Editor’s Note: This a partnered sponsored guest blog written by Avertium.
How much are you willing to pay to get your personal data back? How about hundreds and thousands of personal data records stored in your company? The impacts of the global pandemic have put the healthcare industry at the top of the list for ransomware threats. In fact, healthcare cyberattacks doubled in 2020, with twenty-eight percent tied to ransomware.
And the truth is, ransomware is one of the most aggressive and damaging forms of cyber-attacks. Not to mention, the threat itself is very adaptable – it is accessible, it evolves fast, and it scales well and is a ransomware gang’s dream to access an abundance of easy money.
The prevalence of the rise in ransomware is well-documented. In a Chainalysis Report, the study found a three hundred and eleven percent increase, year over year, to the end of 2020 in the number of actual ransomware attacks. A study from Deep Instinct finds that malware increased by three hundred and fifty-eight percent in 2020.
Amidst this rise in ransomware, attackers are increasingly turning their focus to healthcare institutions. In an IBM X-Force report, Cyberattacks on healthcare more than doubled in 2020, with ransomware accounting for twenty-eight percent of all attacks. So, despite the strong defenses that attackers would have to face, when life-or-death becomes leverage, the cost of a ransomware attack on healthcare institutions is more than just the demanded ransom amount.
Why ransomware attacks are directed at healthcare institutions
Like many businesses, healthcare institutions were not prepared for a global pandemic. With scarce resources, coupled with intense pressure to treat the onslaught of sick patients, ransomware gangs saw a unique opportunity within the healthcare sector. Why?
- Sensitive data: The healthcare industry holds a ton of personally identifiable information (PII) – from home addresses, phone numbers, credit card numbers, to social security numbers – making it one of the most attractive targets for ransomware attacks.
- Geopolitics: Given that many ransomware gangs come from Eastern Europe and Russia, they often do not attack one another. With geopolitical tension rising between the U.S. and Russia, the Russian government put out an edict to target U.S. healthcare institutions in 2020, painting an even bigger target on the backs of U.S. healthcare institutions.
- Poor security infrastructure, controls, and processes: First and foremost, the mission of healthcare providers is to treat and protect patients. That said, hospitals are businesses, so cybersecurity often is branded as “just another cost center,” which delays the modernization of outdated systems, investment in enhanced controls that protect patient and hospital data, and the consistent enforcement of cybersecurity controls and protocols. In short, when it comes to systems and data, a good number of healthcare organizations are behind from a tech standpoint.
- Lack of incident response plan: While many hospitals have begun modernizing the business infrastructure as well as updating procedures and policies to prevent cyber threats like ransomware, many have failed to devise a plan for what happens when they get breached. It is one thing to stay secure as possible, and it is another to be prepared to sustain business continuity if disrupted.
Cost of healthcare ransomware attacks
According to IBM, nearly one in four of overall cyberattacks last year was ransomware. The increase in data extortion efforts enabled just one of these ransomware gangs, REvil, to make over $123 million in profits in 2020.
Determining the hard costs of a ransomware attack extends far beyond the ransom ask. The overall cost of an attack includes ransom cost + recovery cost + further Human Resources (HR) costs for employees and patient care, as well as many other factors.
The effects can cause an immense profit loss along with long-term damage to a healthcare organization’s brand reputation. Knowing that healthcare institutions are a prime target for attackers, it is important to act before the threat is at your doorstep.
How healthcare institutions can make the business case for ransomware prevention
When making the case to stakeholders, it is important to emphasize the risk of inaction and frame it in the context of the overall business. Start by outlining defining the stakes for your organization:
- Patient safety risk As in the University of Vermont Health Network Attack, the magnitude of the impact was frightening. Ambulances were rerouted, cancer patients’ radiation treatments were delayed, medical records were rendered temporarily inaccessible, and, in some cases, permanently lost. In another attack that occurred in September of 2020, delays caused by ransomware resulted in the death of one patient under critical care. In the best-case scenario, disruptions caused by ransomware are inconvenient and expensive. When placed in a high-stakes context like a hospital, the disruptions become life threatening.
- Financial risk In a 2021 ransomware report, the study found that businesses lose around $8,500 per hour, due to ransomware-induced downtime. Aside from the ransom ask itself, the financial risk multiplies via operational downtime, potential Health Insurance Portability and Accountability Act (HIPAA) penalties, and other factors. It raises an important question: If you are ransomed, will you have the funds to survive it?
