Ransomware complicates healthcare cybersecurity

Concerns about cybersecurity have grown since US patient health data went digital in 2014, but ransomware attacks present a whole new category of threat.

With the transition to electronic health records (EHRs) providers and insurance companies are often criticized for inadequately securing digital health data. As the story usually goes: The healthcare industry is busy focusing on patient care, so cybersecurity has been lax.

The result has been record numbers of health data breaches and hacking events, especially in the past three years. The industry got a wake-up call in 2015 when 113 million patient records were hacked, mostly through three massive data breaches at Anthem, Premera Blue Cross, and Ecellus Health Plan. While many fewer patient records were compromised in 2016 (just 16 million), the number of providers affected rose by 320 percent from the previous year.

2016 was also the first time a hospital was struck by a ransomware attack. As we saw this week, ransomware can restrict providers’ access to health data and limit their ability to deliver care. The cyberattacks beginning Friday forced Britain’s public health system to send patients away because providers couldn’t access their digital records.

Transmitted via email, the ransomware called WannaCry has spread across 150 countries since Friday and affected more than 200,000 computers across a range of industries. But the impact in healthcare may be the most devastating, as emergency rooms in Britain were forced to divert people seeking urgent care.

Ransomware attacks like WannaCry present a whole new category of threat compared to traditional health data cybersecurity concerns. Prior to ransomware, hackers sought access to patient data as an easy and lucrative form of identity theft. Information like social security, insurance and medical ID numbers fetch high prices on the black market where they can be used for medical fraud. Knowing someone’s address, diagnoses and physical characteristics, thieves can falsely bill insurance companies for procedures that were never done or use the information to order and illegally re-sell prescription drugs.

The recent cyberattacks at UK hospitals presented a different problem based around losing access to patient information. Victims of the ransomware attack were confronted with a pop-up window saying their files are encrypted until they pay $300. As the message reads, “You can decrypt some of your files for free. But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled.”

Instead of stealing patient information for medical fraud, ransomware exploits providers’ reliance on EHRs to demand payment. According to England’s National Health Services, at least 16 hospitals were affected but “at this stage we do not have any evidence that patient data has been accessed.”

Ransomware is an unwelcome reminder that digital health data is vulnerable to cyber attacks. While data breaches have always been costly and a nuisance, with ransomware they can be life-threatening. US Senator Ben Sasse captured the gravity of the situation in an interview with NPR. "This is big: around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages, ambulances are being rerouted, and millions of people's data is potentially exposed. Cybersecurity isn't a hypothetical problem – today shows it can be life or death. We'll likely look back at this as a watershed moment."