MAINE, USA — A virtual era during the pandemic has shed more light on some issues, including cybersecurity. Ransomware attacks nationwide have some Mainers wondering what is being done to protect their information. In places like health care environments, the threat is very real, since criminals are learning to adapt -- and experts don't expect they'll be going away any time soon.
Christie Polley is the chief information security officer for Northern Light Health. She says criminals are no longer looking to attack end-point security, like the borders of a network. Instead, they tend to resort to phishing attacks (much more "personal", Polley says), which account for about 90 percent of breaches overall.
Polley says as a whole, ransomware attacks are up about 400 percent nationwide compared to 2019 and up about 102 percent from the beginning of 2020.
Polley says hospitals can be especially vulnerable to attacks because patients' lives and information are at stake. Typically, criminals try to access entire medical records, which contain all-encompassing information, like a person's social security number, date of birth, address, and medical history. These records can be sold on the dark web for between 200 and 500 dollars, while financial records usually only for 14 dollars.
When it comes to larger investments in a hospital setting, there's also less room for errors.
"(If) you spend millions of dollars on a medical device, you can't just change that medical device out and put something else in. You want to make sure that when you're buying a medical device, (you're) making sure it has the right operating systems; it has a secure method -- all of those things," Polley explained. "You can't just rip out a million-dollar medical device, so we're not as agile as some of the other industries, which makes us more vulnerable."
Polley advocates for layered approaches to security.
"You can think of it as having your most critical information sitting in the basement of a castle, let's say," Polley compared. "In order to get that information, you have to go through guards to get on the access road, and then you have to go through a moat, and then you have to go through a drawbridge, and then you have to go through concrete walls and locked doors and all of that."
NEWS CENTER Maine reached out to Maine Medical Center for comment and received a statement in response, saying, "We take our patients’ privacy and the security of our systems seriously and employ the best available security protocols. The threat of ransomware within healthcare environments is very real, and we continue to take all available measures to protect our organization."
Polley says it's important for hospitals to educate their workforce since users are often unintentionally the "weakest link" to security. She says it's essential for employees at any health care facility to understand that hackers can get personal information from everywhere, including social media. If a ransomware attack happens and the IT system shuts down, patients' health can be put at risk.