Although they still target medical records, cybercriminals are quickly realizing there is fast money to be made not just in stealing health care data, but also in shutting down hospitals completely and then waiting to be paid.

With ransomware, there’s more at risk than just money. Patient safety, reputation and the rising costs of potential fines are pushing health care organizations to take a fresh look at their security programs and make the required investments to prevent ransomware attacks.

Given strapped budgets, planning protection, prevention and emergency response for critical IT systems is not all that different from planning for a potential physical medical emergency.

Health Care Data Under Attack

In a prepared statement, Jocelyn Samuels, Director of the HHS Office for Civil Rights, said: “One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware.”

Prevention and protection are essential, since paying cybercriminals doesn’t always guarantee getting your information back. Researchers have discovered a ransomware variant that just deletes your files even if you pay, Dark Reading reported.

The health care industry continues to undergo significant changes in security risk, driven by rapid digitization, changing patient expectations, regulatory pressure from the Health Insurance Portability and Accountability Act (HIPAA) and limited budgets.

Numbers Don’t Lie

Health care breaches, once in the top 10, have moved to No. 1 in terms of the number of records compromised. These breaches represent a big payoff for cybercriminals, according to the 2016 IBM X-Force Cyber Security Intelligence Index. Considering a stolen medical record is worth more than 10 times a stolen credit card, it’s easy to see why health care is a prime target.

Health care record theft is up 1,100 percent this past year, with more than 100 million records compromised worldwide, according to X-Force research. Stated another way, every third person had a health care record compromised in 2015.

In addition, health care security spending is at times as little as one-tenth of what other industries spend, a KPMG study found. With limited technical staff, the need for easy physician and patient access, and an infrastructure that by nature has to include integrated components from multiple vendors, health care is an easy target for cybercrime.

Ransomware and Health Care: An Unhealthy Combination

Even though medical records contain rich personal health information (PHI) that can be sold for high value, cybercriminals are discovering they can get paid faster through ransomware. Unlike stolen medical records, which take time to acquire and commoditize, ransomware locks health care organizations out of critical systems and demands payment or action immediately.

Although ransomware has been around for more than 10 years, its recent rise in health care is significant because physicians are so dependent on critical, real-time patient data such as scheduling, lab results and pharmacy orders.

Without access to computerized patient data, many hospitals and clinics are frozen in their tracks. Unlike other industries where access to data is not as time critical, being locked out of patient data could be life threatening. Data criticality and limited cybersecurity programs make health care a prime target for ransomware, and this risk will continue to increase.


Common Tactics

In a ransomware attack, how do cybercriminals attack health care infrastructure, encrypt data and then demand payment to recover access?

Although the standard vector is malicious email attachments — the most common being Word documents, Adobe files, archives and JavaScript — other vectors include links to booby-trapped websites, compromised websites, malicious web ads, malware links in social networking posts and unpatched versions of Microsoft Office and Adobe Reader or Flash.

According to IBM X-Force data, 28 percent of all vulnerability disclosures in 2015 targeted web applications. Once an organization is infected, its data can be encrypted, with the cybercriminals offering to swap the decryption key for untraceable bitcoin.

Ransomware on the Rise

So why is ransomware on the rise in health care? A recent survey carried out by the University of Kent found that 41 percent of respondents hit by this type of malware paid the ransom. Each payment encourages future attackers to do the same thing. Ransomware takes less time and effort compared to stealing medical records, so the cost/benefit is favorable for cybercriminals.

At least eight hospitals have already been hit in 2016, and these are only the subset that have reported a compromise to the press. The CryptoLocker strain of ransomware alone extorted some $27 million in just six months from organizations whose data was taken hostage.

The FBI reported that incidents of ransomware are on the rise. One of the biggest problems is that simply paying the ransom doesn’t always fix the issue. Some hospitals that paid the ransom were more than disappointed when the cybercriminals came back and demanded additional payments.

The problem is even bigger than previously reported. According to Reuters, “the Health Information Trust Alliance conducted a study of some 30 midsized U.S. hospitals late last year and found that 52 percent of them were infected with malicious software,” which is a vector for ransomware attacks.

Prevention and Protection

The standard ransomware process follows three common steps: infection, execution and payoff.

Although one option is paying the ransom, it is far better not to be attacked in the first place, especially with new ransomware versions that just delete your data regardless of payment.

Prevention is the key! To implement an effective prevention and protection strategy, you should:

  • Train users about the risk.
  • Implement consistent data backups.
  • Block executable attachments.
  • Keep systems patched (especially JBoss web servers, which are common in health care).
  • Keep antivirus solutions updated.
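The "block executable attachments" control above, worked through as an added example that is not code from the article or from IBM: a mail-gateway check that parses a constructed message and quarantines attachments by blocked extension, by the Windows PE magic bytes regardless of the filename, and by looking inside ZIP containers (plain archives and Office OOXML files) for scripts or VBA projects. The blocklist, the sample message and its addresses are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: native executables, the script types the article names, macro-enabled Office docs.
BLOCKED_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1", ".docm", ".xlsm"}

def _ext(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""

def attachment_verdicts(raw_message):
    """Return (filename, reason) for each attachment the policy would quarantine."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in BLOCKED_EXT:
            findings.append((name, f"blocked extension {ext}"))
        elif data[:2] == b"MZ":
            # Windows PE header: executable content whatever the filename claims
            findings.append((name, "PE executable content (MZ header)"))
        elif data[:2] == b"PK":
            # ZIP container (plain archive or OOXML document): inspect its members
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner = [n for n in zf.namelist()
                             if _ext(n) in BLOCKED_EXT or n.lower().endswith("vbaproject.bin")]
            except zipfile.BadZipFile:
                inner = []
            if inner:
                findings.append((name, "archive contains " + ", ".join(inner)))
    return findings

def build_sample_message():
    """Constructed test message (not a real capture): renamed PE, ZIP with a script, benign PDF."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.invalid", "clinic@example.invalid", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application", subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder, not a script")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

Running `attachment_verdicts(build_sample_message())` flags the disguised PE and the archive while letting the plain PDF through; the same check runs unchanged on any raw RFC 5322 message bytes pulled from a gateway.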

The IBM X-Force Incident Response Service’s white paper, “Ransomware Response Guide,” provides additional preventative and containment measures.

Although user training, investment in preparedness, and implementation of key security controls and practices will not guarantee the prevention of an attempted breach, they will make it much more difficult for those who wish to target your organization, your patients and your staff.