- Brand / Marketing risk With today’s threats directly impacting the patients, the reliability of your systems still operating during an attack directly affects patient trust – everything from patient records to the technology used to save lives would be threatened by an attack. Can the organization afford to take that kind of reputational hit? How will the hospital’s “brand” recover from this incident and gain the loyalty and trust of our existing + potential patients again?
- Operational risk Does the organization have the capability to sustain business continuity while under attack? These attacks can absolutely cripple a clinic’s systems. For another health system, attackers held electronic health records (EHR) ransom, forcing the health system to use EHR downtime procedures and rendering its patient portal, EHR, and lab results inaccessible to many of its care sites for well over a month.
What healthcare institutions can do to mitigate the impact of ransomware
With ransomware on a continued rise in the healthcare industry and showing no signs of slowing down, healthcare providers and organizations have expanded the effort to stay protected through third-party tools and partners. Because healthcare institutions, as well as the associated third-party tools and partners, have a massive digital footprint, safeguarding against ransomware is no easy task.
Mitigating ransomware starts with viewing the cybersecurity situation holistically. To build resilience, your organization must be prepared to continue operations and have a plan with critical elements to minimize the impact of a ransomware incident. Here are some of the best mitigation practices to implement, broken down into two categories:
1. Addressing technology factors
2. Addressing the human factor
Healthcare Ransomware Prevention: Addressing Technology Factors
In a 2016 survey by SentinelOne, seventy percent of respondents had to increase information technology (IT) spending, sixty-five percent changed their cybersecurity strategies. Fifty-two percent said they had lost faith in anti-virus solutions.
- EDR + Visibility of Security Analytics Endpoint detection and response (EDR) is a form of security software that monitors end-user hardware devices across a network for a variety of suspicious activities and actions, automatically blocking threats and saving forensics data for further investigation. An EDR platform integrates deep visibility into all that happens on an endpoint system — processes, changes to dynamic link library (DLLs) and registry settings, file, and network behavior — with data aggregation and analytics capabilities that enable threats to be identified and countered by either automated or human processes.
- Data Back-Ups Create backups of critical systems and house the backups offline from the network. This step is critical, as some of the new Ransomware looks for backups and backup routines to disable them before launching the attack. At that point, the business’ only recourse is to have disconnected, offline backups – which are often not up to date.
- Patch Systems Patching operating systems, software, and firmware as soon as manufacturers release updates is vital.
- Disable Unused Devices Unattended devices leave an opening for attackers, so any unnecessary communications equipment, especially any that are remote, should be disabled/unplugged.
- Password Protection Password cracking is one common way that leads to privilege escalation, then to pure chaos. Implementing a “strong password” policy, requiring regular changes to passwords, and never using the same password for multiple accounts may not be convenient, but it is necessary.
- Consistent Authentication Ensure that user identity, authentication, and authorization are consistent.
- Stronger Security + Access Controls Enable multi-factor authentication (MFA), Smart Card, or biometric authentication in addition to secure passwords.
Healthcare ransomware prevention: addressing human factors
Fifty-four percent of healthcare associates say their biggest problem is employee negligence in the handling of patient information according to a Ponemon study.
- Training + Awareness Programs Make employee training on cybersecurity basics a part of your operations on top of providing regular training and access to professional courses to your IT staff.
- Check Cyber Insurance If your organization chooses to have cyber insurance, check the ransomware policy, and get a clear understanding of the scope and requirements that the policy provides. By understanding the full capabilities of the insurance plan, your organization also acknowledges the level of risk you are willing to take on.
- Phishing Attack Tests Deploy simulated phishing attacks (widely available as free online services) that evaluate unsuspecting employees and generate reports on who opens malicious emails, how fast, and what it can mean for your organization if the attack was real.
Ransomware gangs understand the current challenges faced by organizations facing work from anywhere challenges and a collapsed perimeter, and they view this as a segue into extorting data. The time it takes to detect, contain, and respond is very challenging in an unprepared company.
Having a higher level of visibility shines a spotlight on unauthorized users faster, allowing for enhanced containment and stronger, more timely incident response. Security team best practices include seeking industry experts that can help you implement cutting-edge monitoring and detection technology (EDR) to meet the challenges of today and prevent the threats of tomorrow.
Read more on ransomware resources
- Threat focus: What is Ransomware-as-a-service?
- Ransomware vs. Phishing vs. Malware (What’s the Difference)
- The Rise of RaaS Gangs + What You Need to Know
- Threat Detection + Response XDR
- University of Vermont Health Network Attack
- 4 Security Precautions Before Reintroducing Devices to the Network
- Zero Trust
- How to Protect Workers from Increased Phishing Attacks During COVID-19