Health-Care Extortion Goes Digital


Imagine if someone hacked into your computer, stole all of your family photos, and demanded $500,000 to return them. Replace “family photos” with “medical records,” and you’ve got a picture of cyber health-care extortion, a growing threat that’s keeping medical professionals up at night.

Cyber extortion comes in many flavors, including ransomware attacks, in which hackers block access to medical records until a hospital or provider pays them a hefty sum. Other schemes include denial of service and distributed denial of service attacks, which flood computer systems with messages, eventually shutting them down. The hackers then demand a payment to stop the attack and restore the computer systems.

Cyber extortion can also go well beyond financial demands. “Beyond the threat of crippling financial demands from a hacker, there’s the terrifying prospect of denial of service attacks on certain medical devices that could interfere with a facility’s clinical capabilities and disrupt treatment,” Jeremy D. Sherer, a health-care attorney with Hooper, Lundy & Bookman PC in Boston, told me.

Sherer said the training and education are essential in preventing cyber extortion attacks. Employees should be taught to identify irregular e-mails that hackers could use to access a hospital computer system, Sherer said.

“Running drills that involve sending fake, suspicious-looking e-mails to employees is one tool that facilities can use to see just how effective their training programs really are, and alert them to which employees may need extra training,” Sherer said.

A recent government update said cyber extortion schemes are a major source of disruption for health-care organizations, and the past year has witnessed the worldwide Petya and WannaCry attacks, which hit pharmaceutical manufacturers and hospitals, in addition to other businesses.

Read my full story here.

Stay on top of new developments in health law and regulation, and learn more, by signing up for a free trial to Bloomberg Law.