High-profile ransomware attacks have plagued hospitals during the first half of 2016, forcing operators into damage control mode as IT teams scramble to beef up their security strategies. According to the FBI’s Internet Crime Complaint Center (IC3), the number of ransomware complaints across all industries increased from 1,402 in 2014 to 2,453 in 2015 and resulted in $1.6 million in losses. Those numbers don’t include unreported incidents, which push the total cost in 2015 to $24 million, according to estimates from Kaspersky Lab, a prominent cybersecurity firm. In fact, Kaspersky Lab has referred to the current state of ransomware as an epidemic.
Ransomware is a form of malware that blocks access to data and applications, locks down devices, or encrypts data in a way that renders it useless. Cybercriminals then demand a ransom to restore, unlock or decrypt the data. Ransomware is typically distributed through various types of email phishing scams, which can target thousands of users (blanket attacks), focus on specific groups such as cardiologists or radiologists (spear phishing), or zero in on the big fish – senior executives (whaling). When users click links or open attachments, the device becomes infected and the malware quickly spreads. Ransomware can also be automatically downloaded when users visit compromised or malicious websites.
Cybercriminals are targeting hospitals not only because of the high value of private patient data, but because ransomware can disrupt hospital operations and affect patient safety. Under pressure to restore data and avoid compliance violations, several hospitals victimized this year have paid the ransom. In some cases, however, the payoff only emboldened the attackers, who refused to restore or unlock data and instead demanded additional payments.
There are a number of steps that hospitals can take in terms of people, processes and technology to reduce the risk of ransomware attacks. First, all employees must be educated about the detection of potential threats, best practices for downloading software and sharing data, and responsible use of email and social media. This requires a formal, written policy, ongoing training, and simulated attacks that assess user preparedness. Hospitals also need a documented procedure for reporting suspicious activity and an incident response plan that details how the organization will respond to an attack. Together, these efforts create a culture in which cybersecurity is a shared responsibility from top to bottom.
From a technology standpoint, all data should be continuously backed up to an offline site or system that cannot be reached by ransomware. This won’t prevent an attack, but it can help minimize data loss. Strict access controls must be implemented to limit network access to authorized users. Application security, which involves the coordinated use of hardware, software and processes to protect critical applications, should be emphasized to prevent exposure of data within those applications. Network-connected medical devices, sensors and other equipment must be secured and monitored, and any infected systems quarantined. All of these tactics must be woven into HIPAA compliance strategies to protect personal health information while guarding against cyberattacks.
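The monitoring-and-quarantine step above is easier to picture with a concrete heuristic. The following is an added example, not code from the article or from any product it mentions: it scans file-share audit events for the burst of renames to a single new extension that encrypting ransomware typically produces, and returns the hosts that should be pulled from the network. The log format, hostnames, threshold and allow-list of extensions are all constructed assumptions for illustration.

```python
"""Flag hosts whose file-share activity looks like an encryption burst.

Added example (not from the article). The audit-log format below is an
assumption: one event per line, "timestamp host user ACTION src [dst]".
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical hosts and paths).
# ws-radiology-07 renames six files to ".locked" within seconds; the other
# hosts perform ordinary, isolated renames.
SAMPLE_EVENTS = """\
2016-05-02T09:00:01 ws-radiology-07 jdoe RENAME /share/imaging/a.dcm /share/imaging/a.dcm.locked
2016-05-02T09:00:03 ws-radiology-07 jdoe RENAME /share/imaging/b.dcm /share/imaging/b.dcm.locked
2016-05-02T09:00:04 ws-admin-02 msmith RENAME /share/admin/draft.docx /share/admin/final.docx
2016-05-02T09:00:05 ws-radiology-07 jdoe RENAME /share/imaging/c.dcm /share/imaging/c.dcm.locked
2016-05-02T09:00:07 ws-radiology-07 jdoe RENAME /share/imaging/d.dcm /share/imaging/d.dcm.locked
2016-05-02T09:00:09 ws-radiology-07 jdoe RENAME /share/imaging/e.dcm /share/imaging/e.dcm.locked
2016-05-02T09:00:12 ws-radiology-07 jdoe RENAME /share/imaging/f.dcm /share/imaging/f.dcm.locked
2016-05-02T09:20:00 ws-admin-02 msmith RENAME /share/admin/notes.txt /share/admin/notes.bak
2016-05-02T10:00:00 ws-lab-03 rlee RENAME /share/lab/run1.csv /share/lab/run1.csv.locked
"""

# Extensions that legitimately appear in bulk renames (assumed allow-list).
KNOWN_GOOD_EXTENSIONS = {".bak", ".tmp", ".docx", ".dcm", ".csv", ".pdf"}


def parse_events(text):
    """Parse the assumed audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or truncated lines
        ts, host, user, action = parts[:4]
        ev = {"ts": datetime.fromisoformat(ts), "host": host,
              "user": user, "action": action, "src": parts[4]}
        if len(parts) > 5:
            ev["dst"] = parts[5]
        events.append(ev)
    return events


def find_hosts_to_quarantine(events, window=timedelta(seconds=60), threshold=5):
    """Return {host: {"extension", "count"}} for hosts that renamed at least
    `threshold` files to one non-allow-listed extension within `window`."""
    renames = defaultdict(list)
    for ev in events:
        if ev["action"] != "RENAME" or "dst" not in ev:
            continue
        ext = os.path.splitext(ev["dst"])[1].lower()
        renames[ev["host"]].append((ev["ts"], ext))

    flagged = {}
    for host, items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = items[start:end + 1]
            if len(in_window) < threshold:
                continue
            exts = {e for _, e in in_window}
            if len(exts) != 1:
                continue  # mixed extensions look like normal user activity
            ext = exts.pop()
            if ext in KNOWN_GOOD_EXTENSIONS:
                continue
            prev = flagged.get(host, {"count": 0})
            if len(in_window) > prev["count"]:
                flagged[host] = {"extension": ext, "count": len(in_window)}
    return flagged


if __name__ == "__main__":
    for host, info in find_hosts_to_quarantine(parse_events(SAMPLE_EVENTS)).items():
        print(f"QUARANTINE {host}: {info['count']} renames to {info['extension']}")
```

In production the flagged host list would feed the incident response procedure the article calls for, for example an alert to the security team plus an automated network-isolation action, and the threshold and allow-list would be tuned against the hospital's own baseline of legitimate bulk file operations.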
Ransomware is a growing threat to hospitals that is likely to get worse before it gets better. Healthcare organizations need to understand these threats and invest in comprehensive security strategies, systems and training to both prevent attacks and manage the inevitable breach. The healthcare industry, by and large, is behind the government and financial sectors in terms of cybersecurity. It’s time to strengthen your defenses.
by John Flores