COVID-19 and the uptick in ransomware attacks and social engineering

April 9, 2020

Can a ransomware attack result in a patient’s death?

Both government agencies and technology companies, such as Microsoft, are warning healthcare providers about increased attacks.

In an April 1, 2020 posting on its website, Microsoft cautioned that cybercriminals were exploiting vulnerabilities to execute attacks:

True to form, human-operated ransomware campaigns are always on the prowl for any path of least resistance to gain initial access to target organizations. During this time of crisis, as organizations have moved to a remote workforce, ransomware operators have found a practical target: network devices like gateway and virtual private network (VPN) appliances. Unfortunately, one sector that’s particularly exposed to these attacks is healthcare.

In mid-March, the U.S. Department of Health and Human Services confirmed that its computer system had suffered a cyber-attack. Fortunately, after conducting a post-incident risk assessment, it was determined that no data had been exfiltrated.

In the healthcare sector, there are two primary categories of workers: (1) those who are directly involved in “hands-on” patient care; and (2) those who perform other functions outside of direct, “hands-on” patient care. The first category should be self-explanatory: physicians, nurses, physician assistants, technicians (e.g., radiology technicians, phlebotomists, patient transport), etc. The second category encompasses everyone from hospital or practice administrators to billers and coders, IT companies, and health insurance company workforce members, just to name a few. The second group is largely able to telecommute, and some members of the first group are able to diagnose and treat certain patients via telehealth.

Unfortunately, despite the Security Rule’s requirement to have adequate technical, administrative, and physical safeguards in place, including comprehensive Disaster Recovery and Business Continuity policies and procedures and adequate privacy and security training with a focus on social engineering, many businesses (small, medium, and large) were not prepared to transition workforce members to telecommuting or telehealth with similar safeguards. This left open vulnerabilities that cyber-attackers could exploit. As the U.S. Department of Homeland Security cautioned:

Functioning critical infrastructure is imperative during the response to the COVID-19 emergency for both public health and safety as well as community well-being. Certain critical infrastructure industries have a special responsibility in these times to continue operations. 

One item that cannot be overlooked (and it’s something my clients and I train employees on) is whether a ransomware attack can result in a patient’s death. The answer is yes, because if medical records cannot be accessed, it may be difficult to ascertain the status of a patient, when doses were administered, and what allergies are present. That is why “old school” methods, such as writing critical information (using the minimum necessary standard) on white boards in patient rooms, are imperative, as is having paper, faxes, and scanners available.

Overall, the number one item to focus on during training regarding ransomware attacks is social engineering, which takes many forms, including phishing emails as well as phishing text messages and social media messages. As Microsoft and government agencies warned, the healthcare sector is particularly vulnerable to attack. If adequate safeguards were not in place beforehand, organizations should know what basic measures to take at home, in offices, and at healthcare facilities to mitigate the risk of a successful attack.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.