Government Should Fund Defenses Against Ransomware

Brad Bennion

When Barack Obama ran for president in 2008, he pledged to modernize the health care system, with significant investments to digitize patient records. Following the Great Recession, the Obama administration used the American Recovery and Reinvestment Act to administer roughly $35 billion in funding to various hospitals. Although the program’s premise was to update documentation, few legislators anticipated medical centers becoming ransom targets. Similar to our nation’s failing infrastructure, cyber security in the United States is severely outdated. Among recent accusations of Russian interference, this trend should be rather apparent. While HIPAA regulations require hospitals to securely store patient information, weak electronic systems are being manipulated for financial gain. Now, nearly six years after president Obama first dispersed funding for modernization, hospitals are facing weekly ransom threats.

Unsurprisingly, federal legislators have few solutions.

Unlike traditional threats, which involve holding patients hostage, ransomware attacks are impossible to predict. For patients that rely on trained health care providers to administer correct medications, a single incorrect injection can result in a fatal reaction. As Politico reported, “…the entire hospital is plunged into a crisis. It is impossible for staff to look up patient conditions…[The] lives of patients are threatened.” Once ransomware infiltrates the hospital’s network, patient records are encrypted, and computer screens turn black. Instead of presenting health care information, a single message is written on the monitor.

  Either pay the ransom, or the encryption key will be destroyed and patient records will be lost.

Increasingly, the hackers that perform these operations are developing sophisticated techniques. Instead of infecting the hospital’s computer network with a flash drive, inconspicuous emails are sent to employees. Typically, these emails will be crafted by cyber criminals to appear legitimate. Once the unsuspecting employee clicks on the message’s link, a malicious website will ask for login information. While many are intelligent enough to avoid this situation, a hospital’s network integrity is only as strong as the weakest link.

Last March, when Georgetown’s MedStar 10-hospital system became infected, it paralyzed four facilities and left the remaining six others in a state of internal panic. This presented a unique challenge for MedStar’s public relations division, which feared the public associating the program with inadequate security. Therefore, while hospital computers displayed ransom requests, officials were reluctant to comment on the situation. Although Georgetown’s medical system eventually regained control of the situation, other hospitals haven’t been as fortunate.

Since the Obama administration incentivized medical centers to digitize records, the number of attacks has risen sharply. As the Washington Post reported, “In a nine-month period in 2014, the FBI investigated 1,838 complaints of such attacks, which cost…more than $23.7 million. In 2015…[attacks] cost targets $24.1 million.” With the lives of patients at risk, hospitals are effectively forced to cooperate. This incentivizes hackers to repeat their actions, creating a vicious cycle nationwide.

Of course, ransomware doesn’t exclusively affect the United States; indeed, hospitals worldwide are being targeted. Barts Health Trust—one of England’s largest hospital networks—faced a dilemma similar to Georgetown earlier this year. In an official statement, hospital officials cited phishing as the source of the hack which displaced “2,800 patients during the 48 hours that systems were crippled.” Fortunately, the medical center wasn’t forced to pay a ransom.

Unlike financial institutions, which routinely face millions of cyberattacks, hospitals are generally inexperienced at guarding against these emergencies. Yet, when one looks closely at national health care spending, cyber security spending is less than 10% of all allocations. Instead, much of the health care budget is directed towards expanding medical coverage for Americans, increasing the number of patients in a fragile system. Therefore, while hospitals were given the support required to modernize their networks, legislators didn’t provide proper security to handle additional information.

So what can hospitals do to prevent these attacks?

Well, there are a few options that hospitals have to improve their defenses against ransomware. Primarily, funding should be allocated to supply hospitals with experienced cyber security experts. Additionally, programs to educate employees on proper security practices should be paired with frequent internal audits. Vulnerable network email systems should be cut-off from the outside world, replaced with web-based programs that cannot be accessed outside of the local network. Lastly, paper records should be maintained as a backup, thereby defeating the purpose of modernization.

Despite these actions, as the last presidential election demonstrated, no online system is entirely immune to cyber attacks. However, simply incentivizing hospitals to use electronic records without providing additional security funding is a catastrophic oversight. If legislators are serious about modernizing hospital systems, they should first begin by establishing proper cyber security.