MedStar Health's 10 hospitals, and several other North American hospitals, have fallen prey to malware attacks in recent weeks. The attacks, many involving ransomware, highlight why it's so important for healthcare organizations to take critical steps to avoid becoming the next victim, says technology expert Craig Musgrave of The Doctors Company, a provider of cyber insurance and medical liability coverage.
"The No. 1 issue is social engineering; it's the employee negligence," Musgrave says in an interview with Information Security Media Group. All healthcare organizations "should be providing training for all employees .... [because] over 80 percent of the attacks are made possible by human error where they'll click on a link or open an email attachment. If we can train the staff to avoid downloading [suspicious files] or bringing USB devices into the systems, then that's going to cut out a lot of the [ransomware] events that are happening."
But if an employee does make the mistake of clicking on an attachment that launches malware, healthcare organizations must take swift steps to mitigate the impact, he says.
"From the technical standpoint, the IT department needs to be making sure they have the appropriate controls in place around firewalls, application whitelisting and ... intrusion detection," he says.
"You need to be able to detect that something is going on very quickly so that you can stop it from spreading across the organization," Musgrave explains. "Once you're at that point where you can isolate [an infected] computer and take it off the network, then it gets down to how good are your backups, and can you restore systems as quick as possible."
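The detect, isolate and restore sequence Musgrave describes can be sketched as a small triage check. The script below is an added example, not code from the article or from The Doctors Company; it assumes a hypothetical audit-log line format (`timestamp host user action path`), a hypothetical backup catalogue, and constructed sample events, thresholds, host names and file extensions. It flags any host that renames or writes a burst of files to encryption-style extensions within a short window, and reports which systems have a verified backup recent enough to restore from.

```python
"""Toy ransomware triage over constructed file-server audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection parameters: extensions, burst size and window are constructed
# for this demo, not vendor rules or real indicators.
SUSPICIOUS_EXT = {".locked", ".crypt"}
BURST_THRESHOLD = 20                 # suspicious events from one host ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this sliding window
MAX_BACKUP_AGE = timedelta(hours=24)  # oldest backup still acceptable to restore


def parse_event(line):
    """Split '<ISO timestamp> <host> <user> <action> <path>'; path may contain spaces."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, action, path


def suspicious(action, path):
    """A rename or write whose target carries an encryption-style extension."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    return action in ("RENAME", "WRITE") and ext in SUSPICIOUS_EXT


def hosts_to_isolate(lines, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return hosts with >= threshold suspicious events inside any window."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, _user, action, path = parse_event(line)
        if suspicious(action, path):
            per_host[host].append(ts)
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return sorted(flagged)


def restorable(backups, now, max_age=MAX_BACKUP_AGE):
    """Map each system to whether its last verified backup is young enough."""
    return {system: now - last_ok <= max_age for system, last_ok in backups.items()}


def triage(lines, backups, now):
    """One call for the whole decision: who to pull off the network, what can be restored."""
    return {"isolate": hosts_to_isolate(lines), "restorable": restorable(backups, now)}


# Constructed sample data: one workstation renaming 25 files in 25 seconds,
# one doing ordinary document writes, one renaming slowly (below threshold).
BASE = datetime(2016, 4, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [f"{(BASE + timedelta(seconds=i)).isoformat()} ws-radiology-07 jdoe RENAME "
     f"/share/reports/scan {i}.pdf.locked" for i in range(25)]
    + [f"{(BASE + timedelta(seconds=10 * i)).isoformat()} ws-billing-02 asmith WRITE "
       f"/share/billing/invoice{i}.docx" for i in range(5)]
    + [f"{(BASE + timedelta(minutes=i)).isoformat()} ws-admin-01 bjones RENAME "
       f"/share/old/file{i}.locked" for i in range(5)]
)
SAMPLE_BACKUPS = {                       # constructed last-verified-good timestamps
    "ehr-db": datetime(2016, 3, 31, 23, 0),       # ~10 hours old
    "file-server": datetime(2016, 3, 29, 23, 0),  # over two days old
}
NOW = BASE + timedelta(seconds=30)

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_BACKUPS, NOW))
```

The slow renamer on `ws-admin-01` is deliberately left unflagged: a per-host burst rule trades a little sensitivity for far fewer false alarms on ordinary file-server activity, and the backup-age check is what turns "we isolated the box" into "we can restore without paying".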
Some hospitals have been able to recover from ransomware attacks without paying extortionists because they had well-prepared backups that enabled them to restore systems and data reasonably swiftly, he says. But other hospitals have had a more difficult struggle because the ransomware spread to main computer systems within the organization, making it more challenging to mitigate the attack, he says.
Hospital Attacks
In February, Hollywood Presbyterian Medical Center in California confirmed that it paid extortionists a $17,000 bitcoin ransom to unlock its data, which was maliciously encrypted by extortionists using ransomware.
But some other hospitals battling recent ransomware attacks, including Chino Valley Medical Center and Desert Valley Hospital in California, have confirmed that they were able to recover from the attacks without paying ransoms (see Continuing Hospital Ransomware Attacks: A Call to Action).
In the interview, Musgrave also discusses:
- Cyber insurance issues involving ransomware attacks, including whether policies generally cover ransom payments to extortionists;
- Medical liability and patient safety issues concerning ransomware attacks;
- Factors driving the recent surge in ransomware and other cyber attacks hitting hospitals and other healthcare organizations.

Musgrave is senior vice president of technology for The Doctors Company. Previously, he was chief technology officer at Monitor Liability, a subsidiary of W.R. Berkley. For more than 20 years, Musgrave has primarily focused on technology within the property and casualty insurance industry.