Ransomware onslaught shines spotlight on patient data privacy shortcomings


In recent weeks, multiple industries have experienced the devastating consequences of ransomware attacks. A May ransomware attack on Colonial Pipeline — one of the largest pipeline operators in the U.S. — triggered widespread shortages of gas and jet fuel. In June, the world’s largest meat processor shut down nine American plants after being hit.

These organizations and others that provide essential public services or infrastructure are increasingly prevalent targets for ransomware attacks, in which attackers encrypt systems or data, cut off access, and offer to restore it only in exchange for a ransom. The reason bad actors target businesses at the heart of American life is simple: an organization is far more tempted to pay a huge sum when the stakes are high.

“Pharmaceuticals, hospitals, healthcare, public companies, organizations that don’t have the talent and skills to defend themselves — they’re getting sucker punched,” said Kevin Mandia, CEO of cybersecurity firm FireEye, at a Wall Street Journal cybersecurity conference.

Healthcare’s weak spot
In healthcare, where immediate, uninterrupted availability of patient data is critical to the delivery of quality care, ransomware attacks put organizations between a rock and a hard place: they can either reward and encourage criminals by paying the ransom, or allow care quality to hang in the balance while limited internal staff work to regain system access. Hospitals and health systems that choose the latter and resist the ransom could be locked out of their electronic health records (EHRs) for weeks. Because EHRs play a central role in determining a patient’s course of treatment, coordinating care, and ensuring adherence to treatment regimens, blocked access can be devastating from a quality standpoint.

However, the damage of health data hostage situations can extend far beyond point-of-care issues. Patient records contain highly sensitive information that, unlike a password or a card number, cannot be changed or reissued once exposed, so it can be used to commit identity theft and other kinds of fraud long after it is first breached. Thus it is not hard to grasp why, compared to other industries, healthcare organizations are among the most likely to consider paying a ransom to restore data access in the event of an attack, according to a WSJ Pro Research Cybersecurity survey.

While the prospect of a quick resolution makes hospitals and health systems more inclined to pay a ransom, the tremendous sensitivity of patient data means these organizations are also often asked to pay exorbitant amounts to retrieve it. In 2020, ransomware attackers demanded that healthcare organizations pay amounts ranging from $300,000 to $1.14 million, according to HIPAA Journal, with the average demand being $169,446. Over the course of the year, amid the pandemic, healthcare organizations paid at least $2,112,744 to ransomware gangs, and that is just the amount publicly disclosed. The true figure is likely significantly higher.

As an industry long struggling to rein in costs, healthcare simply cannot afford to hemorrhage millions of dollars a year. This is especially true as organizations continue contending with Covid-19-related strain. Unfortunately, hackers are only getting bolder and more creative in their tactics to exploit lucrative patient data. As long as there is money to be made, ransomware gangs will continue to go after healthcare and other critical infrastructure in inventive ways.

Spotlight on privacy threats

The rise of ransomware is bringing patient data privacy concerns to the forefront, but it is far from the only privacy threat to healthcare. According to our retrospective data, while 62% of breaches in 2020 were related to hacking, healthcare insiders themselves accounted for 1 in every 5 breaches. This mix reveals that many individuals and entities want to get their hands on patient data for a variety of reasons, ranging from the innocent (accidentally clicking into the wrong record, for instance) to the nefarious (stealing records to sell on the black market).

Still, healthcare institutions, which are notoriously slow to adopt new technology due to industry complexities, have been woefully unprepared to address these myriad threats to patient privacy. Despite employing hundreds or even thousands of caregivers who interact with the EHR every day, many health systems still attempt to detect potential data misuse by sporadically and manually auditing what amounts to just a small fraction of accesses. A sampled audit only catches misuse that happens to land in the sample, and its coverage scales with the size of the compliance team rather than with the volume of record accesses. While also having to fend off breaches by external actors, compliance teams that rely on manual audits are bound to fall behind.
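To make the contrast between sampled manual audits and automated review concrete, here is an added example of the kind of rule-based pass a compliance team can run over every EHR access record rather than a sample. It is illustrative code written for this article, not code from the original piece or from any vendor product. The log format, the care-team roster, the rule thresholds and the log lines themselves are all constructed assumptions; real EHR audit logs, shift schedules and care-team assignments would be pulled from the EHR and scheduling systems.

```python
"""Rule-based review of EHR access logs (added example, not from the original article).

Every access record is evaluated, not a sample. The rules are deliberately simple
leads for a human reviewer, not verdicts: a legitimate break-glass access will
trip the care-team rule, and a night-shift nurse will trip the after-hours rule.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed audit-log lines (assumed format):
#   timestamp user role patient_id patient_surname action
ACCESS_LOG = """\
2021-06-01T09:12:00 nurse.ali RN P1001 Garcia view
2021-06-01T09:40:00 dr.chen MD P1001 Garcia view
2021-06-01T10:05:00 nurse.ali RN P1002 Nguyen view
2021-06-01T11:00:00 nurse.ross RN P1003 Ross view
2021-06-01T12:00:00 dr.chen MD P1004 Patel view
2021-06-01T12:30:00 dr.chen MD P1005 Okafor view
2021-06-01T23:30:00 clerk.dan CLERK P1001 Garcia view
2021-06-01T23:31:00 clerk.dan CLERK P1004 Patel view
2021-06-01T23:32:00 clerk.dan CLERK P1005 Okafor view
2021-06-01T23:33:00 clerk.dan CLERK P1006 Silva view
"""

# Hypothetical care-team roster: which users are assigned to which patients.
CARE_TEAM = {
    "P1001": {"nurse.ali", "dr.chen"},
    "P1002": {"nurse.ali"},
    "P1003": {"dr.chen"},
    "P1004": {"dr.chen"},
    "P1005": {"dr.chen"},
    "P1006": {"dr.chen"},
}


class Access(NamedTuple):
    ts: datetime
    user: str
    role: str
    patient: str
    surname: str
    action: str


class Finding(NamedTuple):
    rule: str
    user: str
    patient: str  # "*" for per-user findings that span many patients


def parse_log(text):
    """Parse one whitespace-separated access record per line (assumed format)."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, surname, action = line.split()
        records.append(Access(datetime.fromisoformat(ts), user, role, patient, surname, action))
    return records


def audit(text, care_team, work_start=7, work_end=19, max_distinct_patients=3):
    """Apply every rule to every record; thresholds are illustrative, not tuned."""
    records = parse_log(text)
    findings = []
    for r in records:
        # Rule 1: the user is not on the patient's care team.
        if r.user not in care_team.get(r.patient, set()):
            findings.append(Finding("not_on_care_team", r.user, r.patient))
        # Rule 2: the access falls outside assumed working hours [work_start, work_end).
        if not (work_start <= r.ts.hour < work_end):
            findings.append(Finding("after_hours", r.user, r.patient))
        # Rule 3: crude family-snooping heuristic; user ids are assumed to end in a surname.
        if r.user.rsplit(".", 1)[-1].lower() == r.surname.lower():
            findings.append(Finding("surname_match", r.user, r.patient))
    # Rule 4: one user touching more distinct patients than the threshold in the window.
    patients_per_user = defaultdict(set)
    for r in records:
        patients_per_user[r.user].add(r.patient)
    for user, patients in sorted(patients_per_user.items()):
        if len(patients) > max_distinct_patients:
            findings.append(Finding("high_volume", user, "*"))
    return findings


def summarize(findings):
    """Count findings per rule so a reviewer can triage the noisiest rule first."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    results = audit(ACCESS_LOG, CARE_TEAM)
    for f in results:
        print(f"{f.rule:18} {f.user:12} {f.patient}")
    print(dict(summarize(results)))
```

On the constructed log the pass flags the nurse who opened a record for a patient sharing her surname and the clerk who read four unassigned charts after hours, while the two staff members whose accesses all match their assignments produce no findings. The value is in the coverage: the same rules run over every record, so adding users or accesses adds no review effort until a finding needs a human look.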

As the guardians of highly personal and coveted data, hospitals and health systems should see the recent onslaught of ransomware attacks across industries as an impetus to better protect their own institutions. By replacing manual processes with automated, artificial intelligence-powered analytics, healthcare organizations can position themselves to maintain both patient trust and financial stability.