Aegis Compliance & Ethics Center, LLP
According to research conducted by the NTT Group security organization, the healthcare industry endured nearly 90% of all ransomware attacks across U.S. industries last year. Institutions such as Erie County Medical Center and Hollywood Presbyterian Medical Center are the latest victims of these attacks, which forced both organizations offline for weeks at a time. Phishing attempts, often the preferred method for infecting institutional computers, recently compromised data from thousands of patients after attackers gained access to the New York healthcare giant Kaleida Health. While it is no surprise that hackers consider confidential information a valuable target, institutions must fight back and focus on employee education and training as the industry’s first line of defense.
Confidential Patient Information Held Hostage
While hundreds of cases within the healthcare industry are currently under investigation by the Office for Civil Rights, this past February hackers hit Hollywood Presbyterian in a high-profile attack. The institution paid $17,000 in Bitcoin to its attackers after succumbing to a malware attack that infected nearly all of the institution’s information systems. With the organization’s computers offline for over a week, Hollywood Presbyterian’s CEO confirmed that the hospital needed to pay the ransom as the “quickest and most efficient way to restore [their] systems”.
Additionally, this past spring, Erie County Medical Center fell prey to a file-encrypting malware strike. The hackers responsible sent ransomware accompanied by an email demanding that the institution send them $44,000 worth of cryptocurrency in exchange for the hospital’s data. Refusing to meet these demands, the hospital stayed completely offline. With the help of IT consulting firms, the medical center eventually restored its information systems six weeks after it received the list of demands.
Phishing attempts (a way to access and contaminate computers with malware) have recently affected one of the largest healthcare providers in New York, Kaleida Health. By gaining access through a single employee account, the hacker accessed clinical data involving over 2,000 patients. Later in the month, another phishing attempt at Kaleida exposed an additional 700 patients.
The Compliance Aimed Defense
These countless malware attacks serve as a cautionary tale for any healthcare institution, large or small. Not only do hackers gain access to confidential patient information in the hope of receiving ransom money or selling the data on the web, but an institution’s productivity and resources are also often caught in the crossfire.
HIPAA requires institutions to educate and train employees to spot cyber-attack attempts, and this proves a worthy defense against malware efforts. Training and education can consist of informing employees of the tell-tale signs that their computer may be compromised (such as noticing an unexplained increase in activity on the computer’s central processing unit), along with simple reminders for employees to check their surroundings.
With close to 90% of healthcare organizations experiencing data breaches involving confidential patient information, healthcare organizations must recognize this as a threat and prioritize implementing the proper education and training programs to comply with the highest industry standards. Next time you receive an urgent email from a strange address, think before you click.