“Over half the people we polled indicated that they had some sort of ransomware attack,” said Brendan FitzGerald, HIMSS Analytics Research Director for Advisory Solutions.
What’s more, another 25 percent are either unsure or have no way of knowing whether ransomware attacks were perpetrated against them or not.
Taken together, that means approximately 75 percent of responding healthcare entities either were or could potentially have been targeted with a ransomware attack.
Although such attacks are numerous, very few have succeeded to date, which explains why only a handful catch the public’s attention.
Some 50 percent of respondents, in fact, said they are unsure or have no way of knowing whether they managed to detect such attacks.
How ready are hospitals for a ransomware attack, should it succeed and their data or systems be encrypted?
“Seventy three percent of the health systems we surveyed have a business continuity plan in place, so if something happens they are prepared to address it,” FitzGerald said.
Of the remaining 26 percent, only 3 percent answered that they are unsure, while 23 percent said they do not have a business continuity plan in place should a ransomware attack occur.
“When asked if they would pay the ransom, almost half said they are unsure,” FitzGerald said. “That calls into question how solid those plans really are when dealing with ransomware.”
The reality is that many hospital executives cannot easily know up-front whether they will pay or not.
That decision will be determined by various factors, including the scale of the attack, when it was detected, how quickly the business continuity plan kicked in, how widespread the encryption is, and when exactly the last data back-up occurred.
“Some organizations back up data daily. But when you’re talking about an entire health system, there’s no guarantee that the data will get backed up every single day,” FitzGerald said. “Even daily backups can be hit or miss in terms of what kind of data is included, be that lab results, images, or other types.”
“There has been a lot of industry literature around whether or not to pay the ransom, most of it recommending not to,” FitzGerald said. “I think as a last resort there’s that potential to pay a ransom.”
That means choosing whether or not to pay the ransom is most likely going to be a game-day decision.
To avoid being in that position in the first place, FitzGerald recommended that healthcare executives concentrate on educating end-users above all else, because prepared employees, even more than whiz-bang security tools or more frequent backups, will be the biggest deterrent to hackers getting in.