Issue link: https://beckershealthcare.uberflip.com/i/665044
90 HEALTH IT What Hospitals Can Learn from Hollywood Presbyterian's Ransomware Run-in By Max Green G one are the days of ransomers taking on major risk to score an enormous payoff. Modern crooks can sit in front of computer screens, content in knowing that their exploits stand to net them huge sums of money with essentially no downside should they fail, exemplified by whoever brought Hollywood (Calif.) Presbyterian Medical Center's IT systems to a grinding halt Feb. 5 and cleaned up with a cool $17,000 for their work. It sounds like a pretty good business, says Mike Overly, a Los Angeles-based lawyer with Foley & Lardner who specializes in information security. "You can walk into a bank and hold it up, or you can send out thou- sands and thousands of these ransomware attacks at no cost whatso- ever and essentially zero risk," Mr. Overly says. "And you've got the ability to demand untraceable revenue — bitcoins." Ransomware isn't a new concept, according to Mr. Overly. e prac- tice started to become somewhat prevalent in other industries, even historically well-protected sectors like finance, about 18 or 24 months ago, although it has existed for some time. Hundreds of millions of dollars per year are forked over to hackers, and many businesses are at the point where they factor ransom money into their costs. "Combine that with the fact that there is almost zero likelihood of being caught, the technology requires no skills to use, and you have a perfect opportunity for organized criminals to use this as an incredible revenue mechanism," Mr. Overly says. Healthcare has managed to remain mostly on the fringes of those hit hard by the attacks, until now. And there's a good reason why. Healthcare workers are generally a bit better prepared than staff in other industries, trained with confidentiality in mind. e same goes for healthcare IT systems themselves, which are usually a bit more secure for privacy purposes, Mr. Overly says. But those defenses are far from enough. "You could probably pick the most sophisticated healthcare organiza- tion in the world and show up there tomorrow, walk into the cafeteria and lay a USB drive labeled 'radiology' on a table," Mr. Overly say. "I'd be willing to bet that by 5 o'clock that day, someone would have plugged that drive into a computer to see what it contained, and that would be it. ey would be doing all the work for me, I could just leave it there and they would infect their own systems." So what's the answer for hospitals increasingly targeted in these costly attacks? Doubling down on personnel training and education is a good place to start. Investing in increased security measures is also ideal, but for Hollywood Presbyterian and Mount Pleasant, Texas-based Titus Regional Medical Center, which suffered a ransomware attack in January, the source of the problem was very likely user error, according to Mr. Overly. "is is one of the reasons why we do a lot of training for healthcare organizations in particular to better educate their personnel on taking personal responsibility," Mr. Overly says. "One of the things we've found is it's very important for employees to understand information security both at work and at home. Studies show that getting better security awareness at home carries over into the workplace. We see many organizations developing personal information security rules and guidelines for employees that address best practices both at work and at home." Although Hollywood Presbyterian's ransom was publicized as $3.6 million, the hospital only paid $17,000 to regain access to its medical records and IT systems, a sum that many would view as reasonable for a large organization. But there's a real danger to chalking that payout up to the cost of doing business. "ese are just going to get worse, not better. Demands are going to get higher, not lower," Mr. Overly says. "Yes, in this case they were able to settle it for a reasonable amount, but we're not going to see that continue. Hollywood Presbyterian is not the first nor will it be the last. e trend is upward, not downward." n IBM to Acquire Truven Health Analytics for $2.6B By Akanksha Jayanthi I BM Watson Health plans to acquire Truven Health An- alytics for $2.6 billion, a deal which upon completion will aggregate health-related data of approximately 300 million patient lives. Truven Health Analytics provides cloud-based health- care data, analytics and insights for more than 8,500 clients, including U.S. federal and state government agencies, employers, health plans, hospitals, clinicians and life science companies. The acquisition is IBM Watson's fourth health-related agreement since the Watson Health unit was launched in April 2015. Additionally, more than 5,000 Truven employees will join the IBM business unit, including clinicians, epidemiolo- gists, statisticians and more. "With this acquisition, IBM will be one of the world's leading health data, analytics and insights companies, and the only one that can deliver the unique cognitive capabilities of the Watson platform," said Deborah DiSanzo, general manager for Watson Health. "Truven's impressive team, extensive client roster and expansive data sets complement Watson Health's broad- based team, capabilities and offerings. Together, we're well positioned to scale globally and to build first-in- class offerings designed to help our clients apply cogni- tive insights in a value-based care environment." The acquisition is expected to close later this year. n