In Healthcare, Ransomware Actually Threatens Patient Safety

Imagine needing medical care and being turned away because the hospital or provider is paralyzed by a ransomware attack. Perhaps even scarier: needing emergency care and being treated “blind” by doctors who can’t access your medical records. This isn’t some far-off worst-case situation. Just last March, MedStar Health, the largest healthcare provider in the D.C. region, was forced to turn patients away and treat others “blind” for two full days after ransomware locked down its patient database.

Legislators urge HHS to focus on continuous data access

Nightmare scenarios like this are getting the attention of regulators and legislators. In June, two U.S. congressmen released a letter urging HHS to amend HIPAA rules to prioritize continuity of data access. In particular, they called for a focus on any incident that “results in either a denial of access to an electronic medical record and/or loss of functionality necessary to provide medical services.” The loss of data access is more concerning than a privacy breach, explained Congressman Ted Lieu, because “it could result in medical complications and deaths if hospitals can’t access patient information.”

It makes sense, doesn’t it? Patients (and the general public) have a right to know about incidents like this. After all, you might not choose the hospital that can’t promise continuous care.

Is healthcare too focused on data privacy?

HHS did recently issue specific guidance on ransomware and HIPAA compliance. But the guidance stays within the realm of original HIPAA rules, focusing entirely on data privacy concerns. The result, according to a new report titled “Hacking Hospitals” is that the typical healthcare organization has built its security infrastructure and strategy with tunnel vision on patient data privacy and HIPAA compliance. The report cautions that a singular focus on data privacy leaves an organization unprepared and vulnerable to a range of other cyber attacks that may pose an equal or greater risk. In the case of ransomware, the risk arguably supersedes patient privacy concerns, impeding the organization’s ability to actually deliver patient care. “These findings illustrate our greatest fear,” the report warns, “patient health remains extremely vulnerable.” The report concludes that the focus on data privacy, “while important, should come second to protecting patient health.”

Importance of data access elevates disaster planning and recovery

The shift toward focusing on continuous data access isn’t unique to healthcare. Regulators in every industry are realizing that an interruption to data access—such as ransomware attack—may have a graver impact than a traditional data breach. Businesses themselves are also seeing the threat of huge monetary losses from an interruption in service delivery. Looking back to healthcare, the ransomware attack on Hollywood Presbyterian Medical Center made headlines for the $17,000 ransom payment, but the cost of system downtime was far higher, with an estimated $1 million in lost revenue from lost CT scans alone.

This realization is putting disaster planning and recovery on the same level as detection and prevention in a modern data security strategy—and putting data backup squarely in the spotlight. The legislators pushing for HIPAA changes already acknowledge that effective backup can eliminate data access interruptions and mitigate the risk to patient health. Future regulations in healthcare and other industries will likely include specifications for comprehensive data backup—covering central servers and systems, as well as the half of all enterprise data that now lives on users’ endpoint devices.

Considering the high risk and cost, we don’t advise waiting around until regulators force the issue.