Trends in Malware Attacks against United States Healthcare Organizations, 2016-2017

Branch LE, Eller WS, Bias TK, McCawley MA, Myers DJ, Gerber BJ, Bassler
JR. Trends in Malware Attacks against United States Healthcare
Organizations, 2016-2017. Global Biosecurity, 2019; 1(1).
Global Biosecurity | www.jglobalbiosecurity.com February 2019 | Volume 1 | Issue 1
RESEARCH ARTICLES
Lauren E Branch1, Warren S Eller2, Tom K Bias1, Michael A McCawley1, Douglas J Myers1, Brian J Gerber3, John R
Bassler4
1West Virginia University, Morgantown, WV, USA
2The City University Of New York, New York, USA
3Arizona State University, Tempe, AZ, USA
4University of Alabama at Birmingham, Birmingham, AL, USA
Abstract
Introduction: The healthcare industry has begun seeing a new hazard develop against it: the threat of
cyberattack. Beginning in 2016, healthcare organizations in the United States have been targeted for malware
attacks, a specific type of cyberattack. During malware incidents hackers can lock users out of their own network to
gain access to information or to hold the organization for ransom. With the increase in medical technology and the
need for access to this information to provide critical care, this type of incident has the potential to put patient lives
and safety at risk.
Methods: A content analysis was conducted to assess the trend of attacks on healthcare organizations. U.S.
Healthcare IT News and Becker’s Hospital Review were used to collect all publicly reported malware attacks against
U.S. healthcare organizations between 2016 and 2017. A logic diagram was also developed to illustrate how hackers
gain access to a healthcare network using malware.
Results: There were 49 cases of malware attacks against U.S. HCOs identified. The attacks occurred across 27
states, and they took place during 18 out of 24 months. Six of the organizations reported paying ransom, whereas
43 organizations did not pay or did not report payment to the press. Impacts of these attacks range from network
downtime to patient and staff records being breached.
Discussion: Malware attacks have the potential to impact care delivery as well as the healthcare facility itself. Even
though this study identified 49 malware attacks, we know this number is significantly higher based on data from
HIMSS and the FBI. A reporting loophole exists in that hospitals are only required to report attacks in the case of
breached protected health or financial data. For HCOs to fully understand the risk cyberthreats pose, it is important
for attacks to become public information and for lessons learned to be shared. Future research reviewing identified
attacks could help identify best practices for the healthcare industry to better prepare for cyberattacks.
Introduction
Recently, the healthcare industry has been facing a
new type of hazard; bad actors have started targeting
hospitals and other healthcare facilities for
cyberattacks. This industry is particularly vulnerable
to cyberattacks because healthcare providers depend
on up-to-date information from electronic health data.
This information includes patient histories and test
results, which are often needed at a moment’s notice to
provide critical patient care. Approximately 95% of
hospitals in the United States use health information
technology, such as electronic medical records (1).
Many other health technologies, including glucose
meters, IV pumps, and implanted medical devices, are
also connected to and dependent on the hospital’s
network. With patient safety on the line, hospitals may
be more willing to pay for restored access to their
network. Healthcare organizations (HCOs) have
become much more reliant on health information
technology over the past decade. Another vulnerability
that makes hospitals susceptible to cyberattacks is
the out-of-date cybersecurity systems at many facilities
and the limited training for staff on safe cyber practices
(2). These characteristics combined make HCOs good
targets for attack (1, 3).
The cyberthreats that HCOs now face are complex
and can come from both inside and outside the
network (4). In a survey conducted by the Healthcare
Information and Management Systems Society
(HIMSS) of healthcare organizations, 37.6% of
respondents said their most recent security incident
was caused by an online scam artist, whereas 20.8%
reported a negligent insider and 20.1% reported a
hacker as the cause (5). There are also many points of
entry into a healthcare network, which have the
potential to make it extremely vulnerable (See
Figures 1 and 2). A point of entry is a way for bad actors
to gain access to a hospital computer or network in
order to achieve something malicious, whether that be
stealing data or delivering a payload virus (6). Some
points of entry identified in the HIMSS Cybersecurity
Survey include email, infected hardware or software,
compromised medical devices, third-party websites,
and a provider or a service linked to the network via
the cloud (5). Some additional points of entry include
internet access, a wireless network, removable media
(i.e. USB drive, laptop), or theft of equipment (6). In
the 2018 HIMSS Survey, 61.9% of participants
identified e-mail (e.g. phishing e-mail) as the point of
entry in their organization’s most recent significant
security event. Another way that hackers attack is
through backdoors or unpatched vulnerabilities,
which are essentially access points left open across the
network.
Figure 1 displays a sample hardware network of an
HCO. Each switch on the diagram represents multiple
devices connected to the network, and each device
presents its own multiple points of entry via e-mail,
the internet, or USB connections. Depending on the
level of network cybersecurity, an infected phone
being connected to a system computer or an infected
link from an email being clicked can potentially
transfer a virus to the network and spread. Figure 2
shows an example of a software network within an
HCO. In this example, there is a virtual interface with
a corporate office with its own clinical and
administrative management software. There are also
interfaces with many different applications used
around the organization, including imaging, labs,
pharmacy, payroll, and patient scheduling. Each of the
applications represents potential points of entry for
bad actors to break into the organization. HCOs must
rely on their corporate interfaces as well as third-party
vendors to keep their products secure with up-to-date
protections. With so many different points of entry
into the HCO hardware network, these networks have
become extremely intricate and therefore highly
susceptible to unauthorized access. This complexity
also serves to make the networks hard to secure.
Figures 1 and 2 are based on a small hospital network,
but the connectivity displayed in each diagram, a
central hub that interacts with many different devices
and applications, is a set-up seen in the typical U.S.
hospital.
Hackers use different attack techniques to take
advantage of HCO vulnerabilities and gain access to
the network. A common type of attack is a phishing
scam conducted over email. Hackers send an
authentic-looking email to hospital staff and include a
link or attachment that unsuspecting users open or
click. Once that content is activated, the hacker gains
access to the network and can get information or
activate a malicious virus (6). Phishing scams are on
the rise; there was a 789% increase in phishing e-mails
from the last quarter in 2015 to the first quarter in
2016 (7). A second type of attack is a malware attack,
which is when malicious code or a virus is dispatched
within a computer network (4). One example of a
malware attack that is of growing concern for
healthcare organizations is ransomware. In the
HIMSS 2018 Cybersecurity Survey, respondents
ranked perceived threats and ransomware is now
second on the list (11.3%), whereas natural hazard (i.e.
fire or flood) was eleventh on the list (8.3%) (5).
