Guest post by Stu Sjouwerman, founder and CEO, KnowBe4.
A story about hospital ransomware or a compromised computer seems to emerge weekly. It is no surprise that healthcare breaches have been on a steady increase for the past five years. Loss of personal health information (PHI) poses a financial risk for healthcare institutions, expected to cost the industry in the neighborhood of 6.2 billion dollars.
By the numbers
Despite the prevalence of cybersecurity incidents, a study by Ponemon Institute in May 2016 showed that the majority of healthcare organizations and business associates were most concerned with negligent or careless employees causing healthcare data breaches.
Sixty-nine percent of healthcare organizations believe they are more vulnerable to a data breach than other industries.
When asked what the greatest threat was to healthcare data security, the majority of healthcare organizations stated employee inaction or error (69 percent). Rounding out the top three concerns were cybercriminals at 45 percent and the use of insecure mobile devices at 36 percent.
Employee error was also the top concern for business associates (53 percent), followed by use of cloud services (46 percent) and cyberattacks (36 percent).
Ransomware is currently one of the most prevalent threats to healthcare. A June survey done by KnowBe4 of healthcare IT professionals shows 44 percent of healthcare organizations have been hit with ransomware, 6 percent above the national average of 38 percent. Of these IT professionals, 65 percent know someone personally who has been hit, and another 47 percent would pay the ransom if faced with a scenario of failed backups. With some healthcare ransomware demanding five figures, this can get pretty expensive.
Why hospitals are the perfect targets
I was interviewed by WIRED magazine’s Kim Zetter. She’s written a great article that analyzes why hospitals are perfect targets for ransomware. She started out with: “Ransomware has been an internet scourge for more than a decade, but only recently has it made mainstream media headlines. That’s primarily due to a new trend in ransomware attacks: the targeting of hospitals and other healthcare facilities.”
Now, Who Else Should Be Scared?
Hospitals have shown themselves to be soft targets and are under full attack by several cybercrime gangs using different attack vectors. The SamSam ransom gang attacks server vulnerabilities in JBoss apps using an open source pentesting tool called JexBoss, so these are targeted attacks based on scans the bad guys did. Cisco technical background: http://blog.talosintel.com/2016/03/samsam-ransomware.html
That is an exception, though; the vast majority of ransomware infections are caused by phishing emails. Next are malicious links and ads leading to compromised websites hosting exploit kits that cause drive-by infections.
Guest post by Justin Sotomayor, pharmacy informatics director, CompleteRx.
The field of health informatics has grown exponentially over the past 50 years. From Robert Ledley’s work paving the way for the use of electronic digital computers in biology and medicine in the 1950s, to the founding of the American Medical Informatics Association in the 1990s, to the launch of the Medicare/Medicaid Electronic Health Record Incentive Program in the 2000s, it continues to mark new milestones at an astounding pace, presenting both challenges and opportunities for the healthcare industry.
Three trends – in particular – will have a marked impact on patients and practitioners, and are certain to define health informatics in the near future, if not for years to come.
The end of Meaningful Use
In 2009, with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act, came the launch of the Meaningful Use program – and the related requirement that healthcare providers show “meaningful use” of a certified EHR to qualify for incentive payments. With both Stage 1 (adoption) and Stage 2 (coordination of care and exchange of information) behind them, hospitals are fully responsible for Stage 3 (improved outcomes) by 2018. While, undoubtedly, the program has improved EHR adoption – in many cases, streamlining and enhancing patient care – it has been widely criticized. In a 2015 news release, the American Medical Association regarded Stage 2 as a “widespread failure,” suggesting it monopolized staff attention without commensurate benefit to patients, and hampered innovation.
Most recently, following highly-publicized remarks in January by CMS Acting Administrator Andy Slavitt that Meaningful Use would be replaced, the U.S. Department of Health and Human Services has proposed transitioning Meaningful Use for Medicare physicians to the “Advancing Care Information (ACI)” program under the Medicare Access and CHIP Reauthorization Act (MACRA). According to Mr. Slavitt, this program is designed to be “far simpler, less burdensome, and more flexible,” primarily by loosening the requirements to qualify for extra payments, and incentivizing providers based on treatment merit, known as Merit-based Incentive Payment System (MIPS). While this update doesn’t yet affect hospitals or Medicaid providers, and these groups should continue to prepare for full Meaningful Use implementation, it’s an indication that industry concerns over meaningful use are being heard and responded to, and that additional changes may be forthcoming.
Guest post by Mike Baker, founder and principal, Mosaic451.
Over the past couple of months, hospitals and other healthcare facilities have come under siege by cyber-criminals. However, the hackers aren’t after patient data; they never even access it. Instead, they are infecting computers with ransomware, a type of malware that locks down a system and prevents the owner from accessing their data until they pay a ransom, usually in Bitcoin. Among the high-profile attacks that have made headlines:
In February, Hollywood Presbyterian Medical Center in Los Angeles fell victim to the Locky virus, which disabled the organization’s computers and kept employees from accessing patients’ electronic health records (EHRs). Access was restored a week later, after the hospital paid a $17,000.00 Bitcoin ransom to the hackers.
Shortly afterward, Methodist Hospital in Henderson, Kentucky, also fell victim to Locky and was forced to declare an internal “state of emergency.” However, instead of paying the ransom, the hospital reported that it was able to restore its data from backups.
In late March, Maryland/DC-based MedStar Health, which operates 10 hospitals and more than 250 outpatient clinics, was hit by an undisclosed ransomware virus that forced the organization to revert to paper records. Like Methodist Hospital, MedStar did not pay the ransom and restored its system using backups.
Although any organization can fall prey to ransomware, lately healthcare facilities have been the primary targets. Some experts feel the problem has reached crisis levels – and hackers are only getting started.
Why Ransomware Attacks are on the Rise
Ransomware is growing in popularity because it is far more lucrative than more traditional cyberattacks where hackers access and steal data. Once the data is stolen, the hacker must find a buyer. Then, the hacker has to negotiate a price. Conversely, in a ransomware attack, the hacker has a built-in “buyer” — the owner of the data, who is not in a position to negotiate on price.
Ransomware is also a simpler and quicker mode of attack than a data breach. Once a hacker has breached a system, downloading a large data set can take some time, during which the attack could be identified and halted. Because ransomware never actually accesses a system’s data – it just locks it down – it works far more quickly and covertly. Victims have no idea they have been compromised until they find they cannot access their system.
Guest post by Cody Jaster, digital marketing manager, Netsurion.
The word “ransomware” has been in the headlines quite a bit this year. The Institute for Critical Infrastructure Technology (ICIT) has even called 2016 the year of ransomware.
Ransomware is a company’s worst nightmare. This malware infects computers and restricts users from accessing any of their data until the ransom is paid. Imagine a hospital unable to access patients’ data, or a financial institution unable to manage its customers’ accounts. What would you do to get that data back? Victims of ransomware have been presented with the following choices: restore from backups (if they have any, and even then it can take quite a few days to retrieve everything) or pay the ransom to get the data back. Assuming they get the data back, at that point these businesses have had operations grind to a halt for days, spent money retrieving the data and, most of all, taken a hit to their reputations.
Take action before being the next victim. In addition to having remote-managed network security as your first line of defense against ransomware, here are a few things you can do yourself to protect your business.
Preventative and Proactive
The number one preventative measure calls for regularly updated system backups (stored off-site or cloud-based).
Keep software updated, including patches, antivirus, firmware, Flash, etc. A large number of malware or ransomware infections reach systems via security gaps posed by out-of-date software.
If possible, filter incoming mail with .exe, .vbs, or .scr attachments. If these types of files are normally part of everyday business communications, route them to a quarantine folder; otherwise, mark them as spam or auto-delete them.
Ensure your business locations have a properly configured and actively managed/monitored firewall.
Staff Training and Education
Build a culture of security by educating employees and staff to identify suspicious email attachments and refrain from opening them.
Update computer system settings to show file extensions and train staff to recognize suspect files. This exposes many executable files disguised with double extensions such as .doc.exe or .pdf.exe, which appear to be legitimate and safe documents when settings hide the final extension.
Provide individual accounts for each user, with minimal privileges for only necessary system access. Educate staff not to share user accounts and passwords.
Disable public-facing remote access for all critical systems.
For systems that require remote access, enable two-factor authentication to prevent attacks based on stolen or guessed passwords.
Properly configured network segmentation prevents the spread of ransomware from compromised machines to other critical systems and devices on the network.
Quite a few ransomware programs need to retrieve an encryption key from external Internet sites before they can encrypt your files. Enact strict firewall rules with web filtering to limit access to these sites.
Ensure your managed firewall is actively managing and monitoring all inbound and outbound traffic.
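The mail-filtering item (quarantine or drop .exe, .vbs and .scr attachments) and the hidden-extension item (invoice.pdf.exe showing as invoice.pdf) describe one decision that a mail gateway or mail-flow rule can make automatically from the attachment name alone. The following Python is an added example, not code from Netsurion or any product named in the post. The extension lists, the `executables_expected` switch and the three verdict labels are assumptions for illustration; the sample filenames at the bottom are constructed.

```python
"""Triage e-mail attachment names the way the checklist above describes.

Verdicts (assumed labels):
  allow      - ordinary document, deliver as usual
  quarantine - executable, but this business does exchange executables
  reject     - executable the business never expects, or an executable
               disguised with a document extension (always rejected)
"""
from dataclasses import dataclass
import os

# .exe, .vbs and .scr come from the checklist; the rest are assumed extras
# that Windows will also run directly from an e-mail attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".vbs", ".scr", ".bat", ".cmd", ".js", ".ps1"}

# Document types whose name a disguised executable typically borrows (assumed).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"}


@dataclass
class Verdict:
    action: str          # "allow", "quarantine" or "reject"
    reason: str          # human-readable justification for the log
    displayed_name: str  # what a user sees when Windows hides known extensions


def split_extensions(filename: str) -> tuple[str, list[str]]:
    """Return (stem, [ext1, ext2, ...]) for a bare filename.

    Handles paths written with either separator and tolerates stray
    whitespace around each extension part; everything is lower-cased so
    FILE.SCR and file.scr are treated alike.
    """
    bare = os.path.basename(filename.replace("\\", "/")).strip().lower()
    parts = bare.split(".")
    if len(parts) < 2:
        return bare, []
    return parts[0], ["." + p.strip() for p in parts[1:]]


def triage_attachment(filename: str, executables_expected: bool = False) -> Verdict:
    """Decide what to do with one attachment based only on its name."""
    stem, exts = split_extensions(filename)
    if not exts:
        return Verdict("allow", "no extension", stem)

    final = exts[-1]
    # With "hide extensions for known file types" on, the OS drops only the
    # final extension, so invoice.pdf.exe is shown to the user as invoice.pdf.
    shown = stem + "".join(exts[:-1])

    if final in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            # Disguised executable: never legitimate, regardless of policy.
            return Verdict(
                "reject",
                f"executable {final} disguised as {exts[-2]} (user would see '{shown}')",
                shown,
            )
        action = "quarantine" if executables_expected else "reject"
        return Verdict(action, f"executable attachment {final}", shown)

    return Verdict("allow", f"{final} attachment", shown)


def triage_batch(filenames: list[str], executables_expected: bool = False) -> dict[str, str]:
    """Map each attachment name to its action; useful for a whole message."""
    return {name: triage_attachment(name, executables_expected).action for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    samples = [
        "Q2 report.pdf",
        "Invoice_20160614.pdf.exe",
        "setup.exe",
        "C:\\Users\\me\\notes.txt",
        "screensaver.SCR",
        "README",
    ]
    for name in samples:
        verdict = triage_attachment(name, executables_expected=False)
        print(f"{name!r:32} -> {verdict.action:10} ({verdict.reason})")
```

Running the block rejects the disguised PDF and the two bare executables, and delivers the three documents; flipping `executables_expected` to `True` changes only the bare executables to `quarantine`, while the double-extension case stays rejected because no business practice makes a .pdf.exe legitimate.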