Ransomware operators don’t discriminate between targets, hitting everything from industrial control systems and government agencies to small businesses and regular people sitting at home watching YouTube. Depending on the target, the damage can range from mere nuisance to catastrophe.
For education institutions, ransomware can lead to reams of missing data: schedules, college acceptance information, accounts payable, bank data and grades. For government infrastructure, it can take down email and phone systems. For healthcare institutions, however, it can make the difference between life and death.
A new wave of ransomware attacks reported in the past week across different geographies and industries includes several incidents in the healthcare sector.
A hospital in Northern France is still struggling to disinfect 6,000 computers after a ransomware contagion hit them more than a week ago, and is operating with heavily degraded performance, according to a report by Le Monde. The IT department has made some progress recovering lost data, but expects another week of downtime. Interestingly, the attackers left no ransom note. Even if the hospital wanted to pay to disinfect its systems, there’s no payment address.
In Wisconsin in the US, 110 nursing homes were cut off from health records in a ransomware attack last week. The attackers demanded a whopping $14 million in Bitcoin. As reported by cybersecurity expert Brian Krebs, “The ongoing attack is preventing these care centers from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.”
Minutes, even seconds, of delay can seriously affect the patient death rate. According to one recent study by Health Services Research, hospitals that have suffered ransomware attacks have recorded a rise in fatal heart attacks compared to units that haven’t been under fire by hackers. Specifically, medical institutions hit by ransomware showed an increase of 36 deaths per 10,000 heart attacks per year. Furthermore, patients received an electrocardiogram 2.7 minutes later than the average, putting lives at risk in emergencies.
Healthcare institutions have been under heavy fire from ransomware operators in the past few years. Attackers can not only encrypt vital medical data and demand a ransom to unlock it, but also steal patient records for use in identity theft and fraud. In fact, patient data is one of the most expensive forms of stolen ID record on the dark web.
Hospitals also house a lot of Internet-connected equipment that cannot be secured with traditional endpoint solutions, while staff typically lacks proper training against cyber threats – as is the case across most other industries.
"Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes," authors Sung J. Choi PhD, M. Eric Johnson PhD, and Christoph U. Lehmann MD, said. "Thus, breached hospitals and HHS oversight should carefully evaluate remedial security initiatives to achieve better data security without negatively affecting patient outcomes."
Following their Hippocratic Oath, healthcare institutions should invest properly in cybersecurity to protect those entrusting them with their lives.