Earlier this year, the global WannaCry ransomware cyberattack shut down hospitals across Europe. The hospitals were among many groups unable to access their own data.
There’s been a lot of concern about the security of electronic medical records, which contain information like height, weight, medical diagnoses, and Social Security numbers.
According to the U.S. Department of Health and Human Services, one in 10 Georgians was a victim of a health care data breach over the past year.
Here’s how a typical ransomware attack might happen: a hospital employee is using her computer when a message flashes on the screen telling her all of the files are being held hostage.
“And it locks you out from those files and it tries to get you to pay ransom, usually in bitcoin,” said Atlanta attorney David Cole.
Cole specializes in cybersecurity and represents the Peachtree Neurological Clinic, which has two locations in Atlanta and recently experienced a ransomware attack.
“Peachtree Neurological Clinic this time, fortunately, had a complete backup in place of their medical records, so they didn’t have to pay the ransom, which is good news,” Cole said.
But during the event, the clinic also discovered hackers had access for more than a year and the clinic had no idea.
“Whoever accessed the system first was then able to set up a user account and so when they do that, there’s nothing to really indicate that anything wrong is going on and they can operate in the background and cover their tracks,” Cole said.
In July, Cole helped notify 183,505 patients their information was exposed. It included “patient names, addresses, telephone numbers, social security numbers, dates of birth, driver’s license numbers, treatment or procedure information, prescription information, and/or health care insurance information,” according to the notice.
“We could not confirm which files, if any, these individuals might have been able to access while they were in the system. It’s possible they didn’t access any files at all,” Cole said. “A lot of times, we’ll see hackers gain access not for the purpose of stealing files, but for the purpose of engaging in malicious activity like using [the hospital’s] server to engage in fraudulent internet transactions so that it looks like it originated from [the hospital].”
Ge Bai is a professor of accounting at Johns Hopkins University and recently published a study on health care data breaches. She said teaching hospitals are often more vulnerable to attacks because more people have access to the data, but it’s impossible for hospitals to keep private records completely out of hackers’ reach.
“What the hospital can do is just to mitigate and manage risk,” Bai said.
Besides holding hospitals’ data hostage, hackers can profit from a patient’s financial information by filing false tax returns or stealing the person’s identity.
Hospitals in Georgia say they are fighting back in many ways, including improving cybersecurity and backing up data more often.
But ransomware attacks are still common in metro Atlanta, says attorney Roy Hadley. Hadley is co-chair of the privacy and cybersecurity practice at Thompson Hine and chair of the information security society for the Technology Association of Georgia.
“A lot of companies that are impacted won’t say anything. They’ll quietly pay the ransom,” Hadley said. “Restore from backups and quietly get it fixed and never even mention it. It’s much more widespread than what’s reported.”
That’s because only health care breaches that impact more than 500 patients are made public by the U.S. Department of Health and Human Services Office for Civil Rights.
Federal law requires that those patients be notified about data breaches. More than a million Georgians got such a letter in the past year.
The letters were sent out by several health care organizations, including Skin Cancer Specialists, two Emory Healthcare clinics, Augusta University Medical Center and the GI Care for Kids Endoscopy Center.
The increase in cyberattacks has created demand from hospitals for what’s called cyber insurance.
“It’s daily,” said Desiree Spain, an underwriter with the Beazley Group in Atlanta. “We have an in-house breach response team that handles these calls 24/7/365, and they are inundated with incident reports.”
These insurance policies cover things like financial loss from an attack and possible ransom payments.
Electronic Medical Records
About a decade ago, Congress began offering extra cash to doctors who ditched paper for electronic health records, making them a richer target for hackers. Attorney David Cole said these cyberattacks are so common now, they’ve just become part of doing business.
“I don’t know if it’s quite right to say, perhaps some people have become numb to it. They are starting to understand that the business who’s had the data breach, like them, is a victim as well.”
Unfortunately for both patients and hospitals, these attacks are only on the rise and getting more expensive. Every time a hospital is hit, it spends nearly $12 million to fix the damage.