Health care is a critical national infrastructure along with sectors such as electricity and water. This creates an attractive target for cybercriminals who want to wreak havoc, such as what was seen in the recently aired winter finale of “Grey’s Anatomy” on the ABC Television Network.
The episode showcased a dramatic, worst-case scenario of cardiac monitors malfunctioning, medical records inaccessible and held hostage for a ransom, and all servers being aggressively hacked. However, the reality is that when a cyberattack occurs, medical devices and equipment connected to a hospital network can be taken over, tampered with and harmfully exploited. Health data is exceptionally valuable and is the most common type of cybertheft. As more devices and endpoints become connected, health systems can be left massively vulnerable to more persistent threats to patients.
The WannaCry ransomware attack that struck on May 12 and quickly spread around the world was anything but routine. Heretofore, most ransomware attacks were initiated after a successful phishing effort; that wasn’t the case with WannaCry. Ransomware attacks are generally confined and targeted, but this one, to date, has hit more than 100,000 organizations in over 150 countries.
Health Care and Ransomware: A Marriage Made in Hades
However, there is one aspect of this attack that may well become disturbingly routine: The targeting of hospitals and health care providers with ransomware onslaughts. What started as a few isolated ransomware attacks against health care organizations in 2015 grew to several more last year.
The widespread proliferation of WannaCry has only solidified ransomware as a formidable threat to the health care industry. This malware has hit several health care providers, none harder than the U.K.’s National Health Service, which had to decline outpatient visits on May 12. To a lesser extent, other organizations in India and China were among the targets.
Ransomware attacks in general are growing exponentially. More than 4,000 ransomware attacks occur daily in the U.S., and health care is the largest target, as reported by Healthcare IT News. Cybercriminals have clearly found a sweet spot in health care, with the industry now plagued by cyberattacks of a scope, severity and variety unimaginable even a few years ago. Such an unwanted relationship seems like a marriage made in Hades. This sharp increase is driven by the relatively low cost of launching most ransomware attacks and the great difficulty law enforcement faces in finding perpetrators.
Health Care: A Prime Target for Ransomware
There are several good reasons for ransomware attackers to target health care organizations. The most obvious is the mission-critical administrative and clinical systems within them. If those systems are compromised or rendered useless by ransomware encryption, entire care delivery processes can be interrupted, and patients will suffer. The consequences are far different from those for a business that counts lost revenue when systems go down or are taken down. Faced with the choice of paying relatively little money in hopes of getting their systems back or facing possibly dire consequences, health care professionals often pay attackers when they fail to take adequate steps in anticipation of such an incident.
Second, health care organizations are still lagging in their adoption of data security solutions. In fact, a KPMG report found that hospitals invest as little as one-tenth the amount spent by other industries on data security. This is a real conundrum, given the high value of medical records and the fact that health care professionals need this data to continue serving patients. However, decision-makers on executive boards face hard choices for capital investment and can easily give short shrift to security spending in favor of revenue-producing investments, such as a new MRI device. Ransomware attackers are quickly becoming aware of such investment deficiencies.
Inadequate funding also means that health care organizations often have a relatively high volume of older infrastructure, including software. Moreover, many health care organizations find it challenging to maintain their critical infrastructure while ensuring no downtime for patching and data backup. Network segmentation, high availability and disaster recovery planning are key to protecting sensitive data. It was unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems that opened the door for WannaCry.
According to John Halamka, the noted chief information officer (CIO) of Boston’s Beth Israel Deaconess Medical Center, “Some mission critical systems were created years ago and never migrated to modern platforms. In 2017, there are still commercial products that require Windows XP, for which few patches are available.”
Despite these and other factors that make health care a prime target for ransomware attackers, U.S. organizations were largely spared the wrath of WannaCry, except for a few labs and users of certain medical devices. One reason is that the attack first unfolded in Europe before spreading elsewhere, giving U.S. organizations a bit more time to double down on their defenses. Also, it appears that U.S. health organizations may have applied Microsoft patch MS17-010 more aggressively than did their international counterparts.
Minimizing the Threat of Ransomware
Now that the spread of WannaCry appears to have dissipated, security professionals must ask what they can do to mitigate ransomware.
IBM has been reaching out to clients and taking calls every day to make sure they know the steps to take to significantly minimize the threat of ransomware attacks. These steps include:
- Patching: All health care organizations should be sure to patch the vulnerability right away. We use an automation tool, which has kept our customers pretty safe since the malware, in this case, needs an unpatched vulnerability. This is critical to stop the ransomware when it reactivates.
- Blocking: For any unpatched systems, blocking is the next line of defense. Health care organizations should ensure that all signatures are up to date on their antivirus systems and network blocking technologies.
- Monitoring: We’re getting accurate reads from our security operations centers (SOCs), which leverage deep security analytics and Watson to help detect these patterns as they emerge.
- Response: Organizations should consult with security advisers to devise an optimal response playbook that aligns with business processes and strict compliance requirements.
These steps are pragmatic and can be implemented in each facility, given the right skills and valid action plan. Had more organizations victimized by WannaCry followed these practices, fewer of them would have suffered severe damages or had to pay for the safe return of their data.
IBM published a comprehensive, free Ransomware Response Guide that is a good read for all CIOs, CISOs and others responsible for data security in health care. To learn more about the WannaCry outbreak, watch our series of on-demand webinars.
Health care organizations should use a holistic enterprise approach to implement their security strategy. IBM developed a health care security immune system to address the major pain points in the industry. Additionally, cognitive and augmented intelligence in the core of each enterprise security system has become essential to transform defense capabilities and help win the war on cybercrime.