During a ransomware attack, bad actors will lock
users out of a network and demand a ransom payment
to restore access. The first ransomware attack took
place in 1989 when an AIDS researcher, Joseph Popp,
sent 20,000 floppy disks to AIDS researchers in 90
countries. The floppy disks were said to contain a
questionnaire to help determine a patient’s risk of
contracting AIDS. When inserted, these disks infected
the computer with a virus that lay dormant until the
90th time they were turned on. Once the computer was
booted for the 90th time, a note would appear on the
screen asking for licensing fees to be paid while locking
the user out of the computer (3). Since 1989,
ransomware attacks have continued and are now
categorized as one of two types: scareware and crypto
ransomware. Scareware will inform a computer user
there is something fatally wrong with their machine
and offer a solution for a small payment. Crypto
ransomware is much more complex, in that it will
encrypt computer files so that they need a certain
decryption key to be opened. These crypto-viruses
have become a lot harder, and many times impossible,
to break even by experts (3).
Similar to the first ransomware attack, hackers
have again shifted their targets to the healthcare
industry. In healthcare, this type of attack can
essentially shut down an organization’s ability to
operate and lock providers out of essential data
needed to provide patient care (8). In May 2017, a
global ransomware attack known as WannaCry was
perpetrated by the North Korean government (9).
Hackers utilized a stolen National Security Agency
(NSA) tool that highlighted a vulnerability of Windows
Operating Systems to gain access to 300,000
computers across 150 countries (9-10). During this
attack, 36 health organizations, including hospitals,
ambulance services, and physicians’ offices, in Great
Britain were locked out of their systems (11).
WannaCry forced the National Health Service to send
patients away from certain facilities in order to receive
the care they needed (11). Homeland Security experts
have said this attack directly put patients’ lives at risk
(10).
This type of cyberattack against organizations has
become more frequent in occurrence (12). In April
2016, there was a 159% jump seen in ransomware
attacks from the month before. This was a huge rise
from the normal 9-20% monthly increase that had
previously been seen (13). In 2015, across all
industries, the Federal Bureau of Investigation (FBI)
reportedly received more than 2,500 ransomware
complaints, which cost the victims $214 million (14).
A 2016 IT report stated 93% of phishing emails now
contained ransomware (7). In 2018, the city of Atlanta
fell victim to a ransomware attack and lost many of its
critical municipal systems. This attack alone cost the
city $2.7 million to recover (15).
In February 2016, an outbreak of ransomware
attacks against United States hospitals began at
Hollywood Presbyterian Medical Center in Los
Angeles, California. The hospital was offline for over a
week before deciding to pay the ransom (16).
Approximately $17,000 was paid and the hospital
regained access to its operating systems (17). Since this
initial attack, there has been a surge in reported
malware attacks of healthcare providers across the
United States. These attacks can be extremely costly
for HCOs (18). A hospital in New York was attacked in
2017 and it has been estimated that their recovery cost
was almost $10 million, including hardware, software,
extra staff hours, overtime hours, and loss of business
costs (19). The on-going fixes and upgrades to the
hospital system are estimated to be an additional
$250,000 to $450,000 a month (19). In the most
recent HIMSS Cybersecurity Survey, 75.7% of
respondents reported a significant security incident in
the past 12 months (5).
The best way for hospitals to protect themselves is
to be proactive and take steps to strengthen their
potential vulnerabilities and weaknesses. Hospitals
need to conduct risk assessments to better understand
how large a risk malware attacks pose to their
organization, as well as how big an impact successful
attacks can have on operations. Once they have a risk
analysis of malware attacks, HCOs can decide which
fixes to their system make the most sense financially
to offer the most protection.
Lack of reliable reporting on frequencies and
impact of this type of attack makes it difficult for the
healthcare industry to better secure their systems. The
risk reports that do exist do not expand on the nature
and scope of these successful attacks. Some of these
incidents only affect a few computer terminals,
whereas other incidents have a more significant
impact on the organization and have the potential to
affect patient care and safety. Due to the inherent
nature of hospitals and the initial ransom payment
made by Hollywood Presbyterian Medical Center,
these types of incidents are only expected to continue
to grow in frequency.
Currently, there are popular media reports on these
attacks, but there is no methodology for consistently
tracking hospital attacks over time. This study seeks to
address this gap by assessing the trend of malware
attacks on HCOs over time. This objective will be
achieved by reviewing publicly-reported, successful
attacks on healthcare organizations within the United
States between 2016 and 2017. The final product of
this analysis will be a timeline of reported ransomware
attacks on hospitals, as well as a summary of what data
is being reported with each attack. A logic diagram will
also be developed to show the process of a malware
attack on an HCO. Without a better understanding of
this type of threat, healthcare organizations cannot
adequately protect their organization or their patients’
safety (4).
Methods
A content analysis was conducted of news articles
related to hospital malware attacks. The news sites
Healthcare IT News and Becker’s Hospital Review
were used as data sources. Healthcare IT News is a site
published by Healthcare Information and
Management Systems Society (HIMSS) and is one of
the most comprehensive news sources for information
on healthcare information technology. Becker’s
Hospital Review is another well-known and reputable
source of information related to information
technology in the field of healthcare. A search of these
databases was conducted using a combination of the
keywords “hospital” or “healthcare”, “malware” or
“ransomware” and “attack”. These articles were
reviewed for relevance to the research question.
Inclusion criteria for articles were references to
malware or ransomware attacks on hospitals or
healthcare facilities within the United States during
2016 and 2017. Articles that discussed data breaches
caused by hackers or misplaced hardware, as well as
articles that discussed phishing scams, were excluded
from this analysis.
The included articles were analyzed to identify
cases, which were then formatted into timelines
to summarize the number and locations of reported
malware attacks. Upon further investigation and
research, each case was also reviewed for date of
attack, name of facility or organization, location, how
many facilities were affected, what the impact on the
facility was, and if any outcome was disclosed. If the
articles referenced a data breach, that information was
cross referenced with the U.S. Department of Health
and Human Services Office of Civil Rights Breach
Report Database. The HITECH Act requires that all
data breaches impacting 500 or more individuals be
reported in this database. This data was put into a
table to summarize the extent of publicly-reported
malware attacks on United States hospitals between
2016 and 2017, and to identify trends within this
dataset.
A logic diagram was also created to illustrate a
malware attack on a hospital network through a
phishing attempt. This diagram walks through the
steps of a phishing ransomware attack in which a
hacker gains access to the network. The logic diagram
was created using data collected during qualitative
interviews with subject matter experts, including a
Chief Information Officer, a Chief Information
Security Officer, a Senior Network Administrator, and
a Healthcare IT Manager. It uses a hypothetical
hospital to show the extent of a successful phishing
attack, and the breadth of access to data and
applications a hacker could potentially gain into a
secure network.
