2016 cybersecurity concerns: ransomware
The last thing that probably comes to mind when thinking of the word “hostage” is your personal health record. Yet in 2016 the healthcare industry has been hit by more criminal cyberattacks than ever before, with ransomware attacks emerging as a top threat. And experts are predicting the worst is yet to come.
A form of cyberattack, ransomware is malicious software that encrypts data—or an entire computer system—until a sum of money is paid. In the healthcare environment, this means patient data and treatment information are unavailable to the organization, often significantly disrupting operations and care delivery.
Criminal cyberattacks have been impacting industries across the board for decades. While stolen credit and social security information is regularly sold on the black market, its value doesn’t come remotely close to the value placed on personal health information and records. For example, social security numbers run at about a penny apiece on the black market, compared to the cost of a stolen health record, which can run up to $363, and one Medicare number sells, on average, for close to $500.
Beyond the valuable nature of health information and the associated financial and reputational risk to healthcare organizations, the bottom line is simple: ransomware attacks can put patients at risk. From March to April 2016, ransomware attacks left 14 major hospitals “unable to access patient data, and in some cases, having to turn patients away.” Further, if a health record is purchased on the black market and then used illegally, the patient’s health information could be mixed with that of the individual who illegally purchased it.
The FBI has warned that ransomware incidents and the associated damage they cause will continue to grow in 2016 if healthcare organizations do not prepare in advance.
What can healthcare organizations be doing now to mitigate risk? It’s all about training and testing your employees. Continued education is critical to mitigating the risk of cybersecurity threats. Organizations should frequently analyze attacks impacting other healthcare organizations and perform random, unannounced phishing exercises to test staff members continuously throughout the year.
To drive a successful training and education program, healthcare organizations should not only have the correct training experts and programs in place, but also a strong internal communications strategy to build this foundation. By developing a robust program and plan of action, healthcare organizations can mitigate risk and be prepared for a potentially harmful attack.