The Ransomware Crisis, Part II: Hospitals Under Attack

EDITOR’S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for healthcare facilities in the U.S. to protect themselves from cybercriminals demanding ransom for patient records. This is the second piece in a series of reports on the ransomware crisis.

Hospitals are under attack, as the world is now witnessing one of the most significant ransomware waves in history. In the U.S., the Department of Homeland Security and Federal Bureau of Investigation are on alert, but they respond only after the fact.

Hospitals risk having all of their electronic medical records (EMRs) encrypted. In order to get the electronic “key” to unlock the data, a ransom must be paid.

Healthcare in the United States is a very important part of the economy. Annual spending amounts to more than $11,000 per citizen, and healthcare accounts for around one-fifth (20 percent) of the GDP. Since the size of the U.S. economy is around $18 trillion, this means that healthcare spending is around $3.6 trillion. In other words, U.S. spending on healthcare alone amounts to more than the entire GDP of every country in the world except the U.S., China, and Japan.

Even though healthcare represents a large part of the U.S. economy, spending on cyber-security is less than 10 percent of the overall security budget. The healthcare sector is under-investing in security, and so the ransomware sharks smell blood in the water.

Preparing for a Ransomware Attack

There are three principal areas hospitals need to focus on in order to prepare for a ransomware attack. These include the following:

  • Technology
  • Operations
  • Legal and Regulatory


Technology

The technology side of prevention is well-known. The ICT department is in charge of protecting computing infrastructure. This includes vetting personnel, maintaining proper access, control, and security, and also keeping the system up to date by installing “patches” regularly released by software vendors. In addition, the ICT department must maintain contract with vetted security vendors that provide important services such as firewall protection as well as backup and disaster recovery.

Operations

The operations side is more difficult to master. This entails having in place an understood set of policies and procedures that ensure proper computer security and control over access to information. 

Continuous training and awareness-raising efforts with all participants in the hospital community that come into contact with the information system is required. In practical terms, this means everyone. But operations does not involve only training. It also involves “fire drills” and “rehearsals” so that everyone knows exactly what to do if disaster strikes.

What if the entire information system goes down? How can hospitals revert to manual, paper-based record-keeping, if necessary? Capacity-building for hospitals also involves documenting all of the standard operating procedures that will guarantee the quality response that is needed.

Finally, hospitals must constantly benchmark and measure their operations to know at all times how well their important work is being carried out. Metrics are crucial.

Legal and Regulatory

All hospitals are familiar with the rigid and comprehensive rules governing privacy of name-linked data. This patient data must never be allowed to leak out, and must be permanently saved in a way that ensures its security is never threatened.

As we all know, severe penalties can strike should a hospital fail in its privacy obligations. But preparing for a ransomware attack goes well beyond the procedures necessary to keep patient data private. Instead, what we need to be concerned about is what happens after a ransomware attack already has taken place. There are a number of legal issues that many hospitals are not prepared to handle.

First, there are a number of notification requirements that must be adhered to. Every single patient whose records have been accessed must be identified and sent a letter explaining the situation. Failure to perform proper notification can result in large fines.

Second, it is crucial that the hospital knows how to preserve evidence needed to allow investigators to pinpoint the identity of the attacker. There must be a sufficient forensic cyber record on hand to make a prosecution stick.

Third, there needs to be an emergency financial procedure in place so that funds can be paid out quickly. It may be useful to have a contingency fund in place.

Fourth, the hospital must be prepared to handle any tort negligence liability from disgruntled patients or others who wish to extract their pound of flesh.

In the end, hospitals must realize that not only is it necessary to take every possible security measure to ensure that information systems are not compromised, but also to have in place documented and rehearsed procedures that are understood well by all principal persons who are ready to put them immediately into play. 

Print Friendly, PDF & Email
Facebook
Twitter
LinkedIn

Edward M. Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Frank Cohen shows you how to leverage the Comprehensive Error Rate Testing Program (CERT) to create your own internal coding and billing risk assessment plan, including granular identification of risk areas and prioritizing audit tasks and functions resulting in decreased claim submission errors, reduced risk of audit-related damages, and a smoother, more efficient reimbursement process from Medicare.

April 9, 2024
2024 Observation Services Billing: How to Get It Right

2024 Observation Services Billing: How to Get It Right

Dr. Ronald Hirsch presents an essential “A to Z” review of Observation, including proper use for Medicare, Medicare Advantage, and commercial payers. He addresses the correct use of Observation in medical patients and surgical patients, and how to deal with the billing of unnecessary Observation services, professional fee billing, and more.

March 21, 2024
Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets

Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets

Explore the top-10 federal audit targets for 2024 in our webcast, “Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets,” featuring Certified Compliance Officer Michael G. Calahan, PA, MBA. Gain insights and best practices to proactively address risks, enhance compliance, and ensure financial well-being for your healthcare facility or practice. Join us for a comprehensive guide to successfully navigating the federal audit landscape.

February 22, 2024
Mastering Healthcare Refunds: Navigating Compliance with Confidence

Mastering Healthcare Refunds: Navigating Compliance with Confidence

Join healthcare attorney David Glaser, as he debunks refund myths, clarifies compliance essentials, and empowers healthcare professionals to safeguard facility finances. Uncover the secrets behind when to refund and why it matters. Don’t miss this crucial insight into strategic refund management.

February 29, 2024
2024 ICD-10-CM/PCS Coding Clinic Update Webcast Series

2024 ICD-10-CM/PCS Coding Clinic Update Webcast Series

HIM coding expert, Kay Piper, RHIA, CDIP, CCS, reviews the guidance and updates coders and CDIs on important information in each of the AHA’s 2024 ICD-10-CM/PCS Quarterly Coding Clinics in easy-to-access on-demand webcasts, available shortly after each official publication.

April 15, 2024

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

SPRING INTO SAVINGS! Get 21% OFF during our exclusive two-day sale starting 3/21/2024. Use SPRING24 at checkout to claim this offer. Click here to learn more →