Figure 1. Hardware Network Diagram
Note: Below are brief explanations of the purpose of each hardware device in this figure. A server is a computer that either provides information to
other computers or stores files which can be accessed from other computers. A router is the director of communication traffic between devices (e.g.
computers). A firewall is a form of security used to keep unauthorized users out of a network. A mainframe is a computer where large organizations
store their critical applications that are accessed through the network. A switch is a networking device that connects multiple computers to the
network. The internet connection is the organizational connection to outside networks.
Results
Malware Attacks, United States 2016-2017
Overall, this study discovered 49 reported cases of
malware attacks on U.S. Healthcare Organizations
during 2016 and 2017. There were 22 malware attacks
in 2016 and 27 malware attacks in 2017. Figures 3 and
4 present these healthcare attack cases, respectively.
This analysis has shown attacks occur all over the
country and take place all year long. The data collected
showed there were malware attacks on HCOs in 13
states in 2016 and 20 states in 2017. A map of the
United States displaying frequency of malware attacks
for both years is shown in Figure 5. The state with the
most attacks was California with 9 attacks across both
years. There were 16 states that saw one attack across
both years. Both years had attacks reported in 9
different months. The attacks are affecting more than
just hospitals across the country. One attack against a
health system impacted 10 hospitals and 250
outpatient clinics in the D.C./Maryland region.
Another attack against a health system impacted
hospitals across state lines. Some of the attacks only
impacted one facility, but often that facility lost access
to its medical records.
Not all of the 49 identified cases had the
same impact on their respective healthcare
organizations. Tables 1 through 4 present impact
details of the identified malware attacks. Forty-one of
Figure 2. Software Network Diagram
Note: This diagram is an example software network, which is typical for HCOs. There is a central network hub that interacts with the numerous software applications, and in
this example also is connected to an outside corporate network.
Figure 3. Timeline of Hospital Malware Attacks in the United States, 2016
Figure 4. Timeline of Hospital Malware Attacks in the United States, 2017
the cases were labeled as ‘ransomware’ attacks (shown
in Table 1). The articles reported that at least six
organizations paid ransom (shown in Table 2). In one
case (Kansas Heart Hospital), the hospital paid
ransom and the hackers released only a portion of
their files before demanding a second ransom. They
did not pay the second ransom demand (20). The
other cases either did not pay or did not disclose a
payment to the press. Some of the articles reported
outage times for the organizations, which ranged from
1 day to about 2 weeks (shown in Table 3). The most
frequent time offline that was reported was one week.
The first ransomware attack against a hospital,
Hollywood Presbyterian, paid $17,000 after a stand-
off with hackers and almost two weeks offline. Another
major impact identified was compromised patient or
staff records. Sixteen of the attacks reported no
records breached. Seventeen of the attacks reported
less than 50,000 records impacted. The highest
number of records reported was 500,000 breached
records, with three other attacks reporting more than
200,000 breached records (shown in Table 4).
One of the issues identified while completing this
content analysis was the lack of consistency in
reporting and defining this type of attack. Across all
identified cases, there were different search terms
required to identify certain cases. Table 5 shows the
different terms that were required to find different
cases. Ten of the cases only showed up in searches
using the term “cyberattack”, eight only showed up
using the term “malware”, and ten only showed up
using the term “ransomware”. The other 21 cases were
identifiable using more than one of the listed search
terms. This lack of consistent reference words makes it
difficult to fully identify all reported cases.
Logic diagram
Due to the complexity of healthcare organizations,
there are a few steps hackers must go through to gain
access. Figure 6 presents the steps as they would occur
in an email phishing attack. The attack begins when a
hacker sends mass emails to employees within an
organization attempting to deceive at least one
employee. The email would either contain a malicious
link or attachment within that would allow the hacker
to gain shell credentials to the organization. With the
counterfeit credentials the hacker can impersonate the
employee within the system, and depending upon the
level of access they have, gain direct access to network
applications or they can find another user credential
with higher level access.
Once the hacker gains administrative level access,
they can permeate across the organization’s network
to find the information they are looking for. In this
scenario, Figure 6 shows the applications and
confidential data the hacker would gain access to in
this HCO. The software applications include
timekeeping, imaging, medical scribing, catheter
laboratory services, obstetrics and gynecology clinical
services, the network email exchange and all
organizational file shares. From this access, the hacker
has access to protected health information,
proprietary business data, payroll information, and
other confidential data, such as social security
numbers of patients and staff members.
Figure 5. Frequency of Malware Attacks in the United States, 2016-2017
If the hacker’s goal is to deliver a malicious
payload, such as ransomware, the hacker can choose
where to drop it once they gain access to these
organizational applications on the network. They can
choose a location which would cause the biggest
service disruption to increase likelihood the
organization will pay the ransom demand.
Once a hacker gains access to the HCO’s network,
the HCO itself has limited options on how to stop
access. The first step is that the HCO must realize they
have someone with malicious intent inside their
network. Often in the case of ransomware attacks, this
does not happen until applications stop working or a
ransom note appears on desktops across the
organization. In cases like this, it is imperative the
HCO shuts everything on the network down to stop the
spread of the virus and to cut off the hacker’s access to
the network. This step would also cut off all users’
access to the network and cause a complete
organization-wide downtime. Once the network is
shutdown, the HCO can conduct impact assessments
to see how much damage has been done, if any, and
can begin their recovery and business continuity
processes. If the HCO decides not to shut down the
network, the hacker has continued access to the
network and the virus can continue to spread infecting
more hard-drives.

