Guest post by Stu Sjouwerman, founder and CEO, KnowBe4.
A story about hospital ransomware or a compromised computer seems to emerge weekly. It is no surprise that healthcare breaches have been on a steady increase for the past five years. Loss of personal health information (PHI) poses a financial risk for health care institutions, expected to cost the industry in the neighborhood of 6.2 billion dollars.
By the numbers
Despite the prevalence of cybersecurity incidents, a study by Ponemon Institute in May 2016 showed that the majority of healthcare organizations and business associates were most concerned with negligent or careless employees causing healthcare data breaches.
Sixty-nine percent of healthcare organizations believe they are more vulnerable to a data breach than other industries.
When asked what the greatest threat was to healthcare data security, the majority of healthcare organizations stated employee inaction or error (69 percent). Rounding out the top three concerns were cybercriminals at 45 percent and the use of insecure mobile devices at 36 percent.
Employee error was also the top concern for business associates (53 percent), followed by use of cloud services (46 percent) and cyberattacks (36 percent).
Ransomware is currently one of the most prevalent threats to healthcare. A June survey done by KnowBe4 of healthcare IT professionals shows 44 percent of healthcare organizations have been hit with ransomware, 6 percent above the national average of 38 percent. Sixty-five percent of these IT professionals know someone personally who has been hit, and another 47 percent would pay the ransom if faced with a scenario of failed backups. With some healthcare ransomware demanding five figures, this can get pretty expensive.
Why hospitals are the perfect targets
I was interviewed by WIRED magazine’s Kim Zetter. She’s written a great article that analyzes why hospitals are perfect targets for ransomware. She started out with: “Ransomware has been an internet scourge for more than a decade, but only recently has it made mainstream media headlines. That’s primarily due to a new trend in ransomware attacks: the targeting of hospitals and other healthcare facilities.”
Now, Who Else Should Be Scared?
Hospitals have shown themselves to be soft targets and are under full attack by several cybercrime gangs using different attack vectors. The SamSam ransom gang attacks server vulnerabilities in JBoss apps using an open source pentesting tool called JexBoss, so these are targeted attacks based on scans the bad guys did. Cisco technical background: http://blog.talosintel.com/2016/03/samsam-ransomware.html
That is an exception though; the vast majority of ransomware infections are caused by phishing emails. Next are malicious links and ads leading to compromised websites with exploit kits causing drive-by infections.
These types of spray-and-pray attacks can hit anyone. When the bad guys are done with hospitals, what industry will be next? It’s a good idea to turn yourself into a “hard target” before the crosshairs get turned on your industry.
Should Ransomware Attacks Be Considered Data Breaches?
Now that hospitals suffer from ransomware attacks, are these incidents data breaches that they must report to the HHS Office for Civil Rights?
This is a question that federal regulators and healthcare industry stakeholders must start answering, says David Holtzman, vice president of compliance strategies at security firm CynergisTek and a former OCR official.
In a typical breach incident, hackers are pursuing patient data to try and monetize, he notes. But ransomware hackers are different. They are not interested in exploiting specific patient data, but electronically lock it to interrupt access and extort payment.
However, recently one strain claimed to have exfiltrated files and threatened to make them public if no ransom was paid. It turned out this was an empty threat, but another, newer ransomware strain called Crysis actually started doing this. More here:
So, technically, has the data been compromised? Well, the lawyers are looking at this, so stay tuned.
Ransomware Infection? Get Ready For a Class-Action Lawsuit
Even though a ransomware attack might not exactly qualify as a HIPAA data breach, you can anticipate class-action lawsuits against a healthcare institution for damages caused by the institution’s negligent security practices which led predictably to a loss of data access and thereby to a bad clinical outcome. This risk may very well expand to any industry that is regulated.
It is clear that a ransomware infection can have several bad consequences:
- Immediate losses due to downtime
- High ransom payment if backup/restore turns out to fail
- Possible data breach liabilities
- Lawsuit exposure
So, it becomes more important than ever to:
- Have weapons-grade backup/restore
- Patch all systems religiously
- Deploy new-school awareness training with simulated phishing tests for all users
Domain spoofing – another tactic
Since practically everyone’s personal, confidential data has been hacked and a large part of your work history is available through LinkedIn, it’s easy to merge-purge databases and send highly targeted spoofed phishing attacks to large groups.
Now, healthcare workers are at an even greater risk with lax security standards that allow anyone to “spoof” emails from some of the most-visited domains, according to new research.
Email spoofing — a common tactic of spammers — basically involves forging the sender’s address. Messages can appear as if they came from Google, a bank, or a best friend, even though the email never came from the actual source. The spammer simply altered the email’s “from” address.
Authentication systems have stepped in to try and solve the problem. But many of the top website domains are failing to properly use them, opening the door for spoofing, according to Sweden-based Detectify, a security firm.
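The authentication systems in question are, by my assumption, the domain's SPF and DMARC TXT records, which is what a spoofing check inspects. The following is an added example (not code from the original post or from Detectify) that audits such records offline; the domains and records are constructed for illustration, and in practice they would come from DNS TXT lookups of the domain and of _dmarc.<domain>.

```python
"""Classify a domain's email-spoofing exposure from its SPF and DMARC records."""
import re

# Constructed sample records for hypothetical domains (not real lookups).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "open.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 +all",   # +all: every sender passes
        "dmarc": None,                            # no DMARC record at all
    },
    "hardened.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    },
}

def spf_all_qualifier(spf):
    """Return the qualifier (+, -, ~, ?) of the terminal 'all' mechanism, or None."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", spf)
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' defaults to the pass qualifier

def dmarc_policy(dmarc):
    """Return the DMARC 'p=' policy tag (none/quarantine/reject), or None."""
    if not dmarc or not dmarc.strip().lower().startswith("v=dmarc1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
    return tags.get("p", "").strip().lower() or None

def assess(spf, dmarc):
    """Return the parsed settings plus a list of findings that make the domain spoofable."""
    q, p, findings = spf_all_qualifier(spf), dmarc_policy(dmarc), []
    if q is None:
        findings.append("no SPF record or no terminal 'all' mechanism")
    elif q in ("+", "?"):
        findings.append(f"SPF '{q}all' lets any sending host pass")
    elif q == "~":
        findings.append("SPF softfail only (~all); many receivers still deliver")
    if p is None:
        findings.append("no DMARC record: receivers get no instruction for forged mail")
    elif p == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    return {"spf_all": q, "dmarc_p": p, "spoofable": bool(findings), "findings": findings}
```

A domain only counts as hardened here when SPF ends in -all and DMARC is at least p=quarantine; anything less leaves the door open that the research above describes.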