Many articles have been written on vulnerabilities in medical devices that speculate on the potential impact to patient safety. In a recent string of attacks on healthcare facilities (see Heritage Valley Health Systems, Peachtree Neurological Clinic and Urology Austin), ransomware has become an increasing threat to healthcare providers, but little has been said about how it could impact patient safety. Ransomware infects a PC and restricts access to the infected PC, typically by encrypting most files. When the ability to use PCs is significantly hindered—largely making them inoperable—caregivers in hospitals may be forced back to paper-based workflows. In today’s day and age, this causes a significant disruption to normal operations.
Ransomware has become an easier source of revenue for cybercriminals. After a successful attack, the organization finds itself crippled from an information availability perspective. The data it needs to function is no longer available, and the organization is left with a risk management decision: does it bow to the demands of the criminal, or try to recover on its own, not knowing whether it can or how long it will take? Although most would agree that bowing to the demands of a criminal is morally and ethically a bad decision, C-level leaders have to make the decision that’s in the best interest of the organization. Many hospitals choose to pay the fee for a potentially quicker recovery, and assume the risk that the criminal will provide the decryption key and won’t try the same threat again. Given the potentially significant impact to hospital operations, many healthcare executives might make the same call.
Potential impact of ransomware
When threat impacts are discussed in the healthcare industry, the conversation is usually quick to steer to medical devices, a top concern today. What’s the potential impact to hospitals from ransomware attacks? Information is time-critical at hospitals, especially in the emergency rooms and operating rooms. If PCs stop functioning and there are delays in information access and information flow, it could cause substantial disruption, and could even cause patient safety concerns.
What impact could a return to paper charts have on human life and safety? Many in the field might say “that’s no big deal—our caregivers know how to fall back to paper processes.” However, organizations need to ask themselves whether that’s still realistic in 2018. Newly qualified physicians and nurses train on electronic medical record systems. Unless organizations are training staff how to operate when the system is down, they’re not going to know how to work on paper.
Let’s consider caregivers trying to treat patients, and consider the difficulties they would encounter if their PCs weren’t functional, rendering no access to the electronic medical record system.
- Patient medical history inaccessible—Caregivers must learn that from the patient or family members, and if the patient is unconscious, family is not present or they don’t speak the same language, that can cause significant delays in treatment.
- Patient medication history unavailable—To treat a patient effectively, a physician needs to know what medications the patient takes on a regular basis and what medications have been administered to this patient in the last 24 to 48 hours. If prescribed the wrong medication or incorrect dosage, there could be serious risk of harm to the patient.
- Lab orders delayed—Now orders need to be delivered on paper or over the phone. If 50 people are trying to place orders concurrently, how long will it take to place the order?
- Lab results stalled—Lab results are typically transmitted electronically. If that communication link is broken, how long will it take to get the lab result to the caregiver?
- Prescriptions postponed—Prescriptions cannot be ordered electronically, so they must be written and delivered by hand.
- Medical devices inoperable—Some medical devices rely on PCs to manage the device. If that PC becomes inoperable, a critical MRI scan, or the interpretation of radiologic data, may not happen.
- Monitoring PCs impacted—Medical devices that feed data to a central nursing station may no longer be able to because the monitoring station isn’t functional. The hospital may not have adequate staff to physically visit all rooms to monitor the patients.
- Potential public relations controversy—Imagine a family coming to the hospital to visit a family member after a major surgery and the hospital can’t tell the family what room the patient is in because the staff at the desk can no longer access the application that tracks location of patients. What if that patient passes before the family can see them?
What can organizations do to protect themselves from ransomware?
- Put strong technologies in place to prevent and detect threats. Email security, web security and endpoint security technologies need to be able to identify these threats so that the threat has no ability to penetrate the organization. Because no technology is perfect and the threats can be so tricky for users to identify, you need to focus on.
- Educate the workforce. Ransomware is typically spread via infected email attachments or links. Staff need to understand threats of this type and resist the need to click that link, or launch that file to see what it is. Repetition of security education is key.
- Make sure IT, security and other staff or partners are trained in prevention, detection and incident response. Without trained staff, an organization’s ability to detect and respond to threats is severely limited, which could cause significant downtime and expense.
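The first item above asks endpoint security to "identify these threats" without saying what that looks like in practice. The behaviour the article opens with (a process rewriting most of a user's files with encrypted content) is itself detectable. The following is an added example, not code from the article or from any Forcepoint product: a small Python heuristic that reads endpoint file-event records, and flags any process that, inside a short window, rewrites many files to a new extension with high-entropy content. The log format, process names, paths and thresholds are all constructed for this example.

```python
"""Heuristic detector for ransomware-like file activity on an endpoint.

Added example (not from the article). Input is a constructed log format:
    ISO-timestamp|process|operation|old_path|new_path|hex of first bytes written
Real EDR/file-audit products emit their own formats; only the idea carries over.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a sample: encrypted/random data approaches 8, plain text sits around 4-5."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_event(line: str) -> dict:
    """Split one constructed log line into a typed record."""
    ts, proc, op, old, new, hexdata = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "proc": proc, "op": op,
            "old": old, "new": new, "data": bytes.fromhex(hexdata)}


def extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def detect_ransomware_like(lines, window=timedelta(seconds=60),
                           min_files=10, min_entropy=5.0) -> dict:
    """Return {process: alert} for processes that rename+rewrite >= min_files files
    with a changed extension and high-entropy content within `window`."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e["proc"]].append(e)

    alerts = {}
    for proc, evs in by_proc.items():
        # Sliding window: each event in turn is tried as the start of the window.
        for i, start in enumerate(evs):
            suspicious = [
                e for e in evs[i:]
                if e["ts"] - start["ts"] <= window
                and e["op"] == "WRITE_RENAME"
                and extension(e["new"]) != extension(e["old"])
                and shannon_entropy(e["data"]) >= min_entropy
            ]
            if len(suspicious) >= min_files:
                alerts[proc] = {"files": len(suspicious),
                                "first_seen": start["ts"],
                                "sample": suspicious[0]["new"]}
                break  # one alert per process is enough for a responder
    return alerts


def build_sample_log() -> list:
    """Constructed sample events: a word processor saving notes, and one process
    rewriting fifteen chart files to a '.locked' extension with encrypted-looking bytes."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    note = b"Patient note: vitals stable, BP 120/80, temp 37.0C, no change.".hex()
    for i in range(3):  # benign: same extension, readable text
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts}|winword.exe|WRITE_RENAME|C:\\charts\\note_{i}.docx"
                     f"|C:\\charts\\note_{i}.docx|{note}")
    for i in range(15):  # suspicious: extension changes, 64 distinct byte values (entropy 6.0)
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        blob = bytes(range(i, i + 64)).hex()
        lines.append(f"{ts}|cryptor.exe|WRITE_RENAME|C:\\charts\\chart_{i:02d}.docx"
                     f"|C:\\charts\\chart_{i:02d}.docx.locked|{blob}")
    return lines


if __name__ == "__main__":
    for proc, alert in detect_ransomware_like(build_sample_log()).items():
        print(f"ALERT {proc}: {alert['files']} files rewritten since "
              f"{alert['first_seen']:%H:%M:%S}, e.g. {alert['sample']}")
```

The three thresholds (window length, file count, entropy floor) are the tuning knobs: a backup agent or a compression job also writes high-entropy data quickly, so in a hospital deployment they should be set per process class and validated against a week of normal activity before the alert is allowed to trigger an automated response such as isolating the host.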
The bottom line is to have contingency plans. In the age of ransomware, every organization needs to ponder the cost of investing in cybersecurity and education versus the cost of using pens and paper.
By Doug Copley, Forcepoint Senior Security, Privacy & Risk Strategist