While the Obama administration attempted to modernize the healthcare industry by paying doctors and hospitals to convert to electronic records, they did not predict this $35 billion investment would only create chaos among the industry. This incentive program quickly caught the attention of cybercriminals once they realized they could make a fortune by freezing files in hospitals’ networks and computer systems and demanding a ransom in return. Unlike other industries, this creates life or death scenarios instead of solely monetary losses, which only increases the likelihood that the ransoms be paid. David Brailer, chief of health IT in the second Bush administration explained that while the incentive program “thrust tens of thousands of health care providers into the digital age before they were ready, one area where they were woefully unprepared is security. It created thousands of vulnerabilities in hospitals and practices that lack the budget, staff or access to technical skills to deal with them.” Now, hospitals are left asking for more money and resources to boost security while Congress lacks the budget to provide the necessary additional funding.
This concern is not going unnoticed. The Whitehouse and SC Senator Lindsay Graham recently proposed increased punishments on cybercriminals if their attacks result in deaths or injuries. Although, this raises the question of who is going to be held responsible if the cybercriminal cannot be found. Further, the FDA and Office for Civil Rights use penalties and guidance documents to drive healthcare providers and device makers to practice better “cyber hygiene.” However, “If you aren’t following good practices, the regulatory environment isn’t going to save you,” says Rep. Will Hurd (R-Texas), leader of the House Oversight cybersecurity subcommittee. While government agencies can increase the sharing of threat intelligence, “healthcare has to help itself.” The types and number of cyber attacks on the healthcare industry is increasing exponentially. In fact, just this week a Kansas hospital was left with no choice but to pay the ransom to unblock frozen records. Additionally, a small Kentucky hospital experienced 3,500 attempted attacks on Mother’s Day, according to Leslie Krigstein, VP of the CHIME. Unfortunately, it seems that this $35 billion investment has only left the healthcare industry with more problems and a need for more funding and resources.