Taking Health Care Out of the Ransomware Hot Seat
For the second straight year, ransomware attacks accounted for over 70% of all malware incidents in the healthcare sector, according to the “2019 Verizon Breach Investigations Report.” Beazley reported that almost half of the ransomware incidents reported in 2018 involved healthcare companies, while CSO Online estimates that healthcare-related malware attacks will likely quadruple by 2020.
Adding salt to the wounds, a private practice in Battle Creek, Michigan, was forced to close its doors in the aftermath of a devastating healthcare ransomware attack in 2019—the first public report of a ransomware-related business failure.
Being in the ransomware hot seat is a lot to swallow for an industry responsible for the security of our most sensitive data. And therein lies part of the problem. Cybercriminals are always after the most lucrative targets and they have learned that healthcare providers are more likely to pay the ransom to get their patients’ data back.
CEO of A1care, Percy Syddall, a 25-year healthcare veteran who helps grow and manage businesses in the home care field, is sharing his story to help others avoid the business disruption and financial woes caused by cybercriminals. “I always strive to do what is best for my clients, which includes leveraging innovative technologies and maintaining the privacy of their personal data,” he said. “Still, our company was attacked by ransomware, which almost forced us out of business. The cybercriminals threatened to expose private client data if we did not pay the ransom.
“The hardest thing I’ve ever had to do was call each client and explain that the personal information they trusted my business to protect, may have been compromised,” he continued. “At that time, very little was known about ransomware and I ended up paying the ransom to get my client data back.”
Even though medical records contain rich personal health information (PHI) that can be sold for high value, cybercriminals are discovering they can get faster payment through ransomware. Unlike stolen medical records that take time to acquire and commoditize, ransomware locks healthcare professionals out of critical systems and demands payment or immediate action.
Although ransomware has been around more than 10 years, its recent rise in health care is significant as physicians become more dependent on critical, real-time patient data such as scheduling, lab results and pharmacy orders.
Without access to computerized patient data, many hospitals and clinics are frozen in their tracks. Unlike other industries where access to data is not always time-critical, being locked out of patient data can be life-threatening. Data criticality and limited cybersecurity programs make health care a prime target for ransomware, and this risk will continue to increase.
Ransomware on the Rise
A recent survey carried out by the University of Kent found that 41% of respondents hit by this type of malware paid the ransom. Each payment encourages a future generation of attackers. Ransomware takes less time and effort compared to stealing medical records, so the cost versus benefit is favorable for cybercriminals.
Another reason health care is a favorite ransomware target is that many within the industry are using out-of-date systems and applications, and most struggle with asset management, vulnerability management and patch management due to tight budgets and limited information security resources. Easy targets make good targets.
Light at the End of the Tunnel
While it may seem all doom and gloom for an industry that faces so many IT and privacy challenges, there are signs that indicate healthcare organizations are taking the challenge seriously and doing everything within their power to turn the tides.
In several recently reported breaches involving ransomware attacks, providers recovered without paying a ransom to extortionists. This offers a glimmer of hope that healthcare organizations can defend themselves adequately against such incidents.
In Syddall’s situation, he was able to take a proactive stance against ransomware using the advice he gained from a company that specializes in helping SMBs make the most of their information security budget and resources. Being aware of the threats and taking the appropriate actions is key to putting a lid on increasingly sophisticated forms of cyberattacks. While there are no silver-bullet solutions, taking a layered approach to cybersecurity can pay dividends.
“Having a knowledgeable security advisor helped me sort through a jungle of suggestions and products being pushed by vendors,” he said. “This allowed us to develop an innovative strategy that I felt confident could protect my clients’ data using a layered approach and innovative technologies—all within a budget that is reasonable for a business my size.
“Within a few weeks, I had state-of-the-art ransomware and data protection solutions seamlessly installed and configured throughout our office systems,” he added. “Equally important, A1care was able to continue to run business as normal and provide the best care to clients during installation, which was paramount to our success and reputation.”
Syddall’s statements echo the sentiments of many in the industry who just want to focus on helping patients, not triaging ransomware and other cybersecurity emergencies. Getting advice from the right security experts, employing innovative technologies, taking a layered security approach and having appropriate backup procedures are just a few of the steps organizations can take to cure the ransomware epidemic. Equally important is end-user education: Every employee should be aware of proper security protocols.
Broadly speaking, there’s still work to be done in 2019. We’ve seen some small wins, but to take health care out of the ransomware hot seat, it will take a much bigger effort from business and IT leaders in this sector before they can declare any major victories.