Table 1. Terminology Used to Describe Attack, U.S. Malware Attacks 2016-2017

| Terminology | 2016 Frequency | 2016 Percentage | 2017 Frequency | 2017 Percentage | Total Frequency | Total Percentage |
|---|---|---|---|---|---|---|
| Malware | 5 | 22.73 | 3 | 11.11 | 8 | 16.33 |
| Ransomware | 17 | 77.27 | 24 | 88.89 | 41 | 83.67 |

Table 2. Ransom Payments, U.S. Malware Attacks 2016-2017

| Payment Reported | 2016 Frequency | 2016 Percentage | 2017 Frequency | 2017 Percentage | Total Frequency | Total Percentage |
|---|---|---|---|---|---|---|
| Yes | 5 | 22.73 | 1 | 3.70 | 6 | 12.24 |
| No | 17 | 77.27 | 26 | 96.30 | 43 | 87.76 |

Table 3. Network/System Time Offline, U.S. Malware Attacks 2016-2017

| Time Offline | 2016 Frequency | 2016 Percentage | 2017 Frequency | 2017 Percentage | Total Frequency | Total Percentage |
|---|---|---|---|---|---|---|
| 1 day | 0 | 0 | 2 | 33.33 | 2 | 14.29 |
| >3 days | 0 | 0 | 1 | 16.67 | 1 | 7.14 |
| >a week | 3 | 37.5 | 0 | 0 | 3 | 21.43 |
| 1 week | 1 | 12.5 | 2 | 33.33 | 3 | 21.43 |
| 2 weeks | 1 | 12.5 | 0 | 0 | 1 | 7.14 |
| > 2 weeks | 0 | 0 | 1 | 16.67 | 1 | 7.14 |
| 3 weeks | 1 | 12.5 | 0 | 0 | 1 | 7.14 |
| 5 days | 2 | 25 | 0 | 0 | 2 | 14.29 |
| Missing | 14 | - | 21 | - | 35 | - |

Table 4. Number of Medical Records Impacted, U.S. Malware Attacks 2016-2017

| Impact Range | 2016 Frequency | 2016 Percentage | 2017 Frequency | 2017 Percentage | Total Frequency | Total Percentage |
|---|---|---|---|---|---|---|
| 0 | 7 | 43.75 | 9 | 36.00 | 16 | 39.02 |
| Less than 10,000 | 4 | 25.00 | 5 | 20.00 | 9 | 21.95 |
| 10,000 to 50,000 | 5 | 31.25 | 3 | 12.00 | 8 | 19.51 |
| 50,000 to 100,000 | 0 | 0.00 | 2 | 8.00 | 2 | 4.88 |
| 100,000 to 200,000 | 0 | 0.00 | 2 | 8.00 | 2 | 4.88 |
| 200,000 and Above | 0 | 0.00 | 4 | 16.00 | 4 | 9.76 |
| Missing | 6 | - | 2 | - | 8 | - |

Table 5. Search Engine Terminology, U.S. Malware Attacks 2016-2017

| Search Engine | 2016 Frequency | 2016 Percentage | 2017 Frequency | 2017 Percentage | Total Frequency | Total Percentage |
|---|---|---|---|---|---|---|
| Cyber attack | 2 | 9.09 | 8 | 29.63 | 10 | 20.41 |
| Malware | 5 | 22.73 | 3 | 11.11 | 8 | 16.33 |
| Ransomware | 6 | 27.27 | 4 | 14.81 | 10 | 20.41 |
| Ransomware / More than one | 9 | 40.91 | 12 | 44.44 | 21 | 42.86 |
Figure 6. Logic Diagram
Discussion
Over the last few years, we have seen an increase in
the trend of cyberattacks targeting healthcare organizations.
This content analysis found 49 instances of malware
attack on U.S. healthcare organizations during the
years 2016 and 2017. These attacks occurred all over
the country, with 27 states having a reported attack
during this period. The attacks also impact all areas of
healthcare delivery, including hospitals, primary care,
outpatient clinics, medical suppliers, and electronic
medical record providers.
With aspects of care delivery at risk, malware
attacks are a threat to patient safety (6). The 49 attacks
identified through this analysis had ranging levels of
impact, but all were required to go offline for a period
of time to stop the spread of the computer virus.
Providing care without access to patient history can be
hazardous. For example, without the system’s
automated checks and balances in place while
prescribing medications, there is a chance that
something in the patient chart gets overlooked.
Medical devices are also at-risk during malware
attacks, including therapeutic equipment (infusion
pumps), life-support equipment (ventilators) and
diagnostic equipment (PET scanners). Any of these
devices can serve as backdoors into healthcare
networks if not secured. One report reviewed three
case studies where medical devices were used by
hackers to break in and move through a network (21).
Malware attacks can also affect patients and staff in
ways other than through provision of healthcare
services. Attacks can have direct impacts on the facility
itself, which potentially has downstream impacts on
patient care. At least one of the attacks from this
analysis saw impacts to their security systems. The
hospital’s security cameras went offline and they were
forced to go into lockdown until the cameras could be
brought back online. Another system potentially at
risk is the HVAC system. Without environmental
temperature regulation, there is the possible need for
evacuation of patients. Finally, as seen in other
cyberattacks, the electrical grid and water treatment
are also potential targets (22). Without power or clean
water, hospitals could no longer provide care and
would also be required to move patients. Evacuation
of a hospital is an extreme undertaking regarding
staffing and resource needs, as well as finding
equivalent bed capacity to take patients. An extreme
example of the impact of power loss and evacuation on
patient care was seen during Hurricane Katrina at
Memorial Hospital where physicians decided which
patients to save and hastened the death of others (23).
This is the first known content analysis to develop
a list of malware attacks across the healthcare
industry. One limitation of this research is the reliance
on public reports of attacks. Not all attacks are being
reported and most of the reported attacks are large
scale incidents. Based on FBI and HIMSS data, we
know that this is a much bigger problem. The FBI
urges HCOs to report attacks, but ultimately this is left
up to the discretion of the facility. Attacks are only
required to be reported when medical or financial
information has been compromised. One reason for
not reporting is that HCOs do not want to risk their
reputation or income by being labeled a victim. This
reporting loophole makes it much harder for the
industry to get a clear picture of the attack trend (24).
Another limitation is the lack of consistency in reports
of each attack. This study tried to combat this
inconsistency by using multiple search terms
including ‘malware’, ‘ransomware’, and ‘cyberattack’.
With different terminology used in reports, there are
potentially cases that are being reported but might not
be captured by the content analysis. Even with this
limitation, the dynamic understanding provided
through this content analysis will illustrate the
frequency and types of cyberattacks, which have not
been previously researched. The sample of this
analysis only includes successful attacks, but there are
also many more institutions that are vulnerable to
attack (5). There is a need for the healthcare industry
to push for more public data regarding this hazard. If
attacks were reported to a single database, this
information could be accessed in one location and
used to better educate healthcare administrators on
the risk that cyberattacks pose to healthcare delivery
and to business continuity. This information could
also be used to develop a more accurate hazard
vulnerability assessment (HVA) for HCOs. A well-
informed HVA is the basis for effective preparedness
and response planning within emergency
management.
In 2018, this trend against the healthcare industry
continues to grow. As of September 2018, there have
been reported malware attacks every month of the
year affecting health systems, hospitals, third-party
medical suppliers, hospice care, provider clinics, and
medical device manufacturers. Healthcare
organizations have a few recommended actions they
can take to protect their networks, including
developing a security culture within the organization.
