HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Beware of Medical Device Ransomware in 2016 Warns Forrester Research

The spate of data breaches suffered by HIPAA-covered entities is set to continue in 2016, according to predictions by security experts. Malware and phishing attacks are likely to remain the means used to obtain PHI from healthcare providers this year.

While phishing and social engineering were used to gain access to data last year (Anthem, Premera), ransomware attacks have not plagued the healthcare industry, even though the use of the malicious software has grown. Hackers have preferred attacking healthcare providers for the data they hold rather than locking computers and demanding a ransom. Far greater rewards can be gained from obtaining millions of healthcare records than from locking a handful of computers.

However, that does not mean that ransomware is not a problem. In fact, research and advisory company Forrester Research has predicted that ransomware attacks are going to be more of a problem in 2016, and the company believes that medical devices and wearables will be targeted.

If the prediction turns out to be true, medical devices could be attacked and have their functionality disabled, leaving little alternative but to pay a ransom in order to get the devices unlocked.

Cybercriminals' use of ransomware has increased over the course of the past two years. Once installed, the malware locks files and data with powerful encryption. The victims have a choice: pay a ransom and be supplied with a security key to decrypt the files, or have the files deleted. Last year, CryptoWall ransomware was used to lock over 600,000 computers and earned the criminals behind the campaigns well over $1 million in ransoms.

Ransoms are demanded in Bitcoin, making it next to impossible to trace the funds and catch the criminals behind the campaigns. Conservative estimates indicate over 5 billion files have been locked and held hostage to date.

The current crop of ransomware is not designed to attack anything other than devices running on Windows. While it is technically possible for medical devices to be attacked by ransomware, criminals have yet to conduct this type of attack. With small modifications to the malware, attacks would be possible.

The FDA issued a warning about drug pump vulnerabilities last summer, and security vulnerabilities in medical devices are now being investigated. The FDA is concerned. It has already issued cybersecurity guidance and has recommended manufacturers of medical devices “establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis.”

It is hoped that this is one 2016 cybersecurity prediction that will not come true, but what is certain is that medical device manufacturers need to make greater efforts to secure their devices. Security vulnerabilities must be evaluated and addressed before hackers take advantage.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.