HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Mobile Device Ransomware Warnings Becoming More Urgent

A special report on CNBC.com into mobile device ransomware was compiled in the aftermath of the Hollywood Presbyterian Medical Center ransomware cyberattack. The attack crippled the hospital's internal computer system, shut down its email servers and prevented access to EMRs. The hospital had no option but to pay a $17,000 ransom to obtain the encryption key that would unlock its data and communications system.

Although investigations are still ongoing into how the crippling malware found its way into the hospital's system, mobile device ransomware has not been ruled out. Indeed, the CNBC.com article starts with cyber security expert Robert Herjavec commenting that 40% of threats come from inside and – knowing this – cybercriminals are taking advantage of mobile device ransomware to launch more sophisticated cyberattacks.

Not the First Ransomware Attack on a Medical Facility

Ransomware – a type of computer malware – is an effective weapon for cybercriminals. Traditionally it has been used to encrypt files on a computer to make them inaccessible, and normally finds its way into a computer network via a downloaded Trojan that has been disguised as a legitimate file, or via bogus advertising links that take visitors to a website that can detect vulnerabilities in browser plugins. More recently, says Herjavec, mobile device ransomware has become more prolific.

Ransomware has been used before to attack medical facilities. In 2012, access to the medical records of 7,000 patients at the Surgeons of Lake County was blocked by ransomware, while two years later Clay County Hospital in Illinois was also subject to a ransomware attack – this time affecting the records of 12,621 patients. Details of how the ransomware infected the two computer systems have not been released – nor how much ransom the two medical facilities had to pay to recover their files.

Ransomware: Potentially A Matter of Life and Death

According to cybersecurity expert Lillian Albon, medical facilities make good targets for ransomware attacks because they rarely have the IT security resources available to larger organizations. Hussein Syed – Chief Information Security Officer for Barnabas Health – added that computer systems in the healthcare industry have to be kept running at all times because of patient care issues. “In some cases,” Syed said, “it is a matter of life and death.”

In the compilation of the CNBC.com report, author Bob Woods spoke with Kevin Haley, a Director at Symantec Security Response. Haley was adamant that cybercriminals are expanding their attacks beyond desktop computers to include mobile device ransomware. Haley claimed that almost any device that has an operating system and “potentially anything connected to the Internet” can be used to launch a ransomware attack.

Security Issues for Healthcare Organizations with Unsecure BYOD Policies

Mobile device ransomware creates all kinds of security issues for healthcare organizations with unsecure BYOD policies. Not only has it been forecast that ransomware attacks will increase over the next year, but it has also been proven that malware on a mobile device can infect a computer network via an organization's Wi-Fi router.

At the conclusion of the CNBC.com article, Dmitriy Ayrapetov – Director of product management at Dell SonicWALL – predicted that security measures could be in place to prevent mobile device ransomware attacks within two years. Until then, unless healthcare organizations take steps to secure their communication systems, it may only be a question of time until ransomware attacks – such as that which crippled the Hollywood Presbyterian Medical Center – appear on the news daily.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.