Hospitals and ransomware

Ransomware, a vicious form of malware which locks up files, programs or even entire computer systems and prevents users from accessing them until a ransom is paid, has been a growing problem for all manner of consumers and businesses in recent years. One type of business that has been hit hard by ransomware attacks recently is hospitals. It’s no secret that the healthcare industry as a whole is vulnerable to all manner of security intrusions, as large-scale data breaches of health care companies like Anthem and Excellus BlueCross BlueShield have shown. However, you might be wondering what exactly it is that makes hospitals such easy targets for ransomware attacks — and what is being done to help improve security and lessen the chances of entire hospitals being taken virtual hostage by hackers.

Hospitals across the U.S. and internationally have been hit hard

According to a study released by the Institute for Critical Infrastructure Technology (ICIT), a cybersecurity think tank, 2016 is the year that ransomware will hold America hostage. Specifically, the study cited ransomware attacks on hospitals and health departments in the U.S. as well as Germany in recent months. The first noted attack on a U.S. hospital by ransomware occurred around Feb. 5, 2016, when the Hollywood Presbyterian Hospital Medical Center’s computer system was infected by what is known as the Locky ransomware. It demanded the hospital pay 40 Bitcoins, which amounts to $17,000, in order to regain access to its computer system — and hospital administrators had no choice but to pay up.

All the way across the country on March 25, 2016, MedStar Health, one of the Washington D.C. area’s largest healthcare providers, was crippled when ransomware hit its computer systems, demanding 45 Bitcoins ($19,000) within a 10-day time frame in order to get file access back. All in all, 10 hospitals and more than 250 outpatient health centers were forced to shut down and turn away patients or provide care without access to medical records as a result of the attack. The hospital ultimately did not pay the ransom, instead opting to take its system offline and restore from backups, as stated in a press release.

Many other similar attacks have occurred in recent months. In some cases, the hospitals paid the ransom, in others they worked with security experts and law enforcement to find a way around it like MedStar Health did.

These attacks present far more danger than loss of money

Because hospitals and other health care providers have been focusing on going completely digital in recent years, losing access to online systems can be detrimental to a facility’s ability to operate — as well as potentially dangerous to people’s health and lives. Without full access to medical records, critical data such as allergies, health history and more might be overlooked. At the very least, serious backlogs will occur while staff members turn to paper records and faxes or hand delivery, but at the very worst, people could lose their lives. Although there are certainly many benefits to entirely digital healthcare systems and facilities, all of that data must be protected with the utmost security to keep it safe.

What makes hospitals such great targets for ransomware?

Ransomware itself is nothing new. It’s been around in varying forms for more than two decades, with the first showing up all the way back in 1989. However, for a long time ransomware was ineffective and tended to target mostly single-user computers, rather than entire businesses or networks. Typically, the amount demanded for ransom doesn’t amount to a whole lot, but as hackers have figured out how to target larger, insecure infrastructure like hospital IT networks, they’ve been able to demand far larger sums and get away with it. Health care as a whole suffers from outdated security, and historically most hospitals only spend a fraction of their budget on IT. This means a scary majority of hospitals are vulnerable to attacks — something hackers have proven by shutting down whole hospitals with ransomware attacks.

Furthermore, due to the life-and-death nature of a hospital’s purpose and how it functions, there’s a strong possibility the hackers will see their ransoms paid if they’re successful at shutting a system down. That’s what happened in the case of Hollywood Presbyterian. Many hospitals have been able to manage without paying the ransom, but the cost is still high as restoring from backups is slow and accompanied by the risk of losing some data — as well as leaving staff operating blind without many of the safety checks that help prevent mistakes from being made.

There have been some arguments that hospitals that have been attacked, such as MedStar, were aware of security vulnerabilities well before the attack came, and given the lack of spending when it comes to IT in the healthcare industry, this is certainly possible. It’s a familiar lesson already learned by retailers such as Target, which famously came under fire for ignoring the signs that an attack was looming in the months leading up to the massive 2013 credit card breach. The cost to upgrade systems and increase cybersecurity will be high, but it’s mandatory if hospitals want to keep themselves running and protect their patients.

What can the average citizen take away from all of this?

While there isn’t a whole lot you can do in the face of a ransomware attack on a hospital or health care facility you use, you can be proactive in pushing for upgrades by asking questions about the cybersecurity protocols it follows. Hospitals should be able to provide you with a copy of their privacy policies, which will tell you what they do with your data and how it’s stored (as well as when and how it’s disposed of). It might also be good to ensure that you’ve got any pertinent medical information, such as medications you are allergic to or details about your medical history that could be relevant in an emergency, on hand so that if there ever was an issue with a hospital’s system while you were a patient, you could make sure the staff around you knew what they needed to know. In general, ransomware is used purely to extract money from the person or entity it targets — not to steal data — but if you’re concerned, again, understanding your hospital’s privacy policy is essential. You can also follow the steps outlined in this blog post to protect yourself against medical identity theft.

Want to learn more about personal security online and off? Follow our identity theft protection blog for tips and information to protect yourself and your loved ones.