Ransomware can hit any type of organization or business. Cybercriminals count on the fact that many victims will choose to pay the ransom, especially if the stolen or encrypted data isn’t recoverable any other way. But hospitals, health agencies, and medical facilities can be particularly exposed to ransomware as they hold sensitive research information and patient data that they can’t afford to lose. That’s especially true now as the global medical community is focused on containing the spread of the coronavirus.
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
Health and medical facilities have been tempting targets for cybercriminals, according to a recent survey commissioned by Keeper Security and conducted by the Ponemon Institute. Almost two-thirds of healthcare organizations around the world have experienced a cyberattack in their lifetime, with 53% hit within the last 12 months.
Healthcare data breaches resulted in an average of 7,202 patient and employee records lost or stolen, with collective losses of around $1.8 million due to the disruption of normal operations. Based on the survey, a full 90% of healthcare organizations dedicate less than 20% of their IT budget to cybersecurity.
“Electronic health records are some of the most lucrative documents on the dark web, so it’s not surprising that the healthcare industry is highly-targeted by cybercriminals,” Darren Guccione, Keeper CEO and co-founder of Keeper, said in a press release. “While the majority of healthcare organizations have already experienced a cyberattack, this research shows the industry still doesn’t have the necessary resources and budget allocated to preventing and responding to major data breaches. Patients depend on providers to protect their sensitive health information and moreover, their lives via connected medical devices.”
Looking at ransomware specifically, one of the most common forms is “crypto ransomware,” according to David Friend, CEO of cloud storage company Wasabi. This type of attack encrypts critical files or an entire hard drive to prevent users from accessing them. If the data hasn’t been backed up, the victim faces a choice between paying the ransom or losing the information. This is especially problematic if the data involves sick or dying patients or holds the key to an antiviral vaccine.
“It’s a matter of life and death if medical research, hospital data, or emergency response information is held hostage,” Friend said. “Because it’s a matter of life and death, cybercriminals know that emergency response organizations are more likely to pay. Because of HIPAA, hospitals are more sensitive to this type of thing, and with patients’ lives on the line, they may be more willing to pay out to get their files back quickly.”
Hospitals and medical facilities are also being taxed because of the coronavirus. In that vein, workers can easily become so preoccupied with other matters that they fail to pay the necessary attention to potentially malicious emails.
“Healthcare organizations are especially targeted because hospital staff may likely be stressed, tired, or hyper-focused on the health crisis, which may dilute their effectiveness or distract them from daily IT security processes and procedures,” Guccione said. “It is important for hospital IT staff, even during a crisis, to follow established protocols so they can stay disciplined and focused.”
Downtime is always an issue in the event of a ransomware attack. Even if the data is recoverable, either through the attacker or through some other means, the victims end up wasting precious time and resources trying to bounce back from the attack. In the case of a business, the loss is typically financial. But with medical and health facilities, the cost of downtime can be measured in the health and lives of patients, Friend pointed out.
Like other organizations hit by ransomware, hospital and medical facilities face the difficult decision of whether or not to pay the ransom to recover data. Even if the ransom is paid, there’s obviously no assurance that the criminals will “honor their word” to restore the files. However, if lives are on the line, do you take that chance?
“Cybercriminals want your money, not necessarily your data,” Friend said. “[But there’s] no guarantee that the criminals will decrypt the ransomed files after they are paid. In fact, most cybercriminals don’t decrypt because they want to minimize the evidence that might lead the investigators back to them.
“If the odds are against your data being decrypted, why pay the ransom? In the case of global emergencies where life and death are on the line, victims of ransomware are more willing to take the chance and pay the ransom than not pay and know deaths can result.”
How to prevent ransomware attacks
Help IT people do their jobs. To protect themselves against ransomware, hospitals should first make sure IT employees are comfortable, meaning they should be working in a safe and secure environment, Guccione advised. Second, hospital IT administrators should take the following precautions:
- Inbound emails should be scanned for threats and unknown file types.
- Confirm that all key applications, databases, and servers are running the latest firmware and patch any of those that are not.
- Confirm endpoint security systems and firewalls are working properly.
- If remote workers are being utilized, make sure they are using a secure VPN service.
- Be mindful of increased phishing attacks by email, phone, and text message. Any suspicious emails should be added to a blocked or spam list. Ignore any emails, calls, or messages requesting that you enter login credentials into a system or site. Ignore those same threads that request money, gifts, or payment.
- Make sure that all patient records and patient processing systems are protected–i.e. that they are encrypted both at rest and in transit.
Rely on training. Make sure your employees are properly trained on security, Guccione said. If an attempted or actual cyberattack occurs, it’s critical to follow those training procedures no matter how stressful the situation may get. Taking shortcuts and not following the proper protocol will only create opportunities for cybercriminals to exploit the situation.
Back up, back up, back up. The best way to prevent ransomware is to be proactive, meaning take the necessary precautions before such an attack occurs, according to Friend. To do that, you need to regularly back up your critical data so you can restore it if necessary.
Backup data is not totally immune to ransomware, Friend said. That’s why you want to keep multiple versions of your backups with different recovery points and at different locations. A good guideline for backing up data is the “3-2-1 rule.” That means you keep three separate backups of your data, two on different media, and one offsite.
Use the cloud. Cloud storage offers quick access to offsite data, prompting many organizations to use it as part of their 3-2-1 strategy, Friend said. Storing data in the cloud can be less expensive than storing it on-premises, and adds an extra layer of protection. However, even cloud-based data can fall victim to ransomware.
Files that are infected on a company computer or other device can unknowingly be uploaded to the cloud as part of a backup. In some examples cited by Friend, cybercriminals were able to access an organization’s network through vulnerable remote desktop services and thereby obtain cloud credentials. From there, they managed to delete previous backups or download them to their own servers.
Even organizations that use a cloud service for backups must adopt a shared responsibility with the cloud provider for security. That means you need to use network monitoring software and intrusion detection systems to guard against any type of unauthorized access.
Consider immutable buckets. Some cloud-based services let customers create immutable storage buckets of data for a certain period of time. “Immutable” means that any data written to that bucket cannot be deleted or altered in any way, by anyone, throughout its storage lifetime, according to Friend. As such, these buckets prevent encryption by crypto ransomware. The advantage to hospitals and medical facilities is that these storage buckets comply with specific government regulations such as HIPAA.
“[Finally,] if your systems are compromised with ransomware, we recommend that you do not pay the ransom,” Guccione suggested. “Cybercriminals frequently don’t release access after a ransom is paid. Don’t trust them. Instead, take the necessary precautions and internal control measures regarding file backup, recovery, and incident response.”