Yahoo!7 News Australia just published a noteworthy article: "Cyber attacks: pharmacies, patient records targeted 'ransomware' attacks" (17-Jan-2014), highlighting a worrisome trend of using Ransomware to specifically attack medical institutions, encrypt critical data (pharmacy records in this case) in place and demand a ransom in exchange for the encryption key.
Although we have seen these types of attacks before (Express Scripts, 2008; Virginia Health Professions Database, 2009; or Surgeons of Lake County, 2012), these recently reported attacks are raising the bar for a number of reasons: 10 reported cases in an 18-month period, all focused on a specific industry and geography, presumably enabled by the wide availability of very mature Ransomware tools and especially through the spread of the Cryptolocker Trojan since 2013.
Unlike previous targeted attacks on healthcare institutions, which were mainly driven by the motivation to steal patient demographic and financial data, this type of attack has immediate operational impact and puts patients' safety at risk. As reported from Australia: "If that happened they can't ensure the safety of patients in terms of previous medications et cetera," with the Pharmacy Board of Australia issuing a formal warning and comparing the latest attacks to "financial terrorism".
Losing your EHR database or other critical system to a Ransomware attack prevents clinicians from accessing clinical information, like patient history or lab results, and prevents them from providing care; or, in case of an emergency, prevents the care team from having access to the complete medical picture, leading to potentially compromised decision making.
Cyber attacks on healthcare institutions are not new, and malware outbreaks (targeted or general, unintentional) are only too common. Unfortunately, many healthcare providers have a weak security posture and their ability to prevent, detect, or quickly and efficiently respond to an attack may be limited. I am afraid that this new attack paradigm, targeted encryption of critical health data, puts healthcare institutions squarely into the crosshairs of a new and highly sophisticated threat.