Ransomware onslaught shines spotlight on patient data privacy shortcomings

In recent weeks, multiple industries have experienced the devastating consequences of ransomware attacks. A May ransomware attack on Colonial Pipeline — one of the largest pipeline operators in the U.S. — triggered widespread shortages of gas and jet fuel. In June, the world’s largest meat processor shut down nine American plants after being hit.

These organizations and others that provide essential public services or infrastructure are increasingly prevalent targets for ransomware attacks, in which system access is blocked, held hostage, and restored in exchange for a ransom. The reason bad actors target businesses at the heart of American life is simple: entities are more tempted to pay huge sums of money when the stakes are high.

“Pharmaceuticals, hospitals, healthcare, public companies, organizations that don’t have the talent and skills to defend themselves — they’re getting sucker punched,” said Kevin Mandia, CEO of cybersecurity firm FireEye, at a Wall Street Journal cybersecurity conference.

Healthcare’s weak spot
In healthcare, where immediate, uninterrupted availability of patient data is critical to the delivery of quality care, ransomware attacks put organizations between a rock and a hard place: they can either reward and encourage criminals by paying the ransom, or allow care quality to hang in the balance as limited internal staff works to regain system access. Hospitals and health systems that choose the latter — resisting the ransom — could be locked out of their EHRs for weeks. Because EHRs play a central function in determining a patient’s course of treatment, coordinating care, and ensuring adherence to treatment regimens, blocked access can be devastating from a quality standpoint.

However, the damage of health data hostage situations can extend far beyond point-of-care issues. Patient records contain immutable, highly sensitive information that can be used to commit identity theft and other kinds of fraud long after it’s first breached. Thus, it’s not hard to grasp why compared to other industries, organizations in healthcare are among the most likely to consider paying a ransom to restore data access in the event of an attack,…