A sharp rise in ransomware is buffeting the health care sector and forcing IT security professionals to reevaluate how they tackle the threat.
Of those hit by ransomware in the last year, 65% said the cybercriminals succeeded in encrypting their data in the most significant attack. Just over a third (34%) of those whose data was encrypted paid the ransom to get their data back in the most significant ransomware attack.
Another 7% said the data was not encrypted, but the organization was still held for ransom. This is because some attackers are turning to extortion-style attacks, which means that instead of encrypting files, they steal and then threaten to publish data unless the ransom demand is paid.
That approach requires less effort on the attackers’ part, as no encryption or decryption is needed, and adversaries often leverage the punitive fines for data breaches in their demands in a further effort to make victims pay up.
The average bill in the health care sector for rectifying a ransomware attack, considering downtime, personnel, device cost, network cost, lost opportunity, ransom paid, etc. was $1.27 million.
However, the survey results revealed that on average, less than 69% of the encrypted data was restored after the ransom was paid.
An Ounce of Prevention
Kevin Dunne, president at Pathlock, said in terms of preventing ransomware from entering the network, it is important to minimize users’ ability to download unknown information to devices in the network, back up all key systems regularly, and plan for contingencies in the event critical systems are unavailable for a short period of time.
“Health care organizations should also monitor all privileged accounts and critical systems for unusual behavior and educate users on typical phishing attacks, which are often a source of ransomware,” Dunne said. “In terms of preventing damage once ransomware has found its way on the network, security leaders should be putting into place practices and procedures related to backing up infrastructure from storage.”
He pointed out that security professionals often focus undue effort on how to respond once ransomware has made its way onto the network, rather than working to prevent it from entering the network in the first place.
“Even in the event you can restore your systems from a backup, that often means the ransomware group has made off with your critical data, which might include sensitive financial, customer, employee or patient information,” he said. “Security professionals need to focus on how to keep the ransomware off the network in the first place, which often hinges around a well-implemented identity program built on a zero-trust philosophy.”
According to the Sophos survey, most organizations not hit by ransomware nevertheless expect an attack in the future. The good news is that 89% of health care organizations already have a malware incident response and recovery plan in place.
Health care is one of the sectors most likely to pay a ransom, which the report indicated may be due to the pressures on health care teams to ensure continuity of services.
The survey also revealed health care’s high rate of ransom payment may also be due to the inability of organizations in this sector to restore their data from backups.
Globally, 57% of organizations whose data was encrypted were able to restore their data from backups, but this compared to just 44% in health care, the second lowest rate of all industries surveyed.
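The survey's finding that health care organizations so often cannot restore from backups, and Dunne's advice to back up all key systems regularly, both point to the same practical gap: backups that are taken but never verified. As an added example, not code from the article, Sophos, Pathlock or NNT, the Python below checks a backup set against a manifest of SHA-256 digests recorded when the backup was taken, flagging files that are missing, files whose contents changed, and a backup that is older than the allowed window. The directory layout, the manifest format and the helper names (build_manifest, verify_backup, demo) are this example's own assumptions.

```python
"""Verify that a backup set is complete, untampered and recent.

Added example, constructed for this article. It assumes a plain layout:
a backup directory plus a JSON-serialisable manifest of SHA-256 digests
written at backup time. Helper names are hypothetical.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, taken_at=None):
    """Record a digest for every file under root plus the time the backup was taken."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    return {"taken_at": time.time() if taken_at is None else taken_at, "files": files}


def verify_backup(root, manifest, max_age_seconds, now=None):
    """Compare the backup directory against its manifest.

    Returns which files are missing, which have a different digest than
    recorded, and whether the backup is older than max_age_seconds.
    """
    now = time.time() if now is None else now
    missing, mismatched = [], []
    for rel, digest in manifest["files"].items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            mismatched.append(rel)
    stale = (now - manifest["taken_at"]) > max_age_seconds
    return {"missing": missing, "mismatched": mismatched, "stale": stale,
            "ok": not (missing or mismatched or stale)}


def demo():
    """Build a constructed backup, verify it, damage it, verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "patients.sql"), "w") as f:
            f.write("-- constructed sample dump\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[ehr]\nversion=1\n")
        taken = 1_000_000.0  # constructed timestamp for the backup
        # Round-trip through JSON, as a manifest stored on disk would be
        manifest = json.loads(json.dumps(build_manifest(root, taken_at=taken)))
        clean = verify_backup(root, manifest, max_age_seconds=86400, now=taken + 3600)
        # Simulate one file overwritten and one deleted, checked a week later
        with open(os.path.join(root, "db", "patients.sql"), "w") as f:
            f.write("ENCRYPTED\n")
        os.remove(os.path.join(root, "config.ini"))
        damaged = verify_backup(root, manifest, max_age_seconds=86400,
                                now=taken + 8 * 86400)
    return clean, damaged


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged"), demo()):
        print(label, json.dumps(result))
```

A check like this only proves the copy matches what was recorded; it does not prove the application can start from it, so it belongs alongside a periodic restore test on an isolated host, and the manifest itself should live somewhere the backed-up systems cannot write to.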
Health Care Needs a Security Perspective
Dirk Schrader, global vice president of security research at New Net Technologies (NNT), noted that workflows and processes tend to evolve and expand to cover more digitalized devices and databases without the perspective of a security team being included.
“As health care is quite divided between service providers for radiology, specialty physicians working in several hospitals, etc., just to name a few, there is plenty of room for further mistakes in this evolution,” he said.
Schrader warned that recent stories about successful takedowns of ransomware groups might even increase the risk, as health care organizations lower their guard, assuming this risk is going to be mitigated on a different level.
“In no other sector is the dependency on IT systems and networks so tightly related to the life and death of a country’s population,” he said. “In what seems to be spoiled logic, this is also the reason why health care is a prime target, as the attackers consider these to have higher chances of resulting in a payment.”