Ransomware has been used to target hospitals throughout the United States for the past few years. As a direct response to the tenacity and increasing frequency of attackers, hospitals have been forced to be more diligent in their security approaches. However, a recent report by the Healthcare IT News and HIMSS Analytics Quick HIT Survey suggested that as many as 75 percent of United States hospitals might have been attacked with ransomware in the last 12 months. The increase in attacks has left hospitals wondering what preventative measures they can take to protect the records of their staff, patients, and administrators.
How Can Hospitals Protect Against Ransomware Attacks?
The Healthcare IT News and HIMSS Analytics Quick HIT Survey revealed a few surprising statistics. Of the hospitals polled, over 50 percent responded that they had been attacked with ransomware within the last 12 months. 25 percent of respondents noted that they might have been targeted by ransomware attacks, although there was a degree of doubt. This latter statistic is particularly alarming when you consider the number of personal records that are stored by hospitals. The silver lining to the report lies in the fact that only a small percentage of hospitals had data encrypted or successfully stolen.
In order to protect against ransomware attacks, hospitals need to have the following safeguards in place:
- A Business Continuity Plan. Hospitals need to be prepared to immediately address a ransomware attack, should one unexpectedly occur. The business continuity plan should also provide the guidelines needed to respond to current and past patient concerns and staff questions, while simultaneously ensuring that the hospital can operate at full capacity in the immediate aftermath of an attack.
- An Information Security Plan. Hospitals need to work with a trusted Information Security Provider if they want to protect their valuable data and medical records from theft or ransomware encryption. If a ransomware attack occurs, hospitals need to know how to react, including whether they are going to pay the ransom. As part of this plan of action, hospitals should be able to work with their Information Security Provider to immediately determine:
  - When the attack occurred;
  - The scale of the data breach;
  - How widespread the encryption is;
  - What records are affected;
  - When the last data back-up occurred; and
  - If the funds are available to pay the ransom (should that be the advised course of action).
- End-User Training and Education Courses. Ransomware is often delivered via phishing scams. The most popular scams use a seemingly “normal” email to deliver malicious code via a downloaded file or embedded link. Hospitals and healthcare clinics must teach their end-users to be diligent. The more prepared an employee is, the easier it will be for them to spot a phishing scam and subsequently alert the IT department. Additionally, educated employees are more likely to perform the security and software updates that are vital to protecting important hospital data and records. Ultimately, hospitals and healthcare clinics should consider having a Managed Security Service Provider (MSSP) manage and monitor their environment.
The Bottom Line: Hospitals Must Remain Vigilant And Prepared
In the face of a growing number of ransomware attacks, hospitals must remain vigilant. Through frequent back-ups, employee education, a business continuity plan, and the right Information Security Provider, hospitals can better protect their data from theft. Discover a better way to protect your vital records when you work with Intrinium to implement an integrated approach to Information Security.