Held for Ransom. A New Pandemic is Sweeping American Healthcare

It happens every day to companies across America. Hackers exploit vulnerable computer systems and literally “take over” the company. Using dark web tools from bases abroad where they may or may not enjoy the particular government’s protection, sanction, or even employ, hackers are attacking America, every hour of every day. 

The average American is blissfully unaware of this world, even though it directly affects them, often in hugely personal ways. Your most intimate details, like medical records, may be available for sale online and there’s nothing you can do to prevent it.

When the hack, referred to as a Ransomware Attack, hits closer to home, it becomes public knowledge. Take for instance the attack in early May on American gasoline supplier Colonial Pipeline, which crippled many cities. Americans were soon queuing for gas, hoarding supplies, as gas stations across the US closed or ran out of gas. 

The hackers had taken control of the systems operating the supply of gasoline via pipelines that criss-cross America. This was personal and the American public felt the effects first hand. Ransomeware was all over the news.

What most Americans don’t realize, however, is just how common these attacks are. It’s the perfect digital crime. Take over some company’s system, shut it down remotely from a place of safety, and then demand payment from the company. Once the company pays — the ransom — their systems are unlocked and they can resume business.

Bizarrely, the hacker’s “code of ethics” for want of a better term, seems to hold true. Once payment is made, the systems are released. Payment is a simple matter, digital currencies like Bitcoin make tracking the money all but impossible. 

It could be argued that without access to digital currencies, these hackers would be unable to extort money from their victims without leaving a clear trail for authorities to pursue.

Aside from the obvious inconvenience and potential dangers to essential energy supplies and other critical systems, there is another hugely unreported consequence of these hacks. The bleeding of personally identifying data. That’s your info and mine, all of it fair game. Don’t forget, these hackers are inside the systems they compromise, they have sufficient access to lock down the system.

It would be hugely naive to imagine they simply leave it there. While companies run around trying to secure loans to pay off ransom demands, the hackers are merrily downloading every shred of data they can strip from the systems.

That’s where the real value lies. Your information or data, which is spread throughout numerous systems across the US. This data is worth real hard cash on the dark web, especially certain types of personal data, like your healthcare information. From recent reports, it would appear no systems within the US are immune.

Your Data, Healthcare, and the silent war

Most ransomware attacks never see the public light of day. They’re kept quiet and settled away from the prying eyes of the media and the public. For very good reasons. Investors don’t like companies that appear vulnerable and companies would rather not spend the next six months explaining to their customers that their data was compromised.

Healthcare is particularly vulnerable. It’s a sector favored by hackers. Easy access to poorly protected systems, rich data pickings, and a culture of “keeping it on the QT’ among medical institutions, hospitals, and healthcare systems make this sector almost irresistible. 1 in 3 companies or institutions within healthcare get hit, according to a recent whitepaper from IT Security firm Sophos. Here are the key takeaways from the paper. 

• 34% of healthcare organizations were hit by ransomware in the last year.
• 65% that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in the most significant attack.
• 44% of those whose data was encrypted used backups to restore data.
• 34% of those whose data was encrypted paid the ransom to get their data back in the most significant ransomware attack.
• However, on average, only 69% of the encrypted data was restored after the ransom was paid.
• 89% of healthcare organizations have a malware incident recovery plan.
• The average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc. was US$1.27 million. While this is a huge sum, it’s also the lowest among all sectors surveyed.

Scripps is an excellent example in case. Scripps began notifying more than 147,000 individuals in early June this year that their protected health information was exposed during a malware attack. They now face 4 class-action lawsuits.

For certain patients, exposed information included names, addresses, birthdates, health insurance data, medical record numbers, patient account numbers, and treatment details. Less than 2.5 percent of individuals’ Social Security numbers and/or driver’s license numbers were involved, according to the health system.

The list of attacks is growing exponentially.

• 500,000 patient files were potentially stolen in a ransomware attack on Iowa clinics.
• 334,000 Ohio Medicaid providers’ data were breached in a vendor hack

Keep in mind that only a small percentage of these attacks are ever made public and the data above should serve as a fair warning to all healthcare organizations. No one is immune and even smaller organizations are targeted.

Protecting yourself

Clearly, we cannot exist in a modern society without sharing our most private details with companies on a daily basis. There is a huge amount of trust involved, and where many Americans now simply take this relationship for granted, assuming companies will protect their information, ransomware exploits have exposed clear flaws in companies’ approaches to protecting our privacy.

We cannot affect or restrict the data we share without compromising, for instance in a healthcare setting, our quality of care and service. In these instances, the onus falls squarely on the shoulders of the service providers to protect our data and they are failing. 

Our only recourse in this instance is to lobby our congressmen and women. Changes need to be urgently brought to bear on the holders of personal data, fines imposed for lack of proper security, and audited processes put in place to ensure our data is safe.

This is going to prove challenging, particularly when not even the federal government’s systems appear immune to attack. Perhaps it is time to apply Bitcoin-style encryption to our data and fight fire with fire.