By Joseph Carson, Chief Security Scientist (CSS) & Advisory CISO, ThycoticCentrify
The past year, especially during the height of the pandemic, has been particularly tough on the healthcare industry, which saw a surge in virus-related health cases and in ransomware attacks. With the global pandemic already straining health systems, opportunistic cybercriminals took advantage by routinely targeting hospitals, vaccine research labs, vaccine cold storage units, and delivery supply chains in order to hold critical and private patient data for ransom.
According to a recent report, ransomware attacks cost U.S. healthcare organizations $20.8 billion in 2020, impacting more than 18 million patients and accounting for a 470 percent increase in incidents from 2019. One of the most significant attacks in the sector last year was the Universal Health Services attack, which compromised more than 400 hospitals and care facilities across the US. The fallout of the incident wreaked havoc on ambulance routes, delayed patient treatment scheduling, rendered lab tests inaccessible, and compromised EHR for UHS-owned facilities across the country. Consequently, Universal Health Services reported reputational, productivity, morale, and financial losses of around $67 million in 2020.
Often, the best way to mitigate risk is to be proactive. Although it is impossible to be 100% attack-proof, several key practices can better prepare healthcare organizations to minimize the risk of ransomware incidents moving forward.
Create a Culture of Education and Awareness
The average healthcare worker is not suitably trained in cyber hygiene and best practices. In fact, it is reported that 61% of employees who have received cybersecurity training failed a basic test, showing that, despite being trained, some security and IT professionals are inadequately equipped to follow and instill security practices. This inadequacy makes them easy prey for cybercriminals looking to access an organization’s network quickly and easily via a phishing attack or clever social engineering. Ensuring that employees at every level receive sufficient training in how to identify malware-laced emails and other rudimentary attempts at credential theft can be a significant step toward reducing the success rate of an attack, or at least raising the alarm early. By normalizing training within the workplace culture, organizations can help maintain vigilance for these practices over the long term.
Patch Regularly and Upgrade Legacy Systems
A significant percentage of healthcare organizations still regularly use outdated operating systems or do not update firmware on connected medical devices, for reasons that include privacy and security concerns. This oversight creates another massive vulnerability, leaving the door wide open for bad actors to penetrate a health organization’s network undeterred. Healthcare facilities can minimize risk by patching all connected devices as soon as updates are available and by deploying the latest supported version of each operating system to devices across the environment. This helps ensure organizations benefit from the newest manufacturer security updates and controls.
Incorporate a Robust Privileged Access Solution
By ensuring that a comprehensive system for monitoring and controlling privileged access credentials is in place, healthcare organizations can significantly lower the success rate and risks of ransomware attacks. Once attackers gain initial access to a network, they begin searching for paths to escalate their privileges, compromise the wider network, and spread the attack. Privileged access management tools can slow that spread and keep ransomware contained at its point of entry (e.g., a single endpoint or set of credentials).
Stronger Passwords and Multi-Factor Authentication
Although addressing them is an incredibly low-tech form of risk mitigation, weak passwords remain the easiest way to compromise a network. Healthcare organizations must ensure their networks are protected with solutions that move passwords into the background, such as privileged access security or password manager solutions. Then, if a password is cracked, brute-forced, or sprayed, multi-factor authentication can plug the gap and help ensure unauthorized access to the network cannot happen as easily.
Boosting our Health Systems
One of the biggest mistakes healthcare security professionals can make is to assume that other personnel and staff have the same understanding of good cyber hygiene as they do. On average, healthcare organizations that paid the ransom could only recover 69% of their data, leaving nearly a third inaccessible. By assuming that every individual is a potential walking vulnerability, security teams can better implement proactive measures and educational programs to keep staff, especially those with privileged access credentials, aware of the various security risks that can materialize at any time.
Healthcare organizations can look to security tools to enforce strong password use, multi-factor authentication (MFA) protocols, and controlled privileged access credentials across all devices, while also ensuring personally identifiable information (PII) and electronic health records (EHR) are stored securely. Additionally, preparing an effective incident response plan before a ransomware attack strikes, keeping backups of critical files securely stored off-site, and enforcing strong passwords and MFA across connected devices are all crucial proactive measures to mitigate risk.
Ultimately, until education, awareness, and strict security regulations universally render existing attack strategies obsolete, we will continue to see threats like spear-phishing, targeted attacks, Ransomware as a Service (RaaS), and social engineering remain the weapons of choice for bