Hospital ransomware attacks up 113 percent in 2014 and accelerating
March 07, 2016
by John W. Mitchell, Senior Correspondent
In an HIMSS session titled “Best Practices for Protecting Against Cyberattacks,” Mac McMillan, CEO at CynergisTek, told a rapt audience at HIMSS 2016 that he has talked to more hospital boards in the last year about cyber security than in the previous 12 years. Chuck Kesler, chief information security officer at Duke Medicine, explained that these criminals don’t care that hospitals are doing good and saving lives.
According to the two, it’s not a matter of if hackers will get into a hospital’s data system, but when.
According to Kesler, “breaches are going to occur, you have to accept that.” He said that it is vital that every hospital have a high-functioning system to detect and shut down a breach and to prevent data from being transferred out.
McMillan said this is the most troubling aspect of recent attacks: the ease with which hackers are exporting large data files once they gain access.
“Somebody should be noticing that (in real time),” he said. “That’s a sign there aren’t good controls in place.” He likened the current-day hacker problem to The Great Wall of China. “The Great Wall didn’t protect China because it was obsolete by the time it was built and no one was watching. The bad guys just dug under and climbed over that wall.”
McMillan said that hospital records are especially attractive to data thieves because, unlike other sources, hospital records contain all the key elements of a patient’s identity in one place. This includes social security number, credit card number and home address. He said that hackers who manage to steal millions of files can sell such records for up to $50 apiece.
In addition to file thefts, there has been a dramatic uptick in ransomware attacks on hospitals in just the past three to four months. He noted that in 2014, ransomware attacks against hospitals increased 113 percent.
Most recently, Hollywood Presbyterian Medical Center paid $17,000 to hackers to regain control of some of its IT functions. But according to Kesler, the damage to a hospital’s brand from such negative publicity can be much more costly in the long run. Total associated costs to Community Health System in Tennessee, which had 4.5 million non-medical patient data files stolen by hackers last fall, are estimated to have already exceeded $250 million.
McMillan and Kesler presented an extensive timeline listing just a few of the highest-profile hospital hacking cases in recent years. They conveyed that hospitals and IT staff must have a sense of urgency about the threat from hackers right now, and every day.