities have become a significant target for these attacks, and in response to this increase, it is crucial that they develop a proper disaster recovery plan and adequately educate their users on information security. With proper planning in place, a healthcare facility is not only more likely to survive an attack but also more likely to decrease costs associated with an attack and to mitigate the risk to its reputation.”

Nicholas Leider, Managing Editor

Nicholas joined TriMed in 2016 as the managing editor of the Chicago office. After receiving his master’s from Roosevelt University, he worked in various writing/editing roles for magazines ranging in topic from billiards to metallurgy. Currently on Chicago’s north side, Nicholas keeps busy by running, reading and talking to his two cats.
