Bob is a hockey fan. His Facebook timeline is filled with posts about his favorite team and his search for tickets. Bob also works in the department of Health Information Services for a major hospital in a large city. One day Bob receives an email at work informing him that he has won two tickets to the upcoming semi-finals, in which his beloved team will be top seeded. Finally, entering every contest for free tickets that popped up on social media had paid off! He eagerly clicks on the link, but nothing seems to happen. The next week the hospital's network is down and a shadowy group is demanding thousands of dollars to unlock critical records.
What Bob experienced is called “spear phishing”. Regular “phishing” casts a wide net to see who you can “catch”, similar to sending out large amounts of spam email and hoping that the right person will click on the link. Spear phishing, in contrast, targets a specific individual who has been researched through social media or otherwise and selected based on his access to desired networks.
Ransomware is a type of malicious code used by hackers to encrypt a target's files, leaving a healthcare organization unable to access critical patient data. Once the target clicks on the link and the system is infected, the hackers offer to unlock the files for a fee paid in untraceable currency.
How prevalent is ransomware in healthcare organizations? One poll showed that up to 75% of hospitals reported having some sort of ransomware attack in the last year. Since this was self-reported, it raises the question of how many hospitals chose to quietly pay the ransom and not disclose the attacks.
There is an entire industry devoted to stopping ransomware, and there are many recommendations for combating these types of attacks, including: having a robust backup system; making sure ALL hardware is updated with the latest patches, even the IV pumps kept in storage and used only rarely; and regular vulnerability scanning and penetration testing as outlined in HIPAA and HITRUST guidelines.
I do think that the biggest factor, the human factor, is being ignored. According to CompTIA, an IT industry trade association, human error is responsible for 52% of breaches in network security. Our digital lives and our work lives are becoming increasingly intertwined. Perhaps training employees like Bob in the safe use of social media at home will go a long way towards creating a culture in which safe Internet practices are second nature both at home and at work. Something has to be done. A study done in September 2016 by a security firm determined that employees download malware once every four seconds. More focus on this critical area is essential if we want to stop the relentless attacks on our health care records.