A few days ago, the sadly-predictable news broke that a U.S. hospital had been hit with a ransomware attack. Initial reports were that hackers demanded that Hollywood (CA) Presbyterian Medical Center pay $3.4M in bitcoins to regain access to its data. The hospital refused, and began working with paper to meet its patients’ needs. However, it was later reported that the $3.4 million number was wrong and the hospital was only asked to pay $17,000. The hospital chose to pay the ransom and got data access back. But the mere fact that Hollywood Presbyterian got off relatively easily shouldn’t blind us to the growing ransomware threat, nor the steps we need to take to address this crisis.
Now, before I ramble on about what I think should be done, please bear in mind that I’m an HIT analyst and writer, not a network engineer. So the modest proposal is coming from a non-technical person, but I do believe that it has some merit as an idea. Hopefully readers will continue to improve, debate, and educate us on the merits and challenges of the idea in the comments.
Here’s my proposal. Whereas:
* Hospitals can’t afford to have their data randomly locked any more than airlines can afford to have their engines do so, AND
* Nobody wants to voluntarily create a ransomware market that grows steadily stronger as hospitals pay up, SO
I suggest we find a new way for hospitals to cover each others’ back. The idea would be to make it more or less impossible for hackers to capture all of another hospital’s data.
Here’s where I get hazy, so follow me — and criticize me, please — but what if every hospital had a few sister hospitals which held part of the day’s data backup? I can see attackers shimmying through every currently available connection at a single institution, but would all five be vulnerable if they only connected in the event a data lockout at hospital A?
Even if such a peer to peer architecture would work, I’m not sure it would be practical. After all, it’s one thing to download an illegal software copy via P2P and quite another to help restore a terabyte or more of data.
Also, it certainly hasn’t escaped me that there are serious competitive concerns involved in setting up such arrangements, though those could certainly be mitigated by the fact that no sister hospital would have a complete data set for Hospital A.
Even if this idea is utter garbage, however, I believe we’ve reached a point where if we’re going to fight ransomeware, some form of deep industry cooperation is necessary. Let’s not wait for patients to be harmed or die due to data lock-out.
Interesting idea Anne. Although, you really point out the key here is having a backup somewhere that’s separate from your health IT software and is unlikely to be compromised at the same time as your main system. That could be at another hospital, but it also could be in an off site backup. No doubt a proper backup plan could thwart a ransomware attack. We probably won’t get hospitals to work together, but healthcare organizations could implement a well done backup strategy that would thwart many issues.
Ransomware is really evil. I heard of this attack, but it also effects many practices, some that were ours. It did not effect the actual Data Center yet, but ALL EHR VENDORS AND COMPANIES ARE AT RISK.
17000 bit coins (>$7,000,000 todays rate) is a lot of profit on one transaction. It sounds innocent enough, but current bitcoin trading is at a all time high.
The Hackers are professionals, the two creators of Cryptolock made over 100Million Dollars in a year each. These are now companies who do nothing but buy the latest technology, before your IT even updates them and finds the vulnerability. If you make updates regularly, you are screwed, they find a vulnerability in the patch. If you don’t update regularly, then you are screwed, they find out you have not updated and a existing vulnerability is left open.
If you spend the megabucks to monitor your firewall and do everything right, including backup, off-site storage, etc…. you can minimize the damage and/or minimize risks. But you must prepare for downtime as you restore backups, backups that may in themselves be effected, so you will have to go to an older backup, which = LOSS OF DATA. Fortunately, they have not to my knowledge put in time bombs, and old and deadly problem.
Bottom line, this is evil and very profitable, so consumer is at a disadvantage no matter how much they spend, unless they can stay ahead, and that is nearly impossible. Makes me and everyone scared.
There’s a much simpler more direct solution to the problem. Give every patient a copy of all their records from all their providers so their records are always available anytime, anywhere—even if a provider network is shut down for any reason, whether a simple power outage, computer system shutdown or natural disaster.
