Hastily built IT infrastructure invites ransomware attacks, so healthcare organizations better be ready

Considering the growing threat of ransomware in healthcare, organizations need to plan for the day their data become hostages, according to new research from Marshall University. Training and maintaining “digital hygiene” may not only reduce the likelihood of an attack but also reduce the financial and operational impacts of an incident.

Researchers—led by Nikki Spence, MS, an alumnus of the health informatics program at Marshall in Huntington, West Virginia—published a literature review of 74 sources dated between 2005 and 2017 in the Summer 2018 edition of Perspectives in Health Information Management, a peer-reviewed research journal of the American Health Information Management Association (AHIMA) Foundation.

“Hackers have found it easy to attack hospitals with ransomware because of hospitals’ rapid adoption of IT without a concomitant increase in the number and sophistication of IT support staff,” wrote Spence et al. “This IT adoption occurred after the government allocated funds for the Meaningful Use program, which encouraged the use of electronic health records (EHRs). With the Meaningful Use incentives, EHR utilization increased from 9.4 percent in 2008 to 96.9 percent in 2014.”

That massive increase in health IT utilization over a relatively short time ensured security deficiencies, which may now leave systems open to cybercriminals.

“[I]f a ransomware attack is successful, healthcare providers can face substantial financial and even clinical consequences,” Spence and colleagues wrote. “Proper risk mitigation and disaster recovery are crucial to reduce costs and the likelihood of data loss. During a ransomware attack, information systems are shut down, and staff members’ work is hindered by the denial of access to crucial information systems that they rely on for decision making.”

Damages can extend to software, hardware and EHRs, with servers often rendered useless by malware. Beyond that, the authors state, such security incidents could lead to patient mortality—a “worst case” scenario that has led the FDA to begin coordinating with other federal agencies to respond to such incidents.

“[R]ansomware attacks and variants [have] increased substantially in recent years,” Spence et al. wrote. “Healthcare facilities have become a significant target for these attacks, and in response to this increase, it is crucial that they develop a proper disaster recovery plan and adequately educate their users on information security. With proper planning in place, a healthcare facility is not only more likely to survive an attack but also more likely to decrease costs associated with an attack and to mitigate the risk to its reputation.”