Sep 21 Is Your Healthcare Facility a Target for Ransomware?
Ransomware is a type of computer malware that limits or prevents access to data. It either locks the system’s screen or encrypts the user’s files, and demands that the victim pay a ransom to the criminals for the unlock code or decryption key.
A 2016 study by Osterman Research found ransomware attacks most prevalent among financial services and healthcare industries. The same study noted that this isn’t especially surprising since both industries rely heavily on critical, sensitive data. Without access to this data, both the financial and healthcare industries can grind to a halt.
Of course, healthcare facilities cannot stop caring for patients, so the crucial question is what they can do to protect themselves. According to Becker’s Health IT, 12 US healthcare organizations were victims of ransomware attacks in 2016, and 88% of those were hospitals.
One notable attack at Hollywood Presbyterian Medical Center in California locked employees out of the electronic health records for a week, forcing employees to revert to handwritten forms and paper records. The hospital eventually paid a $17,000 ransom to release data.
Beyond the ethical problem, paying a ransom does not guarantee that the attackers will restore your data, and it does not guarantee they won’t attack your facility again. Losing access to sensitive information disrupts operations, causes financial losses, seriously damages your healthcare facility’s reputation, and threatens lives.
Is Ransomware The True Problem?
Certainly ransomware poses a threat, but the root of the problem lies within healthcare facilities themselves. An infection exposes the lack of comprehensive security practices across healthcare networks and endpoints.
Security vendors such as Norton and Malwarebytes note that ransomware is largely thwarted when proper measures are in place. For instance, even if an end user unintentionally executes a ransomware file, the encrypted files can be restored from backups, provided the facility actually makes them, keeps at least one copy offline or otherwise out of the malware’s reach (ransomware routinely encrypts backups sitting on mapped drives and network shares), and tests that restores work. Unfortunately, this isn’t always the case.
Healthcare facilities need to regularly assess their risk to mitigate problems. Risks and vulnerabilities are only apparent when organizations regularly categorize their assets and analyze their data transmission methods. With this information available it is possible to formulate a plan to tackle the most urgent vulnerabilities and schedule the less pressing ones.
Healthcare facilities can start the process by analyzing where they store data such as in databases, mobile devices, and cloud storage. They can check information security measures, whether devices properly encrypt data, and review employee access to information.
The HIPAA Security Rule, enforced by the Department of Health & Human Services (HHS), requires covered entities and their business associates to conduct a security risk analysis and to document how the administrative, physical, and technical safeguards address the risks it identifies.
The Osterman Research study mentioned earlier found that 59% of ransomware infections come from email, either via a link directing a user to a malicious website or as an email attachment. Consequently, it is imperative that healthcare facilities filter inbound mail (blocking or sandboxing executable and macro-enabled attachments and rewriting links) and run up-to-date, properly configured anti-virus software and firewalls to protect their data.
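Because email is the main delivery vector, a mail gateway check is the first place to stop a ransomware dropper. The following is an added example, not code from the original article or from any vendor mentioned in it: it parses a raw message with Python's standard email library and flags two classic phishing tells, an attachment that is a Windows executable by extension or by content (the "MZ" header) regardless of how it is named, and a link whose visible text names one host while the href points somewhere else. The extension list, the host names and the sample message are constructed for the illustration and are not real indicators.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types commonly used to deliver ransomware droppers. This list is an
# illustration for the example, not any vendor's blocklist.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                    ".bat", ".cmd", ".ps1", ".lnk", ".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
PE_MAGIC = b"MZ"  # every Windows executable starts with these two bytes

# <a href="...">text</a>, and text that itself looks like a URL or host name
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?$", re.I)


def attachment_findings(msg: EmailMessage) -> list:
    """Flag attachments by extension and by content, so both invoice.pdf.exe and a
    PE file renamed to report.pdf are caught."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""  # last extension wins
        payload = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(f"archive attachment, inspect contents: {name}")
        if payload.startswith(PE_MAGIC) and ext not in RISKY_EXTENSIONS:
            findings.append(f"executable content under a harmless name: {name}")
    return findings


def link_findings(html: str) -> list:
    """Flag links whose visible text names one host while the href goes elsewhere."""
    findings = []
    for href, text in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_match = HOST_RE.match(shown)
        href_match = HOST_RE.match(href.strip())
        if shown_match and href_match:
            shown_host = shown_match.group(1).lower()
            href_host = href_match.group(1).lower()
            if shown_host != href_host:
                findings.append(f"link text shows {shown_host} but points to {href_host}")
    return findings


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and decide whether to hold it for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = attachment_findings(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += link_findings(body.get_content())
    return {"subject": str(msg["subject"]), "findings": findings,
            "quarantine": bool(findings)}


def build_sample(malicious: bool = True) -> bytes:
    """Constructed sample message (not a real phish): an invoice lure with a
    deceptive link and a PE file named to look like a PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@hospital-invoices.example"
    msg["To"] = "records@hospital.example"
    msg["Subject"] = "Overdue patient invoice"
    msg.set_content("Please review the attached invoice.")
    if malicious:
        msg.add_alternative(
            '<p>Or review it online at <a href="http://portal-hospital.example.net/login">'
            'https://portal.hospital.example</a></p>', subtype="html")
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                           subtype="octet-stream", filename="Patient_Invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample())["findings"]:
        print(finding)
```

On the constructed sample, triage reports both the .exe hidden behind a .pdf name and the link whose text says portal.hospital.example while its href goes to portal-hospital.example.net, and marks the message for quarantine; the benign variant produces no findings. A real gateway would also unpack archives and submit unknown Office documents to a sandbox, which this example leaves out.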
Computer systems, and the software of third-party or cloud-based vendors, must also stay updated. Organizations must apply the latest patches to their web application frameworks, browsers, and plug-ins. Business applications, storage drives, and the social media services staff use from work systems must also be covered by anti-virus scanning.
Additionally, medical facilities often rely on wearable devices or devices used in the home, which are easily breached without proper security measures and regular updates. Both the FTC and the FDA have medical devices on their radar, so organizations should act now to avoid possible legal repercussions and fines later.
Technology is only as reliable as the people who use it. Healthcare facilities need an education program so users recognize potential threats and know what they should or shouldn’t do.
Users need to submit suspicious emails or files to a designated IT or security person and the organization needs to constantly reinforce the security message with users. Users should also report phishing attempts, even when they do not click on a dubious link.
Of course, those responsible for monitoring suspicious files and emails need proper prevention, detection, and response training, too.
Comprehensive Disaster Recovery Plan
Hackers are very resourceful, and every organization needs to prepare for the worst. This includes preparing an incident response plan so your facility can respond quickly to a breach.
It also includes preparing a disaster recovery plan, which documents the procedures and processes necessary to recover and protect your organization after a ransomware attack. The plan minimizes recovery time and data loss, and regular, tested backups kept offline or otherwise isolated from the production network are integral to it: a backup that has never been restored is only a hope, and a backup the infected machine can write to is just one more set of files for the ransomware to encrypt.
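"Verified" backups means proving, before you need them, that what comes back from the backup is what went in. Below is an added example, not part of the original article or any product it mentions, of the minimum check a recovery plan should run: a SHA-256 manifest recorded when the backup is taken and stored apart from it, then compared against a test restore. The demo builds a small constructed file tree in a temporary directory and simulates what ransomware does to a reachable copy (overwrites one file with ciphertext and renames another), so the verification reports exactly which files can no longer be trusted. Paths and file names are invented for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to the SHA-256 of its contents."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    'changed' files have different contents (encrypted in place), 'missing' files
    were deleted or renamed, 'extra' files appeared (typically renamed/encrypted
    copies or the ransom note). The restore is only trustworthy when ok is True.
    """
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    extra = sorted(set(current) - set(manifest))
    return {"ok": not (missing or changed), "missing": missing,
            "changed": changed, "extra": extra}


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: take a manifest of a backup set, then verify a restore
    that ransomware has (or has not) touched. Not real patient data."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        for root in (backup, restore):
            (root / "ehr").mkdir(parents=True)
            (root / "ehr" / "chart-0001.txt").write_text("patient chart 1")
            (root / "ehr" / "chart-0002.txt").write_text("patient chart 2")
            (root / "schedule.csv").write_text("room,time\n")
        manifest = build_manifest(backup)  # stored separately from the backup media
        if tamper:
            # Simulate ransomware reaching the restore target: one file encrypted
            # in place, one encrypted and renamed with a new extension.
            (restore / "ehr" / "chart-0001.txt").write_bytes(os.urandom(32))
            (restore / "schedule.csv").rename(restore / "schedule.csv.locked")
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    print(demo())
```

The same two functions work against real backup media: run build_manifest when the backup job completes, keep the manifest with the offline copy's catalogue (not on the file server being backed up), and run verify_restore against a scheduled test restore so that a silently corrupted or encrypted backup is discovered during a drill rather than during an incident.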
According to the Proofpoint Quarterly Threat Report, the number of ransomware variants increased 4.3-fold in the first quarter of 2017 alone. As security specialists conquer one variant, many more pop up in its place.
Ransomware attacks are also migrating towards new methods instead of principally relying on email. Attackers now break in through Remote Desktop Protocol (RDP) services left exposed to the internet, typically by guessing weak or reused passwords, and then install the ransomware by hand on the systems they reach.
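An RDP intrusion leaves a distinctive trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one external address, followed by a successful logon (4624, type 10) from the same address once a password is guessed. Here is an added example, not from the original article, of the detection logic run over a constructed sample of such events (not real log data; the addresses and user names are invented): it counts RDP failures per source address in a sliding window and raises a second, higher-severity alert when a success follows from an address already flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (not real log data), reduced
# to the fields that matter here: time, EventID, LogonType, TargetUserName,
# IpAddress. 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = """\
2017-05-02T03:14:05 4625 10 administrator 203.0.113.45
2017-05-02T03:14:09 4625 10 admin 203.0.113.45
2017-05-02T03:14:12 4625 10 backup 203.0.113.45
2017-05-02T03:14:16 4625 10 nurse1 203.0.113.45
2017-05-02T03:14:20 4625 10 nurse1 203.0.113.45
2017-05-02T03:14:24 4625 10 nurse1 203.0.113.45
2017-05-02T03:14:31 4624 10 nurse1 203.0.113.45
2017-05-02T07:58:10 4625 10 dr.patel 10.0.5.12
2017-05-02T07:58:40 4624 10 dr.patel 10.0.5.12
2017-05-02T08:01:02 4625 2 reception 10.0.5.30
"""


def parse_events(text: str) -> list:
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "ip": ip})
    return events


def detect_rdp_bruteforce(events: list, threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> list:
    """Alert on `threshold` RDP logon failures from one address within `window`,
    and again, more urgently, if that address then logs on successfully."""
    failures = defaultdict(list)  # source ip -> timestamps of recent RDP failures
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["logon_type"] != 10:      # only RemoteInteractive (RDP) logons
            continue
        ip = e["ip"]
        if e["event_id"] == 4625:
            recent = [t for t in failures[ip] if e["ts"] - t <= window] + [e["ts"]]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "rdp_bruteforce", "ip": ip,
                               "failures": len(recent), "ts": e["ts"]})
        elif e["event_id"] == 4624 and ip in flagged:
            # A success after a flagged burst: treat as a probable compromise.
            alerts.append({"kind": "rdp_bruteforce_success", "ip": ip,
                           "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, 203.0.113.45 is flagged at its fifth failure within the window and a second alert fires when the nurse1 logon succeeds from the same address, while the clinician who mistyped a password once and the local console failure (logon type 2) are ignored. The detection is the backstop; the fix is not to expose RDP to the internet at all, and where remote access is needed, to put it behind a VPN with multi-factor authentication and an account lockout policy.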
The problem is growing so quickly, healthcare facilities must act now. Without proper protocols and security measures, these organizations remain extremely vulnerable with a great deal at risk, including patient lives. While updating technology and implementing proper processes and procedures can take some time, getting a cyber liability insurance policy in place takes only a few minutes and is a great place to start.
Managing risk includes consultation, diagnosis, and proactive planning. Gilbert’s Risk Solutions provides no-obligation consultations, and we have the necessary experience. We’ve been helping healthcare facilities mitigate their risks for over 160 years, and we can’t wait to help yours, too.