Recently, ransomware has been all over the news, with high-profile cases attracting more and more attention. And although ransomware can affect anyone, healthcare providers face dangers few other industries must cope with.
When hospitals, 911-call centers, and long-term care facilities are hit, the health and lives of patients are put on the line.
Making matters worse, strict privacy laws protecting patients also place added burdens on healthcare organizations. This happens when attackers export patient data – and most attackers will.
Not only do providers suffer potential HIPAA violations, but ransomware attackers are now adding additional pressure by notifying patients that their data may be leaked.
The victims of these attacks can find themselves struggling for weeks to restore their systems, and even paying ransom demands might not help. Healthcare IT managers need to stay informed and monitor their systems for signs of attack to prevent becoming the next victim.
FBI Flash Alert for Healthcare Providers
Ransomware attacks surged in 2020, and yet the first half of 2021 is already 102% higher. To counter this trend, the FBI issued a flash alert on May 20 to warn medical providers about Conti ransomware.
In the last year, Conti malware struck at least 16 healthcare providers, including 911 dispatchers and emergency medical services providers. Their attacks reinforce a 2019 trend that saw people outside an organization surpass insiders (both intentional and accidental) as the primary cause of healthcare data breaches.
Out of 472 confirmed breaches in 2020, 86% were caused by external attackers. Their primary attack? Ransomware.
Because healthcare networks tend to maintain legacy devices that can’t be fully upgraded, researchers note that these older systems remain vulnerable to many forms of attack.
Notable Healthcare Victims
At the beginning of May, San Diego-based Scripps Health suffered a network outage caused by a ransomware attack.
Nearly a month later, the organization is still struggling to return online, while their Electronic Health Records system remains partially out of action.
CEO Chris Van Gorder admits they may not be fully recovered, but also refuses to provide any specifics about the ransomware. But this refusal is born of necessity, not embarrassment. In addition to the initial attack, others are sending scam emails to Scripps Health, also demanding ransom payments.
Such actions magnify an already painful situation.
On the other side of the Pacific, New Zealand’s Waikato District Health Board experienced a complete outage of its IT system. Although they have been able to maintain clinics and acute surgeries, some patients needed to be rerouted to other healthcare providers.
To further the extortion attempt, attackers even began releasing patient information to the media. Thankfully, the media refused to publish the information.
New Zealand’s Privacy Commissioner subsequently warned that any healthcare provider without adequate security levels could be prosecuted.
Eroding Safety Nets
Organizations hoping to simply pay a ransom demand could be in for a rude surprise.
Not only do some decryptors fail to work, many recent victims have found the decryption so slow they had to resort to backups anyway.
In mid-May, the national healthcare system of Ireland, found themselves struck by the Conti ransomware gang. Apparently second-guessing what they had done, the attackers released a free decryptor and apologized for targeting a government agency.
However, the damage was already done. The decryptor was too slow to be of practical use.
However, poor decryptors may soon be joined by a more direct financial headache. Insurers are rethinking how they offer cyberinsurance policies.
Although the FBI and other global law enforcement agencies discourage ransomware payments, many companies still feel compelled to pay up. Often, they use cyberinsurance policies to cover the costs.
But the sharp increase in ransom demands over the past few years has had consequences – most insurers are increasing their prices by 10-30%.
American International Group, Inc. now requires a 50% co-insurance for companies that fail to maintain appropriate security measures. Additionally, Marsh LLC notes a “sharp pivot in underwriting strategies” to identify risks and vulnerabilities in their customers.
As the cybersecurity insurance market matures, companies could be forced to upgrade their security in order to retain coverage.
Vigilance and Maintenance
Attacks continue to rise, leaving healthcare as a vulnerable target. When attackers succeed, both the organization and their patients suffer.
Fortunately, it is possible to counter attackers through strong IT fundamentals. Critical bugs such as the one VMware recently patched must constantly be strengthened and fixed.
Monitoring systems for attack, network isolation of vulnerable legacy systems, and prompt patching of new vulnerabilities limit the opportunities and the effectiveness of attackers.
Call 412-349-6680 or fill out the form below to let us know how we can help your organization meet its IT and security goals.