For the second straight year, ransomware attacks accounted for over 70 percent of all malware incidents in the healthcare sector, according to the recently issued 2019 Verizon Breach Investigations Report. Beazley reported that almost half of the ransomware incidents reported in 2018 involved healthcare companies, while CSO Online estimates that healthcare-related malware attacks will likely quadruple by 2020.
Adding salt to the wounds, a private practice in Battle Creek, Michigan, was forced to close its doors in the aftermath of a devastating healthcare ransomware attack in 2019—the first public report of a ransomware-related business failure. Every day we read about another headline breach in healthcare.
Being in the ransomware hot seat is a lot to swallow for an industry responsible for the security of our most sensitive data. And therein lies part of the problem. Cybercriminals are always after the most lucrative targets and they have learned that healthcare providers are more likely to pay the ransom to get their patients’ data back.
CEO of A1care, Percy Syddall, a 25-year healthcare veteran who helps grow and manage businesses in the Home Care field is sharing his story to help others avoid the business disruption and financial woes caused by cybercriminals. Syddall said, “I always strive to do what is best for my clients, which includes leveraging innovative technologies and maintaining the privacy of their personal data. Still, our company was attacked by ransomware, which almost forced us out of business. The cybercriminals threatened to expose private client data if we did not pay the ransom.”
“The hardest thing I’ve ever had to do was call each client and explain that the personal information they trusted my business to protect, may have been compromised. At that time, very little was known about ransomware and I ended up paying the ransom to get my client data back,” continued Syddall.
Even though medical records contain rich personal health information (PHI) that can be sold for high value, cybercriminals are discovering they can get faster payment through ransomware. Unlike stolen medical records that take time to acquire and commoditize, ransomware locks healthcare professionals out of critical systems and demands payment or immediate action.
The threat of ransomware being used as a highly effective form of cyber terrorism has been receiving a lot of media attention lately. The story line stems from a recent Lloyds of London report that boldly states a large-scale ransomware attack could cost the global economy $193 billion and impact more than 600,000 businesses worldwide.
The report further speculates that if coordinated and executed properly, a global attack like WannaCry could cause even more severe damage and cost companies significantly more when you factor in all the business disruption and recovery related costs that would follow in the wake of a wide-scale attack.
With doomsday projections like these, it’s easy for people to become numb to the associated cyber security risks. Yet security professionals must always remain objective when assessing the scope of a threat versus the cost of implementing security measures to arrive at a risk-based recommendation.
What is ransomware terrorism?
Terrorism is broadly defined as the use or threat of violence that aims to spread fear in a population, and to advance a political, ideological or religious cause. Ransomware can be used in this context to disrupt the life of individuals and organizations, which depend on the smooth functioning of information technology to maintain operations.
While historically, the main goal of ransomware has been to extract, or extort, money or other valuable consideration from the affected party. NotPetya made us aware that there is a lot more damage an attacker could do with access to an army of computers spread across the globe than just turning them into bricks.
To prevent or avoid the consequences of an attack of terrorism, the defenders must effectively repel every single attempt to perpetrate the crime. Ultimately, the attackers only need to overcome the defenses once in any given situation to prevail.
Exploring the potential impacts of ransomware terrorism
In the proposed scenarios created by the Cyber Risk Management (CyRiM) project and Cambridge Centre for Risk Studies (CCRS), put forth in the report called, “Bashe Attack: Global infection by contagious malware,” a ransomware terrorist attack could be launched through an infected email, which once opened would be forwarded to all stored contacts.
Then within 24 hours, the malware could encrypt all data on 30 million devices worldwide. In the worst case scenario of the event, even the backups would be erased—meaning companies of all sizes would be forced to pay a ransom to decrypt their data or replace their infected devices.
It is easy to conceive that a ransomware attack on this scale would cause substantial economic damage to a wide range of business sectors through reduced productivity and consumption, inaccessible data files, IT clean-up costs, ransom payments and supply chain disruption.
The moral of the story according to Lloyds is that all businesses should pay close attention to systemic risk across all lines of business, not just within the silo of cyber and businesses should buy insurance to help protect against such catastrophic scenarios.
Every person, from the newest employee to the CEO, can either strengthen or weaken an organization’s security posture. For this reason, healthcare companies need to help their employees take precautions against the latest ransomware scams, otherwise their organization may be the next ransomware victim.