It is recommended that HCOs teach safe-use habits to
all staff and test on these rules. There are also IT
solutions to protect against cyberattacks, such as the
use of strong firewalls, antivirus software, intrusion
detection and even limiting network access (21).
Another avenue HCOs can explore in preparing for
cyber threats is procuring cyber insurance. The costs
of attacks are estimated to be in the trillions worldwide
by 2020 (25). Cyber insurance is a way to protect the
HCO enterprise. Insurance companies will do a full
assessment of an organization’s IT capabilities and
offer differing levels of coverage for a price. Often,
insurance does not cover loss of revenue from
downtime during attacks (25). As this type of threat
continues to evolve, so too will cyber insurance
policies.
Cyber threats to our society are only expected to
grow over time. A 2017 article from the American
Public Health Association cited a cyber-firm report
that estimates that over the next five years,
cyberattacks would cost the United States healthcare
system $305 billion in revenue and these attacks
would affect 1 in 13 patients (26). Due to the relatively
low number of cases identified in this content analysis,
a follow-up systematic review on this topic would be
appropriate to compare reporting trends of these
events. There is also a need for future research in this
area to better define what happens within an HCO
during an attack. Further review of attack cases could
highlight lessons learned and potentially identify best
practices. This research will help HCOs better
understand this hazard in order to prepare for and
plan for mitigation of this threat. The healthcare
industry has a choice to make when it comes to
emergency preparedness: are they going to prepare
their organization to prevent threats and protect
patient health, or are they going to rely on the recovery
of cyber insurance?
References
1. Luna R, Rhine E, Myhra M, Sullivan R, Kruse CS. Cyber threats to health information systems: a systematic review. Technology and Health Care. 2016;24:1-9. DOI: https://doi.org/10.3233/THC-151102
2. Kruse CS, Frederick B, Jacobson T, Monticone DK. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care. 2017;25(1):110. DOI: https://doi.org/10.3233/THC-161263
3. Waddell K. The computer virus that haunted early AIDS researchers [Internet]. The Atlantic. Atlantic Media Company; 2016 [cited 2018 Nov 2]. Available from: https://www.theatlantic.com/technology/archive/2016/05/the-computer-virus-that-haunted-early-aids-researchers/481965/
4. Narayana Samy G, Ahmad R, Ismail Z. Security threats categories in healthcare information systems. Health Informatics Journal. 2010;16(3):2019. DOI: https://doi.org/10.1177/1460458210377468
5. HIMSS North America. 2018 HIMSS cybersecurity survey [Internet]. 2018 [cited 2018 Nov 4]. Available from: https://www.himss.org/sites/himssorg/files/u132196/2018_HIMSS_Cybersecurity_Survey_Final_Report.pdf
6. Ayala L. Cybersecurity for hospitals and healthcare facilities: a guide to detection and prevention. Berkeley, CA: Apress; 2016. DOI: https://doi.org/10.1007/978-1-4842-2155-6
7. 93% of phishing emails contain ransomware [Internet]. Becker's Hospital Review. 2016 [cited 2018 Nov 2]. Available from: https://www.beckershospitalreview.com/healthcare-information-technology/93-of-phishing-emails-contain-ransomware.html
8. Siwicki B. Hackers hit 320% more healthcare providers in 2016 than in 2015, per HHS data [Internet]. Healthcare IT News. 2017 [cited 2018 Nov 2]. Available from: https://www.healthcareitnews.com/news/hackers-hit-320-more-healthcare-providers-2016-2015-hhs-data
9. Nakashima E. Russian military was behind 'NotPetya' cyberattack in Ukraine, CIA concludes [Internet]. The Washington Post. WP Company; 2018 [cited 2018 Nov 2]. Available from: https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?utm_term=.d3c66123570b
10. Chappell B, Neuman S. U.S. says North Korea 'directly responsible' for WannaCry ransomware attack [Internet]. NPR. NPR; 2017 [cited 2018 Nov 2]. Available from: https://www.npr.org/sections/thetwo-way/2017/12/19/571854614/u-s-says-north-korea-directly-responsible-for-wannacry-ransomware-attack
11. Perlroth N, Sanger DE. Hackers hit dozens of countries exploiting stolen N.S.A. tool [Internet]. The New York Times. The New York Times; 2017 [cited 2018 Nov 2]. Available from: https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?_r=0
12. Larson S. Massive ransomware attack hits 99 countries [Internet]. CNNMoney. Cable News Network; [cited 2018 Nov 2]. Available from: http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html
13. Lee S. Researchers says April was the worst-ever month for ransomware attacks [Internet]. Newsweek. 2016 [cited 2018 Nov 2]. Available from: http://www.newsweek.com/ransomware-attacks-reached-record-high-april-and-not-slowing-down-report-455239
14. Radke BA, Waters MJ, Cleary JC. Ransomware rises among hospitals [Internet]. Lexology. 2016 [cited 2018 Nov 2]. Available from: http://www.lexology.com/library/detail.aspx?g=8f3d29a5-2f87-42b8-ada1-54a109e38b3f
15. Spitzer J. Atlanta's ransomware attack cost $2.7M [Internet]. Becker's Hospital Review. 2018 [cited 2018 Nov 2]. Available from: https://www.beckershospitalreview.com/cybersecurity/atlanta-s-ransomware-attack-cost-2-7m.html
16. Barrett B. Hack Brief: Hackers are holding an LA hospital's computers hostage [Internet]. Wired. Conde Nast; 2017 [cited 2018 Nov 2]. Available from: https://www.wired.com/2016/02/hack-brief-hackers-are-holding-an-la-hospitals-computers-hostage/
17. Winton R. Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating [Internet]. Los Angeles Times. Los Angeles Times; 2016 [cited 2018 Nov 2]. Available from: http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
18. Reed T. [Internet]. bizjournals.com. 2016 [cited 2018 Nov 2]. Available from: http://www.bizjournals.com/washington/news/2016/04/06/medstar-hackers-exploited-design-flaw-from-2007-to.html
19. Davis HL. ECMC spent nearly $10 million recovering from massive cyberattack [Internet]. The Buffalo News. The Buffalo News; 2017 [cited 2018 Nov 2]. Available from: https://buffalonews.com/2017/07/26/cost-ecmc-ransomware-incident-near-10-million/
20. Siwicki B. Ransomware attackers collect ransom from Kansas hospital, don't unlock all the data, then demand more money [Internet]. Healthcare IT News. 2016 [cited 2018 Nov 2]. Available from: http://www.healthcareitnews.com/news/kansas-hospital-hit-ransomware-pays-then-attackers-demand-second-ransom
21. TrapX Labs. Anatomy of an attack: MEDJACK [Medical Device Hijack] [Internet]. TrapX Security. 2015 [cited 2018 Nov 4]. Available from: http://trapx.com/wp-content/uploads/2017/08/AOA_Report_TrapX_AnatomyOfAttack-MEDJACK.pdf
22. Naylor B. Russia hacked U.S. power grid - So what will the Trump Administration do about it? [Internet]. NPR. NPR; 2018 [cited 2018 Nov 2]. Available from: https://www.npr.org/2018/03/23/596044821/russia-hacked-u-s-power-grid-so-what-will-the-trump-administration-do-about-it
23. During Katrina, 'Memorial' doctors chose who lived, who died [Internet]. NPR. NPR; 2013 [cited 2018 Nov 6]. Available from: https://www.npr.org/2013/09/10/220687231/during-katrina-memorial-doctors-chose-who-lived-who-died
24. Evans M. Why some of the worst cyberattacks in health care go unreported [Internet]. The Wall Street Journal. Dow Jones & Company; 2017 [cited 2018 Nov 2]. Available from: https://www.wsj.com/articles/why-some-of-the-worst-cyberattacks-in-health-care-go-unreported-1497814241
25. Siwicki B. What to know about risk, coverage before you buy cyber insurance [Internet]. Healthcare IT News. 2018 [cited 2018 Nov 2]. Available from: https://www.healthcareitnews.com/news/what-know-about-risk-coverage-you-buy-cyber-insurance
