Ransomware and Health Care: There’s More at Risk Than Just Money

Although they still target medical records, cybercriminals are quickly realizing there is fast money to be made not just in stealing health care data, but also in shutting down hospitals completely and then waiting to be paid.

With ransomware, there’s more at risk than just money. Patient safety, reputation and the rising costs of potential fines are pushing health care organizations to take a fresh look at their security programs and make the required investments to prevent ransomware attacks.

With strapped budgets, planning protection, prevention and emergency response for critical IT systems is not all that different from planning for a potential physical medical emergency.

Health Care Data Under Attack

In a prepared statement, Jocelyn Samuels, Director of the HHS Office for Civil Rights, said: “One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware.”

Prevention and protection are essential, since paying cybercriminals doesn’t always guarantee getting your information back. Researchers have discovered a ransomware variant that just deletes your files even if you pay, Dark Reading reported.

The health care industry continues to undergo significant changes in security risk, driven by rapid digitization, changing patient expectations, regulatory pressures from the Health Insurance Portability and Accountability Act (HIPAA) and limited budgets.

Numbers Don’t Lie

Health care breaches, once in the top 10, have moved to No. 1 in terms of the number of records compromised. These breaches represent a big payoff for cybercriminals, according to the 2016 IBM X-Force Cyber Security Intelligence Index. Considering a stolen medical record is worth more than 10 times a stolen credit card, it’s easy to see why health care is a prime target.

Health care record theft is up 1,100 percent this past year, with more than 100 million records compromised worldwide, according to X-Force research. Stated another way, every third person had a health care record compromised in 2015.

In addition, health care security spending is at times as little as one-tenth what other industries spend, a KPMG study found. With limited technical staff, the need for easy physician and patient access, and an infrastructure that by nature has to include integrated components from multiple vendors, health care is an easy target for cybercrime.

Ransomware and Health Care: An Unhealthy Combination

Even though medical records contain rich personal health information (PHI) that can be sold for high value, cybercriminals are discovering they can get faster payment through ransomware. Unlike stolen medical records, which take time to acquire and commoditize, ransomware locks health care organizations out of critical systems and demands payment or action immediately.

Although ransomware has been around more than 10 years, its recent rise in health care is significant since physicians are so dependent on critical, real-time patient data such as scheduling, lab results and pharmacy orders.

Without access to computerized patient data, many hospitals and clinics are frozen in their tracks. Unlike other industries where access to data is not as time critical, being locked out of patient data could be life threatening. Data criticality and limited cybersecurity programs make health care a prime target for ransomware, and this risk will continue to increase.


Common Tactics

In a ransomware attack, how do cybercriminals attack health care infrastructure, encrypt data and then demand payment to recover access?

Although the standard vector is malicious email attachments — the most common being Word documents, Adobe files, archives and JavaScript — other vectors include links to booby-trapped websites, compromised websites, malicious web ads, malware links in social networking posts and unpatched versions of Microsoft Office and Adobe Reader or Flash.

According to IBM X-Force data, 28 percent of overall vulnerability disclosures in 2015 affected web applications. Once an organization is infected, the data can be encrypted, with the cybercriminals willing to swap the decryption key for untraceable bitcoin.

Ransomware on the Rise

So why is ransomware on the rise in health care? A recent survey carried out by the University of Kent found that 41 percent of respondents hit by this type of malware paid the ransom. Each payment encourages future attackers to do the same thing. Ransomware takes less time and effort compared to stealing medical records, so the cost/benefit is favorable for cybercriminals.

At least eight hospitals have already been hit in 2016, and these are only the subset that have reported a compromise to the press. The CryptoLocker strain of ransomware alone extorted some $27 million in just six months from those organizations whose data was taken hostage.

The FBI reported that incidents of ransomware are on the rise. One of the biggest problems is that simply paying the ransom doesn’t always fix the issue. Some hospitals that paid the ransom were more than disappointed when the cybercriminals came back and demanded additional payments.

The problem is even bigger than previously reported. According to Reuters, “the Health Information Trust Alliance conducted a study of some 30 midsized U.S. hospitals late last year and found that 52 percent of them were infected with malicious software,” which is a vector for ransomware attacks.

Prevention and Protection

The standard ransomware process follows three common steps: infection, execution and payoff.

Although one option is paying the ransom, it is far better not to be attacked in the first place, especially with new ransomware versions that just delete your data regardless of payment.

Prevention is the key! To implement an effective prevention and protection strategy, you should:

  • Train users about the risk.
  • Implement consistent data backups.
  • Block executable attachments.
  • Keep systems patched (especially JBoss web servers, which are common in health care).
  • Keep antivirus solutions updated.
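One way to operationalize the "block executable attachments" control above, as an added example that is not from the original post or from IBM: a mail-gateway style attachment screen that checks both the declared extension and the file's own header, so the attachment types named under Common Tactics (Word documents, Adobe PDFs, archives and JavaScript) are blocked or quarantined rather than delivered. The extension sets, verdict names and sample attachments are assumptions constructed for this example.

```python
import io
import zipfile
# Extensions that run code directly when a user opens them on a Windows desktop (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "cpl", "bat", "cmd", "hta", "msi",
                   "js", "jse", "vbs", "vbe", "wsf", "ps1"}
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm", "ppsm"}   # macro-enabled Office
ARCHIVE_EXTS = {"zip", "rar", "7z", "gz", "tgz", "cab", "iso"}

def _ext(name: str) -> str:
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""

def classify_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'.
    The declared extension is checked first, then the file's own header, so a
    renamed executable ('scan.pdf.exe', or 'scan.pdf' holding a PE) is caught."""
    ext = _ext(filename)
    if ext in EXECUTABLE_EXTS:                       # 1. executable by name
        return "block", f"executable extension .{ext}"
    if data[:2] == b"MZ" or data[:4] == b"\x7fELF":  # 2. executable by content
        return "block", f"executable header despite extension .{ext or 'none'}"
    if ext in MACRO_EXTS:                            # 3. macro-enabled Office
        return "quarantine", f"macro-enabled Office format .{ext}"
    if data[:2] == b"PK":                            # 4. zip: OOXML doc or archive
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "quarantine", "corrupt or truncated zip container"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "quarantine", "Office document contains a VBA macro project"
        nested = [n for n in names if _ext(n) in EXECUTABLE_EXTS]
        if nested:
            return "block", f"archive contains executable: {nested[0]}"
    if ext in ARCHIVE_EXTS:                          # 5. any other archive
        return "quarantine", "archive attachment requires manual review"
    if data[:5] == b"%PDF-" and (b"/JavaScript" in data or b"/Launch" in data):
        return "quarantine", "PDF contains JavaScript or a Launch action"  # 6. active PDF
    return "allow", "no executable content detected"

def build_zip(files: dict) -> bytes:   # in-memory zip, used only to construct samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":   # constructed samples, not real mail
    macro_docx = build_zip({"word/document.xml": "", "word/vbaProject.bin": b"\x00"})
    print(classify_attachment("labs.docx", macro_docx))
    print(classify_attachment("scan.pdf", b"MZ\x90\x00"))
```

Verdicts are deliberately coarse: "quarantine" hands a file to a reviewer rather than silently dropping a legitimate macro-enabled spreadsheet from a lab partner.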

The IBM X-Force Incident Response Service’s white paper, “Ransomware Response Guide,” provides additional preventative and containment measures.

Although user training, investment in preparedness, and implementation of key security controls and practices will not guarantee the prevention of an attempted breach, they will make it much more difficult for those who wish to target your organization, your patients and your staff.

Michael Ash

Associate Partner, Security Strategy Risk & Compliance, IBM

With more than 25 years of technical expertise, Dr. Mike Ash has experience in all phases of complex information systems lifecycle and product management. He is currently an Associate Partner in IBM’s Security Strategy Risk and Compliance group, specializing in cybersecurity for North America in both healthcare and pharma. During his career, he has led large-scale network and application development teams leveraging business, clinical, and technical expertise. He has functioned as a Solution Architect and Project Manager for varied IT and software development projects in the U.S. as well as Asia and EMEA, developing markets in various verticals. He has experience in multiple standards, including NIST, ISO, HIPAA, FISMA, and FedRAMP. Mike has leveraged his healthcare and system engineering expertise to solve complex problems in the medical and pharmaceutical space.