In: Nursing
Why are areas of a healthcare system particularly vulnerable to ransomware and should be especially protected? What might patients do to ensure their information is safeguarded?
A health system, also sometimes referred to as health care system or as healthcare system, is the organization of people, institutions, and resources that deliver health care services to meet the health needs of target populations.
1. The term ransomware refers to a type of malware used by attackers that first encrypts files and then demands a ransom in return for the key that unlocks the data. These ransoms are most often requested in the form of bitcoins, a type of cryptocurrency. Because bitcoin makes transactions accessible while protecting the anonymity of those involved, it has become the preferred currency for criminal activity, including that of ransomware hackers.
Ransomware is typically spread through fake emails that have been designed by the hacker to appear legitimate. These emails may contain a link to an infected website or include an attachment such as a Word document that contains macros. Once a link is clicked or a document is opened, the malware is downloaded and infects the machine quickly: estimates vary from seconds to 20 minutes. During this time, the malware searches the hard drive, network files, external drives, and cloud drives for all data that can be encrypted. After encryption, an electronic "key" is required to unlock the files; this key is held by the hacker and is not released until the victim pays the requested amount, or ransom.
Before 2016, healthcare organizations were not thought to be a primary target for ransomware. However, hospitals had become a target of ransomware, and a total of 173 hacking/information technology (IT) incident data breaches had been officially reported by October 16, 2016. Hospitals have become an easy target for hackers for two reasons:
(1) The necessity of computer storage of information associated with patient care (e.g., electronic medical records) and
(2) The security holes in IT systems.
In fact, a report from the Ponemon Institute in 2016 stated that 89 percent of healthcare organizations suffered at least one data breach involving the loss of patient data over a two-year period, and 45 percent had more than five such breaches. Also, the frequency of successful hacking of patient medical files increased from 55 percent in 2015 to 64 percent in 2016. When hit with ransomware, some hospitals have been desperate to pay the ransom because they need the most up-to-date information, such as drug interactions, care directives, and medical history, in order to provide critical care to patients. Accordingly, the healthcare industry is now considered to be at substantial risk of a ransomware attack, mainly because it trails other leading industries in securing vital data.
Hackers have found it easy to attack hospitals with ransomware because of hospitals’ rapid adoption of IT without a concomitant increase in the number and sophistication of IT support staff. This IT adoption occurred after the government allocated funds for the Meaningful Use program, which encouraged the use of electronic health records (EHRs). With the Meaningful Use incentives, EHR utilization increased from 9.4 percent in 2008 to 96.9 percent in 2014.
When ransomware accesses patient data, cyberattacks on healthcare facilities become a much more significant problem. If a server or computer is not encrypted at rest and information is encrypted only during incoming and outgoing transactions, a ransomware virus could exploit this weakness and copy the information on the server. If this were to happen, the provider would be exposed to all the previously mentioned costs in addition to the costs associated with HIPAA data breach violations. In recent years, the number of cyberattacks on personal health information stored on the computer systems of healthcare facilities has been increasing rapidly; for an exhaustive review of recent ransomware attacks involving the unauthorized theft of patient health information.
Although the extent of illegally obtained patient health information varies by institution and by attacker, most facilities noted the loss of patient names, addresses, telephone numbers, email addresses, dates of birth, IP addresses, marital status, race, provider information, patient Social Security numbers, health insurance numbers, and mental or health condition or treatment information. In 2016, 34.5 percent of all identity thefts occurred as a result of breaches in the healthcare sector, second only to the business sector, which accounted for 45.2 percent of identified violations. However, the number of identity theft breaches associated with the healthcare sector has grown more quickly each year than in any other industry.
The number of ransomware attacks and variants has increased substantially in recent years. Healthcare facilities have become a significant target for these attacks, and in response to this increase, it is crucial that they develop a proper disaster recovery plan and adequately educate their users on information security. With proper planning in place, a healthcare facility is not only more likely to survive an attack but also more likely to decrease costs associated with an attack and to mitigate the risk to its reputation.
10 steps that healthcare organizations can take to safeguard ePHI and ensure HIPAA and HITECH compliance as cloud computing evolves more fully into an industry mainstay.
1. Secure transmissions. One of the greatest points of security risk occurs when data is "in flight" from one provider to another via public or private cloud. Healthcare facilities should use a minimum of 128-bit encryption. Preferably, they should achieve advanced levels of AES 256-compliant encryption to safeguard sensitive data and the channel during transmission.
2. Perform annual risk assessments. Other highly regulated industries, like financial services, are required to conduct regular audits to ensure ongoing compliance. However, many healthcare organizations overlook this important step. With the growing adoption of cloud computing, organizations should consider hiring a third-party consultant to conduct thorough risk audits on an annual basis. These consultants can also implement ongoing monitoring tools to raise red flags instantly if potential security issues arise.
3. Enhance breach notification processes. Today, most breaches come to light when someone in the organization stumbles on one or more, or the media reports it as part of their headline-grabbing news stories. Only a small minority of facilities have sufficient breach-notification processes and alerting tools in place. That needs to change. Generally available monitoring software can notify the appropriate security authorities immediately if or when a breach occurs.
4. Segregate data. In the event that systems are hacked or another security failure occurs, organizations must have additional layers of protection in place. Using control compliance tools, enterprises can isolate confidential data and store it in a scrambled or "garbage" format. That way, if hackers or other unauthorized persons get into the system, the data cannot be read in the original (or meaningful) format.
5. Implement user and session reporting. It's critically important to capture detailed data about users' logins and logouts, including time, number of successful and failed logins and the files accessed. HIPAA-compliant event or "sys log" tools can proactively monitor and analyze employee logins to EHRs and other systems to flag potentially unauthorized activities.
6. Beef up physical security. Besides virtual security, organizations must put controls in place to prevent physical breaches. Using SAS 70 Type II-compliant data centers can mitigate risk and ensure ePHI security. SAS 70 Type II compliance offers an extra level of security for video surveillance, access badges, biometrics and multiple layers of security authentication before access to ePHI is granted. Additionally, the multiple layers of authentication and access control provide the ability to audit, and audit logs should be reviewed routinely to identify unauthorized attempts and ensure that the appropriate security measures are in place. Last, these data centers are constructed to withstand natural disasters such as fires, hurricanes and earthquakes.
7. Establish clear access control policies. Health facilities should document and keep an up-to-date log of authorized insiders, including employees, providers and others who have access to ePHI. That way, security officials can quickly investigate if they suspect an insider was involved in a data breach.
8. Restrict areas where ePHI is stored. To provide extra layers of security, facilities should lock down servers and restrict areas where patient data is stored.
9. Adopt backup, disaster recovery and operational crisis plans. Encrypt all data stored in onsite locations as well as data backed up offsite. Take steps to ensure clear procedures and trained personnel are in place if a crisis or disaster occurs.
10. Protect data stored on a network. Many breaches occur when a single laptop is lost or stolen. Organizations can install security mechanisms to encrypt laptops and other devices should they fall into the wrong hands.
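Step 5 above calls for capturing login, logout and file-access events and flagging potentially unauthorized activity. The following is an added example, not part of the original answer or of any vendor's "sys log" product: it parses constructed EHR audit log lines, builds the per-user login/file summary the step describes, and raises alerts for repeated failed logins and for record access outside business hours. The log format, user ids, failure threshold and business-hours window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit log (not from any real system). Assumed line format:
# "<ISO timestamp> user=<id> event=<login_ok|login_fail|logout|file_access> [file=<name>]"
SAMPLE_LOG = """\
2016-10-16T08:02:11 user=nurse01 event=login_ok
2016-10-16T08:05:40 user=nurse01 event=file_access file=patient_1042.rec
2016-10-16T17:10:00 user=nurse01 event=logout
2016-10-16T23:41:02 user=clerk07 event=login_fail
2016-10-16T23:41:30 user=clerk07 event=login_fail
2016-10-16T23:42:05 user=clerk07 event=login_fail
2016-10-16T23:42:40 user=clerk07 event=login_fail
2016-10-16T23:43:10 user=clerk07 event=login_ok
2016-10-16T23:44:00 user=clerk07 event=file_access file=patient_2210.rec
2016-10-16T23:44:30 user=clerk07 event=file_access file=patient_2211.rec
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+)(?: file=(\S+))?$")
FAILED_LOGIN_THRESHOLD = 3      # assumed: this many failures triggers an alert
BUSINESS_HOURS = range(7, 19)   # assumed on-shift window: 07:00 to 18:59

def parse_log(text):
    """Parse audit lines into (timestamp, user, event, file) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, event, fname = m.groups()
        events.append((datetime.fromisoformat(ts), user, event, fname))
    return events

def summarize_sessions(events):
    """Per-user counts of successful and failed logins plus the set of files accessed."""
    summary = defaultdict(lambda: {"login_ok": 0, "login_fail": 0, "files": set()})
    for _, user, event, fname in events:
        if event in ("login_ok", "login_fail"):
            summary[user][event] += 1
        elif event == "file_access" and fname:
            summary[user]["files"].add(fname)
    return dict(summary)

def flag_suspicious(events):
    """Return alert strings: repeated failed logins and record access outside business hours."""
    alerts = []
    for user, s in summarize_sessions(events).items():
        if s["login_fail"] >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"{user}: {s['login_fail']} failed logins")
    for ts, user, event, fname in events:
        if event == "file_access" and ts.hour not in BUSINESS_HOURS:
            alerts.append(f"{user}: after-hours access to {fname} at {ts.isoformat()}")
    return alerts
```

Running `flag_suspicious(parse_log(SAMPLE_LOG))` on the constructed log yields one failed-login alert for clerk07 and two after-hours access alerts; in practice the alerts would feed the breach-notification process described in step 3.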
2. The bioethics principle of respect for persons also places importance on individual autonomy, which allows individuals to make decisions for themselves, free from coercion, about matters that are important to their own well-being.
There are a variety of reasons for placing a high value on protecting the privacy, confidentiality, and security of health information.
The more common view is that privacy is valuable because it facilitates or promotes other fundamental values, including ideals of personhood such as: