Every person, from the newest employee to the CEO, can either strengthen or weaken an organization’s security posture. For this reason, healthcare companies need to help their employees take precautions against the latest ransomware scams, otherwise their organization may be the next ransomware victim.
One of the main reasons healthcare has become such fertile ground for ransomware attacks is the rapid shift to digitized personal health records. Less than ten years ago, most physicians updated patient records manually and stored them in color-coded file systems. By the end of 2017, industry data suggests that approximately 90 percent of office-based physicians had moved to electronic systems (electronic health records/electronic medical records) for the storage, retrieval and management of health data. Virtually all of these systems are online and accessible from the internet, which has made the healthcare industry an ideal target for ransomware attempts.
But, the cost of a ransomware attack goes far beyond any extortion payment. When considering the associated costs including downtime, lost revenue, angry patients or customers, attack mitigation and recovery expenses, brand reputation damage, and non-compliance fines, in retrospect the cost of the ransom itself may seem trivial.
When United Kingdom’s National Health Service (NHS) was impacted by the global WannaCry outbreak of 2017, it brought hundreds of NHS facilities to a standstill for several days, resulting in the cancellation of thousands of appointments and operations, as well as the urgent relocation of patients from impacted emergency centers. In April 2017, Erie County Medical Center lost access to 6,000 computers due to a ransomware attack, which resulted in six weeks of manual operations and a recovery process that ultimately cost the medical center $10 million.
Unfortunately, security technologies can only do so much to protect your organization against an attack. Ransomware typically spreads through phishing emails or by visiting an infected website. Even the most advanced antivirus and anti-ransomware solutions can’t stop Fully UnDetectable (FUD) threats that cybercriminals craft specifically to evade existing security layers and harm data. In fact, the majority of ransomware victims have some traditional antivirus and anti-malware protection in place and still fall prey to attacks.
Even if your organization has backups, you may be surprised to find that you are still vulnerable. Today, many criminals perform reconnaissance on their victim’s network and compromise the backups before deploying the encrypting malware, to increase the odds that the organization will pay the ransom.
But paying the ransom doesn’t always work out either. A study by the CyberEdge Group shows that of the 39 percent of ransomware victims who have paid, less than half recover their data. It also leaves the victimized organization vulnerable to another attack. If the root cause of the breach is not corrected, another day can bring another ransom request.
Ultimately, it is up to your organizational leaders to decide whether or not to pay. Healthcare organizations are a favorite target of cybercriminals because they are more likely to pay up when computer downtime can introduce life or death consequences. Regardless of your position on paying cybercriminals a ransom, the best strategy is to avoid being placed in a compromised position in the first place. But how?
Obviously, all healthcare organizations want to avoid becoming a ransomware victim, but cybersecurity is a complex problem that requires multiple layers of defense. Small to medium-sized healthcare organizations are particularly vulnerable, since many believe they lack the financial or technical resources to defend themselves against the onslaught of attacks.
Industry experts estimate that a company with 50 employees may have to spend upward of $50,000 to deploy sophisticated endpoint technologies such as antivirus, anti-malware software and firewalls to keep intruders out, and then thousands of dollars each year to keep everything up to date. Even this investment in security doesn’t guarantee that a breach won’t happen. Just one wrong click by an employee is all it takes.
5 Ransomware Prevention Tips to Help Employees
In the face of this rapidly growing threat, healthcare organizations should take concrete steps to deploy the technologies needed to protect systems from ransomware attacks. But employees also need to be educated on how ransomware is distributed and taught to be cautious when clicking on online advertisements or email links, visiting a new website, or opening attachments from unfamiliar or suspicious senders.
Guest post by: Jared Rhoads, Senior Research Specialist in CSC Healthcare.
There is no gentle way to put it: cyber criminals from around the world are out to steal your personal health and financial information. And if recent studies are an accurate reflection of the state of security in the healthcare industry, then criminals have ample opportunity to do harm.
The past five years have seen rapid growth in the digitization of healthcare records and in the online sharing and transmission of personal and financial data. Healthcare organizations have taken many of their information capabilities online, and they have embraced new technologies like portable media and mobile computing. However, they have not always been able to keep up with leading-edge security practices.
Experts warn that the healthcare industry lags in addressing known problems and implementing basic remedies. Many hospitals and practices, for example, have been slow to encrypt their data sources properly and to deploy basic network monitoring. An investigative report by The Washington Post found cases of medical staff at hospitals using unsecured computers to connect both to internal networks and the public Internet. A 2012 government review of industry security cautioned that the way in which some organizations offer remote connectivity to physicians could introduce additional security risks.
Inadequate security practices have enabled cyber crime to thrive. According to the federal government, an unprecedented 21 million Americans have had information from their medical records lost or stolen since 2009. Nearly three-quarters of healthcare organizations report having experienced some kind of data breach or security incident in the past 12 months, and 94 percent report at least one data breach in the past two years.
While not every data breach is necessarily a case of cyber crime, the incentives attracting cyber criminals to the scene are high. According to the World Privacy Forum, a stolen medical record now has a street value of roughly $50, compared to $14-18 for a credit card number or $1 for a Social Security number. Thieves use the rich medical and financial information to commit various forms of identity theft, including receiving free care, filing false patient claims to payers, and forging prescriptions.
Fortunately, medical-related cyber crime is receiving increased attention and awareness is on the rise. Healthcare organizations are beginning to move beyond simple risk assessments and venture into implementing more sophisticated anti-cyber crime solutions.
To address vulnerabilities and combat cyber crime, organizations need to take aggressive action and augment their security strategy using a variety of new approaches and technologies. Here are six ideas that all healthcare organizations can consider in 2013:
Implement automated network monitoring tools. Use automated tools to assess network vulnerabilities and monitor for breaches and unauthorized activity. Monitor key egress points to see what is being sent outside the walls of the organization, where and when it is being sent, and to whom it is being sent.
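To make the egress-monitoring idea above concrete, here is an added example (not from the original post or from CSC) that parses a handful of constructed outbound-connection log lines and flags the ones worth an analyst's attention. It assumes a simple whitespace-separated format (timestamp, source host, destination, port, bytes sent), an illustrative allow-list of known destinations, a 50 MiB transfer threshold and 07:00 to 19:59 as business hours; all of these values are assumptions chosen for the example. Each finding carries the reasons it was raised so a reviewer can see why it scored.

```python
"""Egress monitoring over constructed log lines (added example, not the post's own tooling).

Each record holds: timestamp, source host, destination, destination port, bytes sent.
A transfer is flagged when it goes to an unfamiliar destination, is unusually large,
or happens outside business hours. Findings carry the reasons so reviewers can triage.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = """\
2013-03-04T09:12:45 ws-nurse-12 claims.payer-example.net 443 18432
2013-03-04T10:03:10 ws-admin-03 mail.example-hospital.org 443 9210
2013-03-04T02:41:07 ws-radiology-01 203.0.113.77 22 734003200
2013-03-04T14:20:33 ws-billing-07 files.share-example.com 443 52428800
2013-03-04T11:08:59 ws-nurse-12 backup.example-hospital.org 443 104857600
"""

# Destinations the organization expects to see (assumed, illustrative allow-list).
KNOWN_DESTINATIONS = {
    "claims.payer-example.net",
    "mail.example-hospital.org",
    "backup.example-hospital.org",
}
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024   # 50 MiB; assumed threshold
BUSINESS_HOURS = range(7, 20)             # 07:00-19:59 local; assumed


@dataclass
class EgressEvent:
    ts: datetime
    src: str
    dst: str
    port: int
    bytes_out: int


def parse_log(text):
    """Parse whitespace-separated log lines into EgressEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        events.append(EgressEvent(datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return events


def evaluate(event):
    """Return the list of reasons an event is suspicious (empty when it is not)."""
    reasons = []
    if event.dst not in KNOWN_DESTINATIONS:
        reasons.append("unfamiliar destination")
    if event.bytes_out >= LARGE_TRANSFER_BYTES:
        reasons.append("large outbound transfer")
    if event.ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def find_suspicious(text):
    """Parse the log and return findings, most reasons first (stable order otherwise)."""
    findings = []
    for ev in parse_log(text):
        reasons = evaluate(ev)
        if reasons:
            findings.append({
                "when": ev.ts.isoformat(),
                "src": ev.src,
                "dst": ev.dst,
                "bytes": ev.bytes_out,
                "reasons": reasons,
            })
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['when']} {f['src']} -> {f['dst']} ({f['bytes']} bytes): {', '.join(f['reasons'])}")
```

On the constructed sample, the off-hours transfer to an unknown address scores on all three rules, the business-hours upload to an unknown file-sharing host scores on two, and the large transfer to the known backup server scores on one; the two small transfers to known destinations are not reported. In practice the allow-list would be built from a baseline of normal traffic and the thresholds tuned per host class, but the structure (parse, apply independent rules, attach reasons, rank) stays the same.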
Deploy adaptive multi-factor authentication. Biometric patient identification systems based on fingerprints, palm vein patterns and other physical attributes can help guard against certain types of medical identity theft and insurance card fraud. User authentication requirements should also change dynamically based on where users are logging in from and what they are trying to access.
Consider outsourcing some or part of your security needs. Researchers at the Ponemon Institute have found that roughly a third of health organizations admit that they do not have the technology, budget or trained personnel necessary to handle today’s security challenges. Managed security service providers (MSSPs) offer a cost-effective way to have 24-hour network monitoring, incident tracking and immediate incident response.
Offer training, guidance, and approved versions of mobile apps for employees. Role-based employee training and guidance on mobile device security is critical to maintaining good security practices. Additionally, hospitals can offer enterprise versions of mobile apps and provide safely partitioned areas of the network for those apps to run on.
Patch, secure, and monitor medical devices. Medical devices such as IV pumps, pacemakers, and bedside equipment are a new target of choice for cybercriminals seeking to wreak non-financial havoc. To combat this threat, ensure that devices are virus-free prior to installation, and encourage biomedical engineering teams to communicate freely with IT support teams.
Consider cyber insurance. New insurance products are coming to market that are designed specifically with healthcare organizations and HIPAA-covered entities in mind. Policies can defray breach-related costs, such as legal defense, privacy notification and even federal fines and penalties.
Cyber crime is a serious threat to health IT security, and it is unfortunately not going away anytime soon. However, by moving beyond the simple risk assessment and adopting a multi-faceted security strategy, prudent healthcare organizations can take significant steps toward protecting their patients’ information and mitigating risk.
Jared Rhoads is a Senior Research Specialist in CSC’s Healthcare group. He consults, researches, and writes on a broad array of topics relating to healthcare technology, trends, and legislation.