Law professor: Ransomware hitting 'critical mass;' healthcare orgs must prepare

From coast to coast, U.S. hospitals are falling victim to ransomware, with some coming away unscathed and others ultimately paying the price requested. This type of attack will not slow down anytime soon, law professor Shaun Jamison, J.D., Ph.D., tells FierceHealthIT, and as the problem hits critical mass, organizations must be prepared.

"You have to look at what your IT folks are saying" during a ransomware event, Jamison, who teaches at Concord Law School of Kaplan University, says. "Can you overcome it without paying? What are the next steps?"

What those next steps will consist of, he says, must be well documented. Hospitals and health systems have to know where to turn when an attack occurs, who they will notify and what the response will be.

In addition, Jamison says, the plan and the tree of people who must be notified of an attack should be on paper. "If you're attacked and don't have access to computer systems or email, how will you get access to all that information?" he says.

In recent cases, some hospitals have been able to contain the attacks, while one, Hollywood Presbyterian, paid the ransom to regain access to its systems.

In cases where a hospital or health system does pay the ransom, Jamison says the amount is often not a big hit to a large organization; the payment is weighed against the damage that could be done if the ransom is not paid.

Hollywood Presbyterian paid its attackers $17,000, or 40 bitcoins, after access to the electronic health record and email was blocked for more than a week.

However, paying also could set a precedent, Jamison says. "When you pay, it's about the fact that these actors might attack you again or attack others. You don't want to encourage further attacks unless there is no other course of action available."

If malicious actors "see success, they're going to continue, and they're going to get excited and hit it hard while there's still an opportunity. Until organizations ramp up their defense against this, we're going to see more attacks," he says.

Other attacks seen this year include those on Ottawa Hospital in Canada and the LA Department of Health. An attack that began March 28 on MedStar Health resembles a ransomware attack, but the health system has not confirmed the nature of that incident.

Rep. Ted Lieu (D-Calif.) recently said he was considering drafting legislation to require healthcare organizations to notify patients when a ransomware attack has occurred. Jamison says that while such efforts would help get everyone on the same page about notification, and would prevent an honest organization that did disclose an attack from being singled out, it might be better if industry insiders were the ones to set such standards.

Groups "like the [American Hospital Association] could create rules that they agreed to and that members agree to as far as notification goes," he says. "With government regulation, I worry a little bit, because they try to have it be one-size-fits-all."

Regardless, Jamison says, "disclosure is better than non-disclosure, because more times than not [word of the attack] will get out and then an organization is unable to control the message."

He adds that if there is a silver lining in all of this, it's that the attacks will make it easier for health IT execs to obtain funding for full, robust cybersecurity.

"There's no question this is a serious issue at this point," Jamison says. "I think we'll see commitment in healthcare to address this. It's hit critical mass; it's on everyone's mind, it's on the news, it's everywhere."