Partners: Ransomware Attack On Hospital Shows Need For Broader Security Strategy

Solution providers say the recent high-profile ransomware incident at a California hospital should be a warning sign for health care and other businesses to develop a more comprehensive security strategy, one that moves beyond protecting against information theft to also preventing unauthorized changes in information or loss of access.

The ransomware attack hit the Hollywood Presbyterian Medical Center on Feb. 5, when employees first noticed problems with the network. Since then, the hospital has been unable to access its network, any of its electronic health records or electronic communications, forcing it to revert to paper, telephones and fax machines to keep the medical center up and running.

Some reports said the incident was caused by a phishing attack, but those reports were not confirmed by the hospital.

In 2015, there were multiple mega breaches that struck the health care industry, though most were focused around the insurance industry, including such businesses as Anthem, Premera and CareFirst. According to the Privacy Rights Clearinghouse, there were 53 reported breaches in the health care and medical provider sectors (with an additional 36 in financial and insurance services).

However, this recent high-profile incident shows a different tone of attack, one that requires a much more comprehensive security strategy in health care, said Dan Berger, president of Redspin, a Carpinteria, Calif.-based security solution provider that focuses on the health care vertical. While many security strategies focus on stopping hackers from accessing information, Berger said it's important for health care organizations to focus on what he called the "full definition" of security, including information integrity and availability.

"We're starting to see the integrity and the availability of that triad is actually becoming more scary because then you're talking about hackers getting in and maybe changing medical records instead of stealing them, or in this case, they made them unavailable," Berger said. "Losing your personal data is one thing, but disabling the hospital from being able to operate is another."

Reports put the initial ransomware demands at around $3.4 million in equivalent Bitcoin, but the hospital said Wednesday that the demands were actually for around $17,000 in Bitcoin. The hospital said it has decided to pay the ransom, as it was in the "best interest of restoring normal operations."

Ransomware, in particular, is a trend that partners need to be paying attention to, Berger said. According to a recent study by Kaspersky Lab, ransomware was significantly on the rise in 2015, doubling in the number of attacks throughout the year. Berger said he saw sporadic ransomware events throughout the year, but none that were this high profile. However, he said he expects that will change as other hackers look to capitalize on the payout.

"I have a feeling this is now the tip of the iceberg," Berger said.

One challenge is that the health care industry has historically underinvested in security technologies compared to other verticals, such as finance, Berger said. However, with the mega breaches in insurance and more local events such as this hospital ransomware attack, coupled with a rigid regulatory environment, that trend is starting to change, he said.

"It's improving. It's definitely improving," Berger said. "We've seen some increase in spending in the last 12 months and I think it's going to continue until we get the industry up to par with someone like the financial industry."

Berger said he recommends health care clients look into business continuity technologies that might help in the event of a ransomware attack. He said hospitals and other health care organizations should have a procedure in place where, if this type of incident were to occur, they would know how to remediate it.

Berger also recommended that health care organizations work to train employees on how to spot phishing attacks.