More than 40% of health care organizations have experienced a cyber attack involving the “WannaCry” ransomware cryptoworm within the past six months, according to a report by the cyber security firm Armis.
Health care organizations, including hospices, continue to be the preferred target of cyber criminals who can glean patient names, insurance information, financial information, addresses, social security numbers and other data that hackers can use for identity theft or other fraudulent activity.
“Health care, manufacturing and retail sectors have high rates of old operating systems in their networks,” the report indicated. “By 2020, Windows 7 will reach its end-of-life, and join many of the earlier Windows versions that do not receive any security updates. It is not a coincidence that these sectors are also the ones affected the most by ransomware like WannaCry, which rely on unpatched devices for their successful operation.”
The ransomware first appeared in 2017 and in its first few days infected more than 300,000 devices. WannaCry encrypts the device owner’s data and displays a ransom demand to be paid in bitcoin. Numerous businesses ceased operating for days or weeks, with some estimates putting the total cost of the 2017 attacks at $4 billion, including $325 million in paid ransom money, according to the report.
The ransomware continues to be a significant threat. Nearly 30% of all third quarter 2018 ransomware attacks involved WannaCry, Armis reported. The mechanism that allows WannaCry to encrypt a health care organization’s data also leaves devices vulnerable to other forms of ransomware and cyber crime.
“Microsoft issued patches for the vulnerability once it was made public, most organizations did not deploy these, leaving affected devices defenseless against WannaCry outbreaks,” the Armis report indicated. “Patching can be difficult and time-consuming, and in some cases, it could even require rebuilding entire systems. But doing so is absolutely necessary.”
A number of hospices have experienced serious data breaches in recent years. Though the number that were hit by WannaCry is unknown, clear vulnerabilities exist in many hospice systems, which may use older software platforms or operating systems.
Maryland-based Frederick Regional Health System in March sent letters to its hospice patients informing them of a phishing attack that accessed patients’ protected health information, according to media reports. A similar incident took place in April involving Bend, Ore., hospice provider Partners in Care. In May 2018, CarePartners Hospice and Palliative Care notified patients of a data security incident, also pertaining to email, that compromised patients’ personal and protected health information.