This approach is not only defensive (protecting against Inavailability of records) but brings with it many positive healthcare benefits. Patients can read their providers’ notes and participate in their care decisions. Their doctors can enjoy the ultimate in interoperability—-they can access other providers’ notes to coordinate care and, thereby avoid mistakes, unnecessary visits, procedures, and tests, and reduce the cost of care!
Not sure how to edit a post on here, but I have a correction. I originally thought they asked for 17000 bit coins, no they asked for $17,000 worth of bit coins. Big difference, since a bitcoin is over $400.
Mike Semel just posted a good article on this topic and some things you can do to mitigate the risk: http://www.semelconsulting.com/2016/02/19/security-compliance-are-executive-responsibilities/
As Brendon point out though, it’s a really pernicious evil.
Merle, the problem with your idea is that not every patient is going to care enough to carry around their patient info. Plus, you can’t do population health improvements across a bunch of patient devices. That’s not to say that patients shouldn’t carry around their info, but even if you get patients to carry around all their patient data, organizations are still going to want to have a copy of the patient’s data.
This form of ransomware presents a very serious and urgent problem indeed. Locking up EHR systems creates immediate and serious patient safety and patient access problems. You can imagine if the imaging system goes down during surgery.
Sharing records with other hospitals, as you suggest would be a partially effective solution, and so would giving the patient all their records so that the continuity lies with the patient.
However, the biggest issue is that careflows require many interlocking systems and databases that are realtime and often very large and complex – so cannot be shared in a practical sense with the patient or other hospitals.
For example, if the Bed Management system gets locked up, then figuring out where an open bed exists that matches the patient needs becomes a huge issue that will delay access and slow the entire careflow to a crawl. Likewise, if the medication system is nailed, then checking drug-drug, drug-allergy interaction manually will slow the issue of medications down to a trickle. Knowing whether a patient has met all the prerequisites for surgery today is a very complex workflow with many interacting systems, and if imaging is unavailable during surgery it may require immediate termination and rescheduling – even if the patient was already under and open.
The answer probably lies in systems architecture – why is the operating system allowing this application to access this data. There should be no possible way for a database that is only read/write for specified applications, to be modified by a foreign encryption application. The database should refuse the instruction, the OS should deny access, and the security system should lock the encryption application out.
Many of these exploits are due to shoddy OS and database architecture, and much of the blame goes to vendors and implementors who provide products and systems that are rushed out and are poorly designed.
On the law enforcement and criminal justice side, endangering patient safety should carry very serious penalties, and should be internationally enforced. If you drop ransomware in a hospital, the entire world should be looking for you, and there should be a very lengthy prison sentence awaiting.
Just my 2c
While it’s a great idea to try and propagate data to an offsite location the problem is, when the criminal started infiltrating the hospital, they were already propagating across data lines. Sending the data stream to another hospital risks infecting their network.
The only real way to go back to paper. Since were created this culture of everything online it’s not going away. Until we as the consumers decide that we no longer want our personal data collected and used against us it will continue to happen and it will always be vulnerable in the electronic media. If the criminals aren’t going after it, the corporation collecting it is going after it to feed you customized ads and to use your habits against you…..i.e. you had a fever and you didn’t go to the hospital…..fine….self driving cars in the future….if you don’t have one, insurance goes up because you demand control of your own vehicle….
I shall remove myself from this Soap Box. 🙂
Mike Semel.
First, if consumers/patients don’t carry their records with them at all times we have two choices: do nothing, or states can require that everyone carry their records with them (a la the requirement that every driver have his/her registration and insurance certificate with them when driving a vehicle). The incentive for patients to carry their records is that they will get better care and probably save money— so I expect a great many would do so. WRT states requiring everyone to carry their records, I suspect states will jump at the chance as soon as they understand that doing so will materially reduce the cost of care that they must cover.
Second, I’m not suggesting that providers stop keeping records. On the contrary, there are too many reasons why they need their patients’ records — including population health concerns (maybe someone some day will figure out a way to tap into provider records for that purpose). What I am suggesting is that when patients have copies of all their records from all of their providers, their providers will always have access to their complete picture, not just the narrow view of the patient’s health and issues that are recorded in the provider’s own records for the patient.