Halloween is just around the corner, and October started out with some pretty scary stuff. 2019 has already been a particularly terrifying year when it comes to ransomware attacks. Depending on how long you have been following this blog, you may recall the so-called “Ransomware Explosion” of 2016. At that time, five healthcare organizations were hit by ransomware attacks in a single month and the FBI reported a record 321 attacks in a period of only nine months, totaling $57 million in ransom payments.
Well, if you thought that was bad, you might want to buckle up… because 2019 has been so much worse than 2016 that the whole “Ransomware Explosion” label now feels like it was premature. After all, if 2016 was an “explosion,” then what are we supposed to call the current situation? Because this year has truly been a horror show of unprecedented proportions when it comes to ransomware attacks, and some of the scariest incidents have recently been haunting organizations in the health care industry like a swarm of wrathful ghosts.
With just a few months left to go in 2019, this has already been a horrific year overall, with a staggering 621 ransomware attacks reported between January and September of 2019—and these numbers only include attacks on hospitals, schools, and government entities. If one were to add in attacks on private businesses, the total would easily double the record of 321 attacks that were reported during the 2016 “Ransomware Explosion.”
The worst of this year’s attacks happened only recently, when ten hospitals (three in the state of Alabama and seven in Australia) were all hit by ransomware on October 1, 2019. For these ten hospitals, the result was altogether crippling—completely shutting down their networks and locking them out of their data—to the point that they had no choice but to turn away all but the most critical patients and divert local ambulances to other hospitals. At the Alabama hospitals, even some critical and emergency room patients had to be transferred (once stabilized, of course) to other facilities.
Needless to say, the situation got pretty desperate.
Paying the Devil His Due
The board members of DCH Health System, which is the governing body for the three affected Alabama hospitals, faced the same tough decision of all ransomware victims—whether or not to pay up. The devil may always demand his due, but the decision to pay it is up to you. There are, of course, arguments to be made for either course of action. When it comes to which is recommended, it depends a lot on who you ask.
If you were to ask a representative of law enforcement (like, say, the FBI), he/she will tell you that their official stance on the matter has always been, and continues to be, that people should refuse to make ransomware payments. The thinking behind this policy is that if everyone stops paying, ransomware will stop being lucrative for criminals and they will stop using it (or, at least, use it less often). For the victim, of course, not paying also means dealing with the monetary cost and extended downtime of rebuilding an entire network and recovering all the lost data (often from scratch, if it was not backed up properly). Law enforcement agencies tend to focus mostly on prevention and security. They may advise people not to pay, but they also cannot legally stop them from doing so.
On the other hand, if you ask an IT professional or private sector cybersecurity expert, he/she will most likely tell you that paying the ransom is the fastest and safest way to get your system back online with all of its data intact. Why? Because cybercriminals who use ransomware almost always provide the decryption key once they have been paid. It may seem odd to expect criminals to honor their word but, when it comes to ransomware, they do. They know that if victims believe they are unlikely to receive decryption keys after the ransom is paid, then they might choose instead to take the nonpayment course of action recommended by law enforcement. And cybercriminals definitely don’t want that.
The choice made by the DCH Health System board was to pay the ransom (the exact amount paid is not available at the time of writing). After the bitcoin was sent, as per the cybercriminals’ instructions, they received the necessary decryption keys almost immediately. As a result, all three of the affected hospitals in Alabama are now back up and running, with their data restored and systems online.
It is doubtful anyone will be surprised if (when) the seven afflicted hospitals in Australia end up doing the exact same thing.
Should Health Care Practices Be Scared?
For private medical practices, the continued increase in the frequency of ransomware attacks is really only something to be afraid of if you are not using a cloud-based EMR/PM solution. For those with onsite infrastructure, a ransomware infection can be crippling. Cloud-based solutions, on the other hand, remain unaffected even if your entire onsite network is locked down. All that is needed in order to get up and running again is a new, uninfected computer with an internet connection. Since, with a cloud-based system, your PHI data is not stored on your computers or onsite servers, there is no need to worry about data recovery, corruption or loss if you are hit by a ransomware attack.
The ideal situation, obviously, is to avoid becoming the victim of a ransomware attack in the first place. The best way to do this is to make sure you and your staff are following the best practices for data security. For a plethora of information on maintaining better levels of data security for your private medical practice, check out our cybersecurity blog list.
In all likelihood, this ransomware horror show is far from over and the worst may be yet to come. Like a masked psychopath in a slasher film, ransomware will always rise from the grave to wreak more havoc and destruction. In fact, the FBI recently issued a Public Service Announcement that warns of even more ransomware attacks to come.
If you would like to learn more about how Nextech’s suite of secure, HIPAA-compliant, cloud-based solutions can help protect your practice against the horrors of ransomware, contact our team at 800-868-3694.