Hancock Regional Hospital in Greenfield, Indiana, where Steve Long is the hospital administrator, was hit by a cyberattack earlier this year. Long, in attempts to make sure his patients were safe, paid the hackers four Bitcoin in ransom for the return of the hospital’s stolen information. Now, Long spends a lot of his free time traveling the country speaking with others in the healthcare industry, in the hopes that education will help prevent them from becoming victims of similar attacks, which are on the rise.
Cyberattack: Hancock Regional Hospital
According to an interview with CNBC, the cyberattack against Long’s hospital was made possible because the criminals had obtained the login credentials of a vendor that provides hardware for one of its information systems, enabling the group to inject malware and encrypt the hospital’s data.
To identify the cause and scope of the attack and eradicate the threat, Long and his team recruited Indianapolis-based cybersecurity firm Pondurance. Pondurance co-founder Ron Pelletier said the first priority was to contain the intrusion and evaluate what was affected.
Together with the FBI, which was called in to help pinpoint the origin of the attack, Pondurance experts determined that there was no easy way to erase the encrypted data from Hancock’s system and replace it with clean data from the backup system.
Because of this fact, Long — who also took into consideration January’s flu outbreak and a snowstorm that had hit Indiana the day of the attack — made the executive decision to buy the decryption keys from the hackers. This was made possible by the transfer four Bitcoin, which was selling above $13,500 that day, bringing the total Hancock Regional Hospital paid to about $55,000.
“Criminal organizations now are treating this like a business,” Pelletier said. “They’re going to plan, they’re going to make sure they understand how they’re going to execute and then they’re going to set out and see where they can execute.”
Heathcare and Computer Security Incidents
According to data from Chubb, the world’s largest publicly traded property and casualty insurer, over the past decade the healthcare field has had far more computer security incidents than any other industry, accounting for 38% of incidents, versus 16% for professional services, and 11% for retail. There’s a solid reason why: Chubb said that personal health information is approximately 10 times more valuable on the black market than data a hacker could obtain from a retailer.
Unlike personal identifying information —which might include a name, email address, and credit card numbers or a Social Security number — healthcare-related information offers a wealth of additional data, including medical records. Health insurance ID numbers may also be tied to driver’s license numbers or financial information, Chubb experts told CNBC.
The biggest problem with the theft of this sort of information is that it can’t be immediately fixed. Consumers can shut down credit cards after cyber attacks, but can’t cancel a Social Security number or change a birth date. As a result, hackers can harvest patient data and hold it for “a larger score down the road,” using it for years to open illicit bank accounts or steal additional information, said Chubb’s Mike Tanenbaum.
The increasing hacks in healthcare come at a time when U.S. companies have fallen under scrutiny for how they manage consumer data, raising questions about how personal information should be used and protected. Last week, athletic retailer Under Armour told customers that its MyFitnessPal app was compromised, jeopardizing data from approximately 150 million users.
And we can’t forget Facebook: the social media giant recently came under fire over its privacy practices in the wake of revelations that Cambridge Analytica improperly gained access to data from some 87 million user profiles, which is used to target political ads and influence the 2016 U.S. Presidential election.
Image Courtesy of Shutterstock