One of the main reasons healthcare has become such fertile ground for ransomware hacks is the shift to digitalized personal healthcare records in a rapid time frame. Less than ten years ago, most physicians updated patient records manually and stored them in color coded file systems. By the end of 2017 industry data suggests that approximately 90 percent of office-based physicians have moved to electronic systems (electronic health records/electronic medical records) for the storage, retrieval and management of electronic health data. Virtually all of these systems are online and internet accessible. Electronic healthcare medical records really made the healthcare industry a perfect target for ransomware attempts.
But, the cost of a ransomware attack goes far beyond any extortion payment. When considering the associated costs including downtime, lost revenue, angry patients or customers, attack mitigation and recovery expenses, brand reputation damage, and non-compliance fines, in retrospect the cost of the ransom itself may seem trivial.
When United Kingdom’s National Health Service (NHS) was impacted by the global WannaCry outbreak of 2017, it brought hundreds of NHS facilities to a standstill for several days, resulting in the cancellation of thousands of appointments and operations, as well as the urgent relocation of patients from impacted emergency centers. In April 2017, Erie County Medical Center lost access to 6,000 computers due to a ransomware attack, which resulted in six weeks of manual operations and a recovery process that ultimately cost the medical center $10 million.
Unfortunately, security technologies can only do so much to protect your organization against an attack. Ransomware typically spreads through phishing emails or by visiting an infected website. Even the most advanced antivirus and anti-ransomware solutions can’t stop Fully UnDetectable (FUD) threats that were conceived by cybercriminals to directly evade existing security layers and harm data. In fact, the majority of ransomware victims have some traditional Anti-Virus and Anti-Malware protection in place and yet still fall prey to attacks.
Even if your organizations has backups, you may be surprised to find that you are still vulnerable. Today, many criminals do reconnaissance on their victim’s network and compromise backups before deploying the encrypting malware to increase the odds that the organization will pay the ransom.
But paying the ransom doesn’t always work out either. A study by the CyberEdge Group shows that of the 39 percent of ransomware victims who have paid, less than half recover their data. It also leaves the victimized organization vulnerable to another attack. If the root cause of the breach is not corrected, another day can bring another ransom request.
Ultimately, it is up to your organizational leaders to decide whether or not to pay. Healthcare organizations are a favorite target of cybercriminals because they are more likely to pay up when computer downtime can introduce life or death consequences. Regardless of your position on paying cybercriminals a ransom, the best strategy is to avoid being placed in a compromised position in the first place. But how?
Obviously, all healthcare organizations want to avoid being a ransomware victim, but cybersecurity is a complex problem that requires multiple layers of defenses. Small to medium size healthcare organizations are particularly vulnerable since many believe they don’t have adequate financial or technical resources to defend themselves against the onslaught attacks.
Industry experts estimate that a company with 50 employees may have to spend upward of $50,000 to deploy sophisticated endpoint technologies such as antivirus, anti-malware protection software and firewalls to keep intruders out and then thousands of dollars each year to keep everything up to date. Even when making this investment in security, it doesn’t guarantee a breach won’t happen. Just one wrong click by an employee is all it takes.
5 Ransomware Prevention Tips to Help Employees
In the face of this rapidly-growing threat, healthcare organizations should take concrete steps to deploy the technologies needed to protect systems from ransomware attacks. But employees need to educated on how ransomware is distributed and taught how to be cautious when clicking on online advertisements or email links, visiting a new website, and opening attachments from unfamiliar or suspicious senders.
When it comes to cybercrime, online attacks often follow seasonal trends. So as the kids head back to school, it’s safe to assume that cybercriminals have learned and developed some new ransomware tricks that will be coming to a computer near you this fall.
If you are like most healthcare organizations, you’re probably not prepared to deal with this new wave of attacks. Amongst the endless flow of sensationalistic cyberattack headlines, including NotPetya and the Erie County Medical Center, it’s easy to become numb to the threat of ransomware—choosing to believe that your organization is either too small to be a likely target or that your existing cybersecurity measures provide adequate protection. Unfortunately, this optimism has led to the peril of many healthcare providers and in turn the patients they serve.
