On April 4 an ordinary-looking e-mail arrived in a clinical worker’s Microsoft Outlook inbox at a small Indiana hospital. In the “From” field was the name of the hospital’s new printer and fax machine paired with its official e-mail domain. The subject line was simply the word “Invoice.” That is, it all looked mundane and legit—like a routine document sent from the device.
But that e-mail, one of several that made it past the hospital’s firewall, unleashed a virus that encrypted files on the worker’s computer hard drive and connected to a server. A window popped up giving instructions and links to retrieve a key to unlock the files.
King’s Daughters’ Health in the small town of Madison, Ind., was the victim of a so-called ransomware attack. A series of such attacks in recent weeks, including one that disabled the computer systems at MedStar Health, a much larger and more sophisticated organization based in Columbia, Md., has startled hospitals across the U.S.
Healthcare organizations, for a variety of good and bad reasons, are slow to adopt and update their information technology. And the cybercriminals know it.
“It’s a quick and easy way to monetize weaknesses in health information security,” said Dr. Eric Liederman, director of medical informatics at the Permanente Medical Group. Dealing with ransomware adds one more item to an already crowded to-do list for clinical IT leaders, Liederman said. “My job is to try to find that balance” between clinicians’ workflow needs, patient-safety requirements and security demands.
As hospital IT teams spend much of their time and money figuring out how to meaningfully deploy electronic health records and harness the data for emerging payment and delivery models, the bad guys continue to hone their technology and calibrate their attacks, creating boom times for data defenders. With at least six hospitals targeted in the past month, healthcare leaders are scrambling for protection.
These available wares include legal services, security consultancy, training, systems testing, cyber insurance, security software that runs on and defends computer systems, and remote-hosted software and services that can include fully staffed security operations centers that provide computerized and human watchdogs on the lookout for cyberthreats 24/7.
“Business is booming,” said Eldon Sprickerhoff, founder and chief security strategist at eSentire, a Canadian provider of remote-hosted security services.
At King’s Daughters’ Health, the employee who unwittingly released the malware quickly notified the IT department, which shut down all of the hospital’s computer systems, including its electronic health record system. The EHR system was unscathed, although it was open on the infected computer. Still, the attack forced the hospital to go without e-mail and use paper to document patient encounters until the system’s corrupted files could be deleted and replaced.