HEALTH CARE: THE CYBERSECURITY FRONTIER

Posted on September 16, 2016

Guest author: Dr. Susan Hoban

As networked healthcare information technology expands beyond medical records into the realm of medical device technology itself, customizing cybersecurity policies and procedures for Health IT becomes increasingly important and complex. Ubiquitous, networked medical technologies, such as smart pumps that monitor and deliver medication or internet-connected medical imaging devices, encompass diverse realms that must be considered together, such as distributed systems (“the cloud”) and embedded systems.

A new era of malware is now threatening Health IT systems, and the stakes are raised as the quality of care of patients is becoming increasingly dependent on these systems. Recently, the flavor of malware known as “ransomware” has been deployed against hospitals. Threat actors using ransomware take control of the victim’s system and demand payment for returning control to the user. Hospitals in Los Angeles and in the Washington DC metro area have reported being victimized by ransomware. Some hospitals have chosen to pay the ransom, because doing so was more efficient than sorting out how to defeat the attack.

Ransomware has been a malware threat for some time and has proven to be a lucrative business. In 2015, one family of ransomware is thought to have generated over $30 million in ransom. Typically the ransoms are small enough (~$300) that a single user will choose to pay rather than lose access to their files. In the case of Hollywood Presbyterian Medical Center in California in March 2016, the ransom request was for $17,000, which the hospital paid to regain control of their files. Targeting hospitals rather than individuals, however, raises the stakes beyond inconvenience and financial loss and presents a clear threat to the quality of care received by patients.

How can hospitals protect themselves against ransomware? The answer is the same for all potential targets: keep system patches and anti-malware up to date, and train employees to practice good cyber hygiene. For Pete’s sake, don’t click on that link.