When a ransomware disaster struck A1Care 12 years ago, CEO Percy Syddall wasn’t sure how hackers evaded his company’s defenses. All he knew was that A1Care’s computers were locked down and the perpetrators who promised to restore the system upon payment kept changing their demands. Each day the problem went unsolved further disrupted the in-home elderly care, facility placements and case management services that A1Care’s clients depended upon and threatened to destroy the business Syddall had worked so hard to build.
The Rise of Ransomware
The biggest cybersecurity concern used to be hackers invading healthcare systems to steal sensitive patient data and then selling it to the highest bidder. But today, one of the easiest assaults on a computer system is ransomware—a debilitating attack through which an anonymous criminal encrypts your files and then forces you to pay them whatever amount they request in order to regain access to your system—and all the important files it may contain.
SonicWall recently reported there have been 181.5 million ransomware attacks during the first six months of 2018, which marks a 229 percent increase over this same time frame in 2017. Encrypted threats are up 275 percent over last year.
Why has ransomware become the primary cyber threat out there? Most experts point to four primary factors:
Finding a buyer: The key to any successful transaction is finding a buyer that is willing to pay to acquire whatever it is that you are selling. When it comes to selling data on the dark web, searching for a buyer is tricky and comes with many risks. Selling something directly to the person you stole it from improves the odds of getting paid quickly and quietly.
The US government: In 2017, Shadow Brokers compromised government security defenses and delivered to the world the tools the NSA had been using to break into computers of its adversaries. Created at a huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and are being used against businesses and civilians. The WannaCry attack was born from these tools, as was the Petya attack which shut down millions of computers across the globe with demands for payments in order to restore access.
Cryptocurrency: In the old days, collecting a ransom involved suitcases full of cash (containing bills that could be marked) or wire transfers (which could be tracked). The cash then had to be laundered, which meant only large criminal organizations typically had the necessary resources. Today, anyone can sign up for a cryptocurrency wallet in a matter of minutes—some criminals even provide their victims with simple to follow instructions. With cryptocurrency, neither the wallet nor the resulting transactions can be easily connected to any real-world identities.
Ransomware-as-a-Service: Once upon a time, cybercriminals had to develop their own malware, which required coding skills and at least some knowledge of operating systems, networking and hardware. Now, easy-to-use “ransomware as a service” can be purchased cheaply on the darknet. Some vendors even offer customer support for buyers of their malware. And would-be hackers who want customized ransomware can hire black-hat coders for its development.
Healthcare is a favorite target for hackers
Smaller healthcare organizations are an easy target for hackers because most don’t have adequate financial or technical resources to defend themselves against the onslaught attacks. According to Cryptonite, healthcare organizations have reported an 89 percent year-over-year increase in ransomware attacks.
No healthcare provider wants to be a victim of an ransomware attack, but cybersecurity is a complex problem that requires multiple layers of defenses. Many owners of healthcare organizations feel they can’t afford to keep their practice safe because it typically requires deploying sophisticated endpoint technologies such as antivirus, anti-malware software and firewalls to keep intruders out and then hiring resources to keep up with frequent software, data backups and equipment security updates, as well as providing security training for staff.
Industry experts estimate that an organization with 50 employees may have to spend upward of $50,000 to have the best possible protection against cyberthreats and then thousands of dollars each year to keep everything up to date. But even when organizations make this investment in security, they might still have a breach.
Minding the security gap
Hackers are becoming extremely resourceful and have found ways to circumvent even the most advanced antivirus and anti-ransomware solutions. These solutions cannot protect against Fully UnDetectable (FUD) threats that were conceived by cyber criminals to directly evade existing security layers and harm data.
Recent Tenable research reveals, “cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims.” Ponemon’s 2017 State of Endpoint Security Risk Report suggests that 69 percent of organizations don’t believe their antivirus can stop the threats they’re now seeing. Even FireEye reports “… in 100 percent of the breaches to which [they] responded … firewalls and antivirus protections were up to date.”
Antivirus software monitors for the signatures of known threats, so it can’t deal in real-time with all of the fresh attacks constantly evolving in dark web incubators. Other behavior-based security approaches use machine learning to identify threats. For example, if an email attachment tries to access a large number of files quickly or an unexpected file starts encrypting files, a behavior-based approach tries to shut it down. Today’s attackers simply avoid detection by changing the predictable characteristics of ransomware—slowing down or randomizing encryption or lying dormant for a period of time before executing the attack.