26. Krisberg K. Cybersecurity: Public health increasingly facing threats. The Nation’s Health. 2017;107(8):1195.
How to cite this article: Branch LE, Eller WS, Bias TK, McCawley MA, Myers DJ, Gerber BJ, Bassler JR. Trends in Malware Attacks
against United States Healthcare Organizations, 2016-2017. Global Biosecurity, 2019; 1(1).
Published: February 2019
Copyright: Authors of articles published remain the copyright holders and grant third parties the right to use, reproduce, and share the
article according to the Creative Commons license agreement.
Global Biosecurity is a peer-reviewed open access journal published by University of New South Wales.
... In reference to the dataset in Figure 2 for example, malware attacks were primarily responsible for 48.0 percent of major cybersecurity incidents while phishing attacks accounts for 19.7 percent of them. The percent of major incidents caused by malware attacks as reported in this study is very likely to be the result of the computerization of many enterprises and the user interaction with these computer attacks [56], [57]. DoS/DDoS on the other hand, caused 13.5 percent of the major cybersecurity incidents identified in this study. ...
Article
Full-text available
The exponential growth in the interconnectedness of people and devices, as well as the upward trend in cyberspace usage will continue to lead to a greater reliance on the internet. Most people’s daily activities are dependent on their ability to navigate the internet to access and manage information. There are usually real risks associated with managing or accessing information, and these risks when exploited by threat actors, often lead to cybersecurity incidents. It is a common knowledge that a major cybersecurity incident is likely to result in significant financial losses, legal liability, privacy violations, reputational damage, sensitive data compromises, as well as national security implications. Threat actors usually employ various attack techniques to cause these incidents. After we identified the major cybersecurity incident report that is consolidated by the Center for Strategic & International Studies from which we derived the data about the 803 major incidents that we analyzed, we then verified its credibility, non-partisan, global outreach and cybersecurity attack coverage by cross-referencing it with Data Breach Investigation Report (DBIR). We also through the lens of the Global Cybersecurity Index (GCI) ensured that this study is conducted within the context of cybersecurity principles. In reference to these attack techniques employed by threat actors, we conducted an exploratory investigation of 803 major cybersecurity incidents that were reported over the last decade. From a group of 244 of these major security incidents that happened and were reported between 2005 and 2021, this study reports that malware attack techniques were employed by threat actors to cause 48 percent of them and phishing attack techniques account for 19.7 percent of them. 
As many sources have confirmed the fact that major incidents will always happen, we highlighted the importance of readiness of organizations to conduct cybersecurity incident triage and or thorough investigation as necessary. Given the relevance of the guidelines outlined in the National Institute of Standards and Technology (NIST) incident response framework, we recommend that organizations should adopt it or similar guidelines as best as possible.
... Humanitarian reasons do not apply to this type of cyberattack, "if you allow others to access your information, you pay for it", it does not matter if the lives of patients are compromised, there are no scruples, as evidenced in different hospitals around the world [20,21], where countries such as the United States [22], Great Britain [23], France, Asia, Europe [24,25] and the Middle East have been the hardest hit. ...
Article
Full-text available
El Internet de las Cosas es una de las tecnologías con mayor incursión y expansión en el mercado de servicios, haciéndola atractiva a los ciberataques debido a sus diversas vulnerabilidades, tanto en sus protocolos como en su implementación. Esto trae consigo aspectos que la industria y los usuarios deben tener en cuenta para minimizar el riesgo de sufrir diversos tipos de ataques, comprometiendo información sensible en el proceso. En este sentido, se muestra un estudio sobre las ventajas y desventajas del IoT, enfocándose en la protección de la información a partir de sus fallas presentes, que eventualmente habrá que tener en cuenta para futuros desarrollos que involucren la gestión y administración de datos a través de dispositivos. inteligente. La metodología utilizada se basa en una investigación teórica y cuasi-experimental representada en las habilidades y experiencia en hacking ético aplicado al entorno corporativo. De esta forma, se exponen las fallas más representativas en materia de ciberseguridad relacionadas con el IoT, para que sean atendidas por empresas y personal encargado de su seguridad.
... Computation is increasingly outsourced to remote cloudcomputing services [1], [2]. Encryption provides security as data is transmitted over the internet. ...
Preprint
Full-text available
Homomorphic Encryption (HE) enables users to securely outsource both the storage and computation of sensitive data to untrusted servers. Not only does HE offer an attractive solution for security in cloud systems, but lattice-based HE systems are also believed to be resistant to attacks by quantum computers. However, current HE implementations suffer from prohibitively high latency. For lattice-based HE to become viable for real-world systems, it is necessary for the key bottlenecks - particularly polynomial multiplication - to be highly efficient. In this paper, we present a characterization of GPU-based implementations of polynomial multiplication. We begin with a survey of modular reduction techniques and analyze several variants of the widely-used Barrett modular reduction algorithm. We then propose a modular reduction variant optimized for 64-bit integer words on the GPU, obtaining a 1.8x speedup over the existing comparable implementations. Next, we explore the following GPU-specific improvements for polynomial multiplication targeted at optimizing latency and throughput: 1) We present a 2D mixed-radix, multi-block implementation of NTT that results in a 1.85x average speedup over the previous state-of-the-art. 2) We explore shared memory optimizations aimed at reducing redundant memory accesses, further improving speedups by 1.2x. 3) Finally, we fuse the Hadamard product with neighboring stages of the NTT, reducing the twiddle factor memory footprint by 50%. By combining our NTT optimizations, we achieve an overall speedup of 123.13x and 2.37x over the previous state-of-the-art CPU and GPU implementations of NTT kernels, respectively.
