Although they still target medical records, cybercriminals are quickly realizing there is fast money to be made not just in stealing health care data, but also in shutting down hospitals completely and then waiting to be paid.

With ransomware, there’s more at risk than just money. Patient safety, reputation and the rising costs of potential fines are pushing health care organizations to take a fresh look at their security programs and make the required investments to prevent ransomware attacks.

Thanks to strapped budgets, planning protection, prevention and emergency response for critical IT systems is not all that different than planning for a potential physical medical emergency.

Health Care Data Under Attack

In a prepared statement, Jocelyn Samuels, Director of the HHS Office for Civil Rights, said: “One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware.”

Prevention and protection are essential, since paying cybercriminals doesn’t always guarantee getting your information back. Researchers have discovered a ransomware variant that just deletes your files even if you pay, Dark Reading reported.

The health care industry continues to undergo significant changes in security risk, driven by rapid digitization, changing patient expectations, regulatory pressures from Health Insurance Portability and Accountability Act (HIPAA) and limited budgets.

Numbers Don’t Lie

Health care breaches, once in the top 10, have moved to No. 1 in terms of the number of records compromised. These breaches represent a big payoff for cybercriminals, according to the 2016 IBM X-Force Cyber Security Intelligence Index. Considering a stolen medical record is worth more than 10 times a stolen credit card, it’s easy to see why health care is a prime target.

Health care record theft is up 1,100 percent this past year, with more than 100 million records compromised worldwide, according to X-Force research. Stated another way, every third person had a health care record compromised in 2015.

In addition, health care security spending is at times as little as one-tenth what other industries spend, a KPMG study found. With limited technical staff, the need for easy physician and patient access, and an infrastructure that by nature has to include integrated components from multiple vendors, health care is an easy target for cybercrime.

Ransomware and Health Care: An Unhealthy Combination

Even though medical records contain rich personal health information (PHI) that can be sold for high value, cybercriminals are discovering they can get faster payment through ransomware. Unlike stolen medical records that take time to acquire and commoditize, ransomware locks health care out of critical systems and demands payment or action immediately.

Although ransomware has been around more than 10 years, its recent rise in health care is significant since physicians are so dependent on critical, real-time patient data such as scheduling, lab results and pharmacy orders.

Without access to computerized patient data, many hospitals and clinics are frozen in their tracks. Unlike other industries where access to data is not as time critical, being locked out of patient data could be life threatening. Data criticality and limited cybersecurity programs make health care a prime target for ransomware, and this risk will continue to increase.

Download the complete Ransomware Response Guide from IBM Incident Response Services

Common Tactics

In a ransomware attack, how do cybercriminals attack health care infrastructure, encrypt data and then demand payment to recover access?

Although the standard vector is malicious email attachments — the most common being Word documents, Adobe files, archives and JavaScript — other vectors include links to booby-trapped websites, compromised websites, malicious web ads, malware links in social networking posts and unpatched versions of Microsoft Office and Adobe Reader or Flash.

According to IBM X-Force data, 28 percent of overall vulnerability disclosures in 2015 targeted web applications. Once an organization is infected, the data can be encrypted, with the cybercriminals willing to swap decryption key for untraceable bitcoin.

Ransomware on the Rise

So why is ransomware on the rise in health care? A recent survey carried out by the University of Kent found that 41 percent of respondents hit by this type of malware paid the ransom. Each payment encourages future attackers to do the same thing. Ransomware takes less time and effort compared to stealing medical records, so the cost/benefit is favorable for cybercriminals.

There have been at least eight hospitals already hit in 2016, and these are only the subset that have reported a compromise to the press. The CryptoLocker strain of ransomware alone stole some $27 million in just six months from those organizations whose data was taken hostage.

The FBI reported that incidents of ransomware are on the rise. One of the biggest problems is that simply paying the ransom doesn’t always fix the issue. Some hospitals that paid the ransom were more than disappointed when the cybercriminals came back and demanded additional payments.

The problem is even bigger than previously reported. According to Reuters, “the Health Information Trust Alliance conducted a study of some 30 midsized U.S. hospitals late last year and found that 52 percent of them were infected with malicious software,” which is a vector for ransomware attacks.

Prevention and Protection

The standard ransomware process follows three common steps: infection, execution and payoff.

Although one option is paying the ransom, it is far better not to be attacked in the first place, especially with new ransomware versions that just delete your data regardless of payment.

Prevention is the key! To implement an effective prevention and protection strategy, you should:

  • Train users about the risk.
  • Implement consistent data backups.
  • Block executable attachments.
  • Keep systems patched (especially J-Boss web servers, which are common in health care).
  • Keep antivirus solutions updated.

The IBM X-Force Incident Response Service’s white paper, “Ransomware Response Guide,” provides additional preventative and containment measures.

Although user training, investment in preparedness, and implementation of key security controls and practices will not guarantee the prevention of an attempted breach, it will make it much more difficult for those who wish to target your organization, your patients and your staff.

Watch the on-demand webinar to learn more about digital extortion and how to respond

More from Healthcare

Cost of a data breach 2023: Healthcare industry impacts

3 min read - Data breaches are becoming more costly across all industries, with healthcare in the lead. The 2023 Cost of a Data Breach Report analyzes data collected from March 2022 to March 2023. Healthcare remains a top target for online criminal groups. These data breach costs are the highest of any industry and have increased for the 13th consecutive year. Healthcare is a highly regulated industry that the U.S. government considers critical infrastructure. As such, recent federal privacy standards, security standards and…

Cyberattackers target the Latin American health care sector

3 min read - Cyberattacks on the healthcare sector are a growing threat in Latin America, and the large amount of confidential data these organizations handle makes these attacks a top concern. The value of healthcare data in the illegal market, such as the personal, medical and financial information of patients and healthcare companies, creates an appealing target for threat actors. This can have serious consequences for the privacy and information security of these organizations. Cyberattacks could lead to reputational risks, interruption of operations,…

Increasingly sophisticated cyberattacks target healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

Reporting healthcare cyber incidents under new CIRCIA rules

4 min read - Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022. While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today