Welcome to our two-part series on ransomware in orthopaedics. It's critical for offices to understand the threat that ransomware poses to the security of their electronic health record and computer systems. The good news is, you don't need to be a cybersecurity expert to understand the basics and take steps to protect yourself and your patients. This week, we're taking a deep dive into the origins of ransomware and why practices need to be vigilant.
What is ransomware?
The first documented ransomware attack targeted the healthcare industry in 1989. It is known colloquially as the AIDS Trojan. Attendees of the World Health Organization’s International AIDS conference were mailed 20,000 infected floppy diskettes labeled “AIDS Information – Introductory Diskettes.” Once a diskette had been loaded onto an attendee’s computer, the AIDS Trojan waited until the 90th reboot, then hid directories and encrypted the names of files. To regain access, attendees were required to send $189.00 to the PC Cyborg Corporation at a post office box in Panama. The perpetrator, Joseph L. Popp, was eventually caught but deemed unfit to stand trial.
At its core, ransomware continues to function much the same as it did in 1989. It is a malicious form of software that encrypts files on your computer. The writers of the software demand a ransom, and after the money is received per their instructions, a decryption key is supposed to be provided to unlock your files; there is no guarantee the criminals will keep that bargain, and some victims pay and still never recover their data. The healthcare industry is a favorite target for ransomware attacks, in part because medical records reportedly sell for up to $1000 each on the Dark Web, and in part because a practice that cannot reach its records cannot treat patients, which pressures it to pay quickly. In fact, healthcare accounted for 29% of total ransomware attacks in 2019, and ransomware incidents have cost the United States healthcare industry over $157 million since 2016.
Why should your office care about ransomware?
Ransomware methods have evolved to become much more sophisticated, posing a larger threat than most offices take into account. It is highly unlikely that a healthcare employee would load a random disc from an unknown person onto their work computer today. However, newer methods can be much harder to spot unless users remain vigilant. A 2004 ransomware attack tricked people into thinking they were opening a job application. Further attacks in 2014 used spam emails carrying booby-trapped Excel or Word attachments that launched the file encryptor when the document was opened, typically through embedded macros the recipient was tricked into enabling.
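The 2014-style delivery method above, a booby-trapped Office attachment arriving by e-mail, is one that a mail gateway or an IT staffer's triage script can screen for before a user ever sees it. The following is an added example, not code from the original article: a small Python check that inspects an attachment's bytes rather than trusting its file name, flags modern Office (OOXML) documents that carry a VBA macro project, flags name/content mismatches such as an "Application.pdf" that is really a Word file, and routes legacy binary .doc/.xls files for sandboxing because their macros cannot be seen without a full parse. The file names and attachment bytes are constructed samples built in memory; the part names such as `word/vbaProject.bin` follow the OOXML packaging convention.

```python
import io
import zipfile

# OOXML (.docx/.xlsm/.pptm ...) files are zip containers; a VBA project,
# if present, lives in one of these parts regardless of the file extension.
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Magic bytes that identify the real container type, independent of the name.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                          # zip, i.e. OOXML
PDF_MAGIC = b"%PDF-"

MACRO_FREE_EXTS = ("docx", "xlsx", "pptx")
OOXML_EXTS = MACRO_FREE_EXTS + ("docm", "xlsm", "pptm")


def build_ooxml(parts):
    """Build a minimal OOXML-style zip containing the given part names.

    Constructed sample only: it is enough for the structural check below,
    it is not a document Office would open.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name in parts:
            zf.writestr(name, b"\x00")
    return buf.getvalue()


def classify_attachment(filename, data):
    """Return a list of reasons to quarantine the attachment; [] means nothing found.

    Checks performed:
      1. The extension claims one type but the bytes say another.
      2. An OOXML container carries a VBA project (macro-enabled content).
      3. A legacy OLE binary, which may carry macros that this check cannot see.
    """
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_zip = data.startswith(ZIP_MAGIC)
    is_ole = data.startswith(OLE_MAGIC)
    is_pdf = data.startswith(PDF_MAGIC)

    if ext == "pdf" and not is_pdf:
        reasons.append("extension/content mismatch: .pdf name but not a PDF")
    if ext in OOXML_EXTS and not is_zip:
        reasons.append(f"extension/content mismatch: .{ext} name but not an OOXML zip")

    if is_zip:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            names = set()
            reasons.append("corrupt zip container")
        macro_parts = [p for p in OOXML_MACRO_PARTS if p in names]
        if macro_parts:
            reasons.append("OOXML document contains VBA project: " + ", ".join(macro_parts))
            if ext in MACRO_FREE_EXTS:
                reasons.append(f"macro-bearing document with macro-free extension .{ext}")

    if is_ole:
        reasons.append("legacy OLE binary (.doc/.xls era) - detonate in sandbox before delivery")
    return reasons


# Constructed sample attachments, not real mail traffic.
SAMPLES = {
    "notes.docx": build_ooxml(["word/document.xml"]),
    "Invoice.docm": build_ooxml(["word/document.xml", "word/vbaProject.bin"]),
    "Application.pdf": build_ooxml(["word/document.xml", "word/vbaProject.bin"]),
    "resume.doc": OLE_MAGIC + b"\x00" * 512,
}


def scan_samples():
    """Classify every constructed sample; returns {filename: [reasons]}."""
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        verdict = "QUARANTINE" if reasons else "deliver"
        print(f"{name:18} {verdict:10} {'; '.join(reasons)}")
```

This is a structural check, not a malware scanner: it cannot tell a benign macro from a malicious one, and it does not parse legacy OLE files at all, which is why those are routed to a sandbox instead of being judged here. Real deployments layer it behind the mail gateway's own filtering and endpoint protection, and pair it with the simplest control of all, blocking Office macros from internet-sourced files by policy.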
Furthermore, ransomware’s threat level has increased. Ransom amounts now range from a few hundred dollars to millions depending on the software and target. Rather than simply leaving information inaccessible until the victim pays, in the past few years perpetrators have taken to stealing a copy of the files before encrypting them and threatening to publish the stolen data if the ransom is not paid on time. In the case of healthcare organizations, those files would include patient medical records and various types of protected health information. Therefore, ransomware attacks often leave healthcare organizations with an impossible choice: pay the extortion in the hope that the attackers delete their copy (which no one can verify), or refuse to pay, report the incident to law enforcement, and accept that patient data may be exposed to bad actors on the web.
The consequences of these attacks can be devastating for orthopaedic practices. Attacks where records are exposed can result in HIPAA and other federal privacy violations. In addition to paying a ransom, your practice could need to pay a third-party investigative expert to contain the breach, determine which records were taken, and shore up your security. Additionally, practices could face legal costs incurred from potential civil suits; in some cases, individual patients can file civil suits claiming negligence along with other complaints. Furthermore, the HIPAA Breach Notification Rule enforced by the U.S. Department of Health and Human Services requires covered entities to notify all affected individuals of a data breach without unreasonable delay and no later than 60 days after its discovery, and breaches affecting 500 or more individuals must also be reported to HHS and to prominent media outlets. Patient trust in your practice can erode if such a breach occurs.
Tune in next week as we explore real life cases of ransomware attacks on orthopaedic practices in the past year. We'll also provide tips and recommendations that your IT department can use to increase your system's security.