... Computation is increasingly outsourced to remote cloudcomputing services [1], [2]. Encryption provides security as data is transmitted over the internet. ...
Conference Paper
Full-text available
Homomorphic Encryption (HE) enables users to securely outsource both the storage and computation of sensitive data to untrusted servers. Not only does HE offer an attractive solution for security in cloud systems, but lattice-based HE systems are also believed to be resistant to attacks by quantum computers. However, current HE implementations suffer from prohibitively high latency. For lattice-based HE to become viable for real-world systems, it is necessary for the key bottlenecks-particularly polynomial multiplication-to be highly efficient. In this paper, we present a characterization of GPU-based implementations of polynomial multiplication. We begin with a survey of modular reduction techniques and analyze several variants of the widely-used Barrett modular reduction algorithm. We then propose a modular reduction variant optimized for 64-bit integer words on the GPU, obtaining a 1.8× speedup over the existing comparable implementations. Next, we explore the following GPU-specific improvements for polynomial multiplication targeted at optimizing latency and throughput: 1) We present a 2D mixed-radix, multi-block implementation of NTT that results in a 1.85× average speedup over the previous state-of-the-art. 2) We explore shared memory optimizations aimed at reducing redundant memory accesses, further improving speedups by 1.2×. 3) Finally, we fuse the Hadamard product with neighboring stages of the NTT, reducing the twiddle factor memory footprint by 50%. By combining our NTT optimizations, we achieve an overall speedup of 123.13× and 2.37× over the previous state-of-the-art CPU and GPU implementations of NTT kernels, respectively.
... For example, in the health-care industry, hackers use ransomware to force organisations to pay. A likely explanation is that, after an attacker has gained access to an organization's network, the hacker will choose to deliver a malicious script, such as ransomware, to a sensitive location that causes service disruption in order to increase the likelihood that the company will pay the ransom demand (Branch et al., 2019). However, there is other empirical research has asserted the association between hackers and financial gain. ...
Technical Report
Full-text available
... Furthermore, other characteristic examples in 2016 and 2017 were the cyberattacks against Princeton Community Hospital and MedStar Health Inc., a non-profit healthcare company [4]. Only during 2016 and 2017, 49 critical cybersecurity incidents were performed against healthcare organisations in the US [5]. Furthermore, in the light of many reports, such as that of Online Trust Alliance's, 2017 was the "worst year ever" for cybersecurity incidents, while healthcare seems to be one of the most targeted industries by cyberattackers. ...
Conference Paper
Full-text available
The rapid evolution of the Internet of Medical Things (IoMT) introduces the healthcare ecosystem into a new reality consisting of smart medical devices and applications that provide multiple benefits, such as remote medical assistance, timely administration of medication, real-time monitoring, preventive care and health education. However, despite the valuable advantages, this new reality increases the cybersecurity and privacy concerns since vulnerable IoMT devices can access and handle autonomously patients’ data. Furthermore, the continuous evolution of cyberattacks, malware and zero-day vulnerabilities require the development of the appropriate countermeasures. In the light of the aforementioned remarks, in this paper, we present an Intrusion Detection and Prevention System (IDPS), which can protect the healthcare communications that rely on the Hypertext Transfer Protocol (HTTP) and the Modbus/Transmission Control Protocol (TCP). HTTP is commonly adopted by conventional ICT healthcare-related services, such as web-based Electronic Health Record (EHR) applications, while Modbus/TCP is an industrial protocol adopted by IoMT. Although the Machine Learning (ML) and Deep Learning (DL) methods have already demonstrated their efficacy in detecting intrusions, the rarely available intrusion detection datasets (especially in the healthcare sector) complicate their global application. The main contribution of this work lies in the fact that an active learning approach is modelled and adopted in order to re-train dynamically the supervised classifiers behind the proposed IDPS. The evaluation analysis demonstrates the efficiency of this work against HTTP and Modbus/TCP cyberattacks, showing also how the entire accuracy is increased in the various re-training phases.
Article
Full-text available
Background The way science is practiced is changing and forecasting biotechnology crime trends remains a challenge as future misuses become more sophisticated. Methods A parallel Delphi study was conducted to elicit future biotechnology scenarios from two groups of experts. Traditional experts, such as professionals in national security/intelligence, were interviewed. They were asked to forecast emerging crime trends facilitated by biotechnology and what should be done to safeguard against them. Non-traditional experts, such as “biohackers” who experiment with biotechnology in unexpected ways, were also interviewed. The study entailed three rounds to obtain consensus on (i) biotechnology misuse anticipated and (ii) potential prevention strategies expected. Results Traditional and non-traditional experts strongly agreed that misuse is anticipated within the cyber-infrastructure of, for example, medical devices and hospitals, through breaches and corporate espionage. Preventative steps that both groups strongly advocated involved increasing public biosecurity literacy, and funding towards addressing biotechnology security. Both groups agreed that the responsibility for mitigation includes government bodies. Non-traditional experts generated more scenarios and had a greater diversity of views. Discussion A systematic, anonymous and independent interaction with a diverse panel of experts provided meaningful insights for anticipating emerging trends in biotechnology crime. A multi-sector intervention strategy is proposed.
Article
Objectives: Our institution was affected by a multi-institution, systemwide cyberattack that led to a complete shutdown of major patient care, operational, and communication systems. The attack affected our electronic health record (EHR) system, including all department-specific modules, the laboratory information system (LIS), pharmacy, scheduling, billing and coding, imaging software, internet access, and payroll. Downtime for the EHR lasted 25 days, while other systems were nonfunctional for more than 40 days, causing disruptions to patient care and significantly affecting our laboratories. As more institutions transition to network EHR systems, laboratories are increasingly vulnerable to cyberattack. This article focuses on the approaches we developed in the anatomic pathology (AP) laboratory to continue operations, consequences of the prolonged downtime, and strategies for the future. Methods: Our AP laboratory developed manual processes for surgical and cytopathology processing, redeployed staff, and used resources within the department and of nearby facilities to regain and maintain operations. Results: During the downtime, our AP laboratory processed 1,362 surgical pathology and consult cases as well as 299 cytology specimens and outsourced 1,308 surgical pathology and 1,250 cytology cases. Conclusions: Our laboratory successfully transitioned to downtime processes during a 25-day complete network outage. The crisis allowed for innovative approaches in managing resources.
