Health care is a critical national infrastructure along with sectors such as electricity and water. This makes it an attractive target for cybercriminals who want to wreak havoc, as seen in the recently aired winter finale of “Grey’s Anatomy” on the ABC Television Network.

The episode showcased a dramatic, worst-case scenario of cardiac monitors malfunctioning, medical records inaccessible and held hostage for a ransom, and all servers being aggressively hacked. However, the reality is that when a cyberattack occurs, medical devices and equipment connected to a hospital network can be taken over, tampered with and harmfully exploited. Health data is exceptionally valuable, and its theft is the most common type of cybertheft. As more devices and endpoints become connected, health systems can be left massively vulnerable to more persistent threats to patients.

The WannaCry ransomware attack that struck on May 12 and quickly spread around the world was anything but routine. Heretofore, most ransomware attacks were initiated after a successful phishing effort; that wasn’t the case with WannaCry. Ransomware attacks are generally confined and targeted, but this one, to date, has hit more than 100,000 organizations in over 150 countries.

Health Care and Ransomware: A Marriage Made in Hades

However, there is one aspect of this attack that may well become disturbingly routine: The targeting of hospitals and health care providers with ransomware onslaughts. What started as a few isolated ransomware attacks against health care organizations in 2015 grew to several more last year.

The widespread proliferation of WannaCry has only solidified ransomware as a formidable threat to the health care industry. This malware has hit several health care providers, none harder than the U.K.’s National Health Service, which had to decline outpatient visits on May 12. To a lesser extent, other organizations in India and China were among the targets.

Ransomware attacks in general are growing exponentially. More than 4,000 ransomware attacks occur daily in the U.S., and health care is the largest target, as reported by Healthcare IT News. Cybercriminals have clearly found a sweet spot in health care, with the industry now plagued by cyberattacks of a scope, severity and variety unimaginable even a few years ago. Such an unwanted relationship seems like a marriage made in Hades. This sharp increase is driven by the relatively low cost of launching most ransomware attacks and the great difficulty law enforcement faces in finding perpetrators.

Health Care: A Prime Target for Ransomware

There are several good reasons for ransomware attackers to target health care organizations. The most obvious is the mission-critical administrative and clinical systems within them. If those systems are compromised or rendered useless by ransomware encryption, entire care delivery work processes can be interrupted, and patients will suffer. The consequences are far different from those for a business that counts lost revenue when systems go down or are taken down. Faced with the choice of paying relatively little money in hopes of getting their systems back or facing possibly dire consequences, health care professionals often pay attackers when they fail to take adequate steps in anticipation of such an incident.

Second, health care organizations are still lagging in their adoption of data security solutions. In fact, a KPMG report found that hospitals invest as little as one-tenth the amount spent by other industries on data security. This is a real conundrum, given the high value of medical records and the fact that health care professionals need this data to continue serving patients. However, decision-makers on executive boards face hard choices for capital investment and can easily give short shrift to security spending in favor of revenue-producing investments, such as a new MRI device. Ransomware attackers are quickly becoming aware of such investment deficiencies.

Inadequate funding also means that health care organizations often have a relatively high volume of older infrastructure, including software. Moreover, many health care organizations find it challenging to maintain their critical infrastructure while ensuring no downtime for patching and data backup. Network segmentation, high availability and disaster recovery planning are key to protecting sensitive data. It was unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems that opened the door for WannaCry.

According to John Halamka, the noted chief information officer (CIO) of Boston’s Beth Israel Deaconess Medical Center, “Some mission critical systems were created years ago and never migrated to modern platforms. In 2017, there are still commercial products that require Windows XP, for which few patches are available.”

Despite these and other factors that make health care a prime target for ransomware attackers, U.S. organizations were largely spared the wrath of WannaCry, except for a few labs and users of certain medical devices. One reason is that the attack first unfolded in Europe before spreading elsewhere, giving U.S. organizations a bit more time to double down on their defenses. Also, it appears that U.S. health organizations may have applied Microsoft patch MS17-010 more aggressively than did their international counterparts.

Minimizing the Threat of Ransomware

Now that the spread of WannaCry appears to have dissipated, security professionals must ask what they can do to mitigate ransomware.

IBM has been reaching out to clients and taking calls every day to make sure they know the steps to take to significantly minimize the threat of ransomware attacks. These steps include:

  • Patching: All health care organizations should be sure to patch the vulnerability right away. We use an automation tool, which has kept our customers pretty safe, since the malware in this case needs an unpatched vulnerability. This is critical to stop the ransomware when it reactivates.
  • Blocking: For any unpatched systems, blocking is the next line of defense. Health care organizations should ensure that all signatures are up to date on their antivirus systems and network blocking technologies.
  • Monitoring: We’re getting accurate reads from our security operations centers (SOCs), which leverage deep security analytics and Watson to help detect these patterns as they emerge.
  • Response: Organizations should consult with security advisers to devise an optimal response playbook that aligns with business processes and strict compliance requirements.

These steps are pragmatic and can be implemented in each facility, given the right skills and a valid action plan. Had more organizations victimized by WannaCry followed these practices, fewer of them would have suffered severe damages or had to pay for the safe return of their data.

Learn More

IBM published a comprehensive, free Ransomware Response Guide that is a good read for all CIOs, CISOs and others responsible for data security in health care. To learn more about the WannaCry outbreak, watch our series of on-demand webinars.

Health care organizations should use a holistic enterprise approach to implement their security strategy. IBM developed a health care security immune system to address the major pain points in the industry. Additionally, cognitive and augmented intelligence in the core of each enterprise security system has become essential to transform defense capabilities and help win the war on cybercrime.
