Editor’s Note: Dean Wiech is the Managing Director of Tools4ever, a global provider of access management and governance solutions.
Healthcare is simply in the crosshairs of some really nefarious people. You’d have to be living under a rock to have missed the comments on everything that has been happening in the sector. The daily headlines include such news as “Hospital declares State of Emergency after ransomware infection”; “Hospital pays ransom to get data back”; “Dangerous escalation in ransomware attacks”; and even more salacious titles that mean healthcare IT systems are under attack.
Specifically, healthcare is seeing more than its share of ransomware issues. These issues affect networks, data, files and applications that an organization uses to function. The attacks are designed to block internal and external access to systems and even encrypt data so that it is unusable. Healthcare ransomware attacks are up dramatically even from last year (some say 1,000 percent or more) across the last five years and the ransom amounts range from a couple of hundred dollars to tens of thousands and these amounts are on the rise.
With ransomware, money is not always the endgame; we have to take into account patient safety and potential fines that require health systems to examine security and access protocols, and, likewise, make the required investments to prevent ransomware attacks. Is this an overblown issue? Of course not. “One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware,” said Jocelyn Samuels, the Department of Health and Human Services director of the Office of Civil Rights.
When the ransom is paid, the information thieves “promise” to provide digital keys that is supposed to release the captured information (usually through the decrypting of the data) so the business can resume operations. The latest threats even go so far as to utilize 2048-bit encryption. But, just because a ransom is paid, there’s no guarantee that you’ll get your files or data back. According to a recent report from security publication Dark Reading, a new “ranscam” malware has been discovered by Cisco. The malware is a low-tech, but highly destructive attack that demands ransom from its victims but never returns the files because instead the ransomware actually just deleted them.
One of the primary reasons for the rise in ransomware and the move away from thieves trying to monetize stolen medical records that contain rich personal health information is that the information can be sold for high value, of course. But thieves have discovered that the bulk of the money comes attacking the data of health systems that tend to pay much quicker than individuals might. To keep their businesses operating, health systems have shown that they are willing to pay the “fees” required. However, the more hospitals that pay these ransoms, the more attacks there will continue to be. At this point, there have been several hospitals that have decided to pay the ransoms, fueling much vitriol among those in the sector who essentially begged these systems to reconsider doing so.
Separately, a recent KPMG report shows that the biggest cyber security concerns for healthcare providers and payers are from external sources, naming external attackers and third-parties as the top vulnerabilities. Finally, according to a recent report released by the Health Information Trust Alliance, of more than 30 mid-sized U.S. hospitals in 2015, more than 50 percent of them were infected with malicious software, which can lead to absconded data.
With the increasing threat to organizations each passing day, IT leaders must ask what their organization can do to protect against these kind of breaches. There’s little more that needs to be said about having protocols for backing up everything in an organization’s network. Doing so means that data can be easily backed up and re-instated should an attack ever occur. This, specifically, means that organization systems can be wiped and restored at the point before the infection occurred. While you may lose a day or so of data, it is much easier to replicate that than if you lost days or weeks of data. It is also important to note, some ransomware tries to encrypt everything, including local backups, so offline backups are key to recovery.
Another obvious piece to increasing the stability of an organization is end user education. Employees should be guided to never ever click on emails – seriously never — from unknown senders; from people you know who might seem suspicious; emails featuring messages asking the receiver to complete surveys from companies they don’t know; or open shipping documents from delivery companies if they have not ordered anything. Additionally, and quite importantly, employees should be required to change their passwords regularly, especially true for users with network administrative privileges because the attacks often use the same rights as the user.
Much has been said about two-factor authentication (2FA) to assist in prevention of ransomware attacks. While assisting with some of the newer variants of ransomware that are designed to gain access through remote desktop sessions; two-factor authorization is effective for this strategy because password breaches are no longer sufficient to gain access. Here’s why it’s effective: a one-time use PIN code as a second factor needs to be entered concurrent with the password. While hackers may, in some cases, be able to intercept these PIN codes delivered via SMS, adding a physical employee access badge or token maybe warranted for those with administrative privileges.
Finally, additional layers of security is key to minimizing ransomware infections. A thorough, up-to-date antivirus and malware solution with firewall security are all good practice to minimizing risk.
Inevitably and foreseeably, hackers will continue to exploit any and all means at their disposal to try and wreak havoc on companies, users and networks. Health systems must prepare for the threats in as many ways as possible before an attack or make sure they’ve got a little extra coin laying around to pay the ransom.