Article
Purpose: The digitization of healthcare for patient safety and efficiency introduced third party networks into closed hospital systems increasing the probability of cyberattacks and their consequences(1). In April 2021, a major vendor of a Radiation Oncology (RO) record and verify system (RVS) suffered a ransomware attack, affecting our department and many others across the United States. This article summarizes our response to the ransomware event including workflows, team member roles, responsibilities, communications and departmental recovery. Methods and materials: The RVS created or housed accurate patient dose records for 6 locations. The immediate response to the ransomware attack was to shut down the system including the ability to treat patients. With the utilization of the hospital EMR and pre-existing interfaces with RVS, the department was able to safely continue patient radiotherapy treatments innovatively utilizing a direct DICOM transfer of patient data to the linear accelerators and implementing paper charting. Human capital costs included communication, outreach, workflow creation, quality assurance and extended clinical hours. Results: No patients were treated in the first 24 hours of the attack. Within 48 hours of the ransomware event, 50% of patients were treated, and within 1 week, 95% of all patients were treated using direct DICOM transfer and paper charts. The RVS was completely unavailable for 2.5 weeks and full functionality was not restored for 4.5 weeks. A phased approach was adopted for re-introduction of patient treatments back into the RVS. Conclusions: Key lessons learned were to have a back-up of essential information, employ 'dry run' emergency training, having consistent parameter requirements across different vendor hardware and software, and having a plan for the recovery effort of restoring normal operations once software is operational. 
The provided report presents valuable information for the development of cyber-attack preparedness for RO departments.
Research
Full-text available
Malware Attacks affecting organizations
Article
Full-text available
Background: The adoption of healthcare technology is arduous, and it requires planning and implementation time. Healthcare organizations are vulnerable to modern trends and threats because it has not kept up with threats. Objective: The objective of this systematic review is to identify cybersecurity trends, including ransomware, and identify possible solutions by querying academic literature. Methods: The reviewers conducted three separate searches through the CINAHL and PubMed (MEDLINE) and the Nursing and Allied Health Source via ProQuest databases. Using key words with Boolean operators, database filters, and hand screening, we identified 31 articles that met the objective of the review. Results: The analysis of 31 articles showed the healthcare industry lags behind in security. Like other industries, healthcare should clearly define cybersecurity duties, establish clear procedures for upgrading software and handling a data breach, use VLANs and deauthentication and cloud-based computing, and to train their users not to open suspicious code. Conclusions: The healthcare industry is a prime target for medical information theft as it lags behind other leading industries in securing vital data. It is imperative that time and funding is invested in maintaining and ensuring the protection of healthcare technology and the confidentially of patient information from unauthorized access.
Article
Full-text available
This article attempts to investigate the various types of threats that exist in healthcare information systems (HIS). A study has been carried out in one of the government-supported hospitals in Malaysia.The hospital has been equipped with a Total Hospital Information System (THIS). The data collected were from three different departments, namely the Information Technology Department (ITD), the Medical Record Department (MRD), and the X-Ray Department, using in-depth structured interviews. The study identified 22 types of threats according to major threat categories based on ISO/IEC 27002 (ISO 27799:2008). The results show that the most critical threat for the THIS is power failure followed by acts of human error or failure and other technological factors. This research holds significant value in terms of providing a complete taxonomy of threat categories in HIS and also an important component in the risk analysis stage.
Book
Learn how to detect and prevent the hacking of medical equipment at hospitals and healthcare facilities. A cyber-physical attack on building equipment pales in comparison to the damage a determined hacker can do if he/she gains access to a medical-grade network as a medical-grade network controls the diagnostic, treatment, and life support equipment on which lives depend. News reports inform us how hackers strike hospitals with ransomware that prevents staff from accessing patient records or scheduling appointments. Unfortunately, medical equipment also can be hacked and shut down remotely as a form of extortion. Criminal hackers will not ask for a $500 payment to unlock an MRI, PET or CT scan, or X-ray machine—they will ask for much more. Litigation is bound to follow and the resulting punitive awards will drive up hospital insurance costs and healthcare costs in general. This will undoubtedly result in increased regulations for hospitals and higher costs for compliance. Unless hospitals and other healthcare facilities take the steps necessary to secure their medical-grade networks, they will be targeted for cyber-physical attack, possibly with life-threatening consequences. Cybersecurity for Hospitals and Healthcare Facilities is a wake-up call explaining what hackers can do, why hackers would target a hospital, the way hackers research a target, ways hackers can gain access to a medical-grade network (cyber-attack vectors), and ways hackers hope to monetize their cyber-attack. By understanding and detecting the threats, hospital administrators can take action now—before their hospital becomes the next victim. This book shows you how to:
  • Determine how vulnerable hospital and healthcare building equipment is to cyber-physical attack.
  • Identify possible ways hackers can hack hospital and healthcare facility equipment.
  • Recognize the cyber-attack vectors—or paths by which a hacker or cracker can gain access to a computer, a medical-grade network server, or expensive medical equipment in order to deliver a payload or malicious outcome.
  • Detect and prevent man-in-the-middle or denial-of-service cyber-attacks.
  • Detect and prevent hacking of the hospital database and hospital web application.
Article
Background: Recent legislation empowering providers to embrace the electronic exchange of health information leaves the healthcare industry increasingly vulnerable to cybercrime. The objective of this systematic review is to identify the biggest threats to healthcare via cybercrime. Objective: The rationale behind this systematic review is to provide a framework for future research by identifying themes and trends of cybercrime in the healthcare industry. Methods: The authors conducted a systematic search through the CINAHL, Academic Search Complete, PubMed, and ScienceDirect databases to gather literature relative to cyber threats in healthcare. All authors reviewed the articles collected and excluded literature that did not focus on the objective. Results: Researchers selected and examined 19 articles for common themes. The most prevalent cyber-criminal activity in healthcare is identity theft through data breach. Other concepts identified are internal threats, external threats, cyber-squatting, and cyberterrorism. Conclusions: The industry has now come to rely heavily on digital technologies, which increase risks such as denial of service and data breaches. Current healthcare cyber-security systems do not rival the capabilities of cyber criminals. Security of information is a costly resource and therefore many HCOs may hesitate to invest what is required to protect sensitive information.