Jun 11 2021

The Threat of Ransomware Still Looms Large Over Healthcare

To better protect their data and systems, healthcare organizations must be able to separate truth from fiction.

Ransomware poses a significant risk to the confidentiality, integrity and availability of critical medical and business records. A single end-user mistake on an undefended network can quickly spread to servers and other unprotected endpoints, rendering critical records inaccessible when they are most needed.

Healthcare providers who find themselves suddenly unable to access patient records face an unpalatable choice: give in to the attackers’ demands and pay an exorbitant ransom to restore access to their data, or risk their ability to deliver care.

Cybersecurity professionals must continue to develop their understanding of the threat posed by ransomware and build robust defenses. Security controls should aim to both reduce the likelihood of a successful attack and boost the organization’s ability to quickly recover data should an attack succeed.

FALLACY: Ransomware tactics have remained the same throughout the years.

Any cybersecurity professional who has spent at least a few years in the field has probably faced a ransomware infection. However, while ransomware itself isn’t new, the technology and tactics that attackers use increase in sophistication every year.

From a technology perspective, ransomware authors constantly shift their tactics to exploit new and emerging vulnerabilities. There’s a cat-and-mouse game afoot between system administrators, who rush to patch newly discovered vulnerabilities, and ransomware authors, who move on to the next attack technique as administrators apply those patches. As ransomware actors incorporate zero-day attacks into their arsenal, they are increasingly able to bypass firewalls and other defenses.

Attackers are also beginning to use different tactics when exploiting compromised systems. Older attacks relied on simple access-based extortion — pay the ransom, or you won’t regain access to your data. Modern attacks now use “double extortion” approaches, where the attackers combine the loss of access to data with the threat of a data breach. Before encrypting data, attackers copy it all onto their servers and threaten to publicly expose sensitive data unless the victim pays the ransom.


FACT: Training users is an effective defense against ransomware.

Most ransomware infections begin with a simple mistake by an end user. That might be clicking a malicious link or responding to a phishing email. Even the most sophisticated defenses may crumble when an authorized user unwittingly holds the door open for an attack.

Fortunately, training goes a long way in defending against these threats. Organizations that educate users about social engineering attacks and equip them with the tools to recognize and resist them find that they are much less likely to fall victim. Security firm KnowBe4 found that organizations that conduct regular anti-phishing exercises can lower their risk by more than 80 percent over the course of a year.


The average percentage of employees in organizations without security awareness training who fell victim to a simulated phishing scam.

Source: KnowBe4, “2020 Phishing by Industry Benchmarking Report,” March 24, 2020

FALLACY: Ransomware attacks are starting to dwindle.

Ransomware poses an increasingly prevalent threat to organizations around the world, and the rate of attacks shows no sign of abating. A recent Bitdefender analysis of the cybersecurity threat landscape found that ransomware attacks surged 485 percent from 2019 to 2020. That’s a remarkable increase and sends the clear message that ransomware attacks won’t stop anytime soon.

This boom suggests these attacks must be succeeding, and news reports support that conclusion. Last year, a New Jersey hospital paid a $670,000 ransom to prevent attackers from releasing patient records they had stolen. As long as there’s money to be made, ransomware attacks won’t stop.

FACT: Backups play an important role in ransomware recovery efforts.

Organizations that lose data during ransomware attacks and are forced to pay exorbitant ransoms often find themselves in that situation because they failed to conduct regular backups of their systems and applications. These backups won’t prevent ransomware from gaining a foothold on an organization’s network, but they provide an important safety net if an attack succeeds. Administrators have an alternative to paying the ransom: restoring critical data from backups. Though this process may be time-consuming, it avoids the unsavoriness and risk associated with paying a ransom to criminal attackers.

It’s crucial to remember, however, that backups aren’t foolproof. They increase the likelihood and speed of data recovery, but they offer no protection against double-extortion attacks. If attackers threaten to publicly reveal sensitive data, backups won’t prevent that confidentiality breach.


FALLACY: Ransomware generally doesn’t affect healthcare providers.

Attackers targeted healthcare providers from the earliest days of ransomware. In fact, the first known ransomware outbreak was targeted at healthcare providers in 1989.

Decades later, hospitals, health systems and other providers remain squarely in the crosshairs of ransomware attacks. In March, a New York-based healthcare provider reported a serious ransomware infection affecting medical records and other patient information. The company reported that more than 750,000 records were exposed for residents of Maine alone, and the full extent of this breach probably reaches into the millions.

Two factors make healthcare organizations extremely attractive targets for ransomware. First, losing access to data can present a dire situation with life-or-death consequences, creating a sense of urgency for the victim to regain access. Second, healthcare organizations are well funded and able to pay significant ransoms.

There’s no end in sight to ransomware attacks, and cybersecurity professionals must continue to build robust defenses to protect their organizations.

Chris Gash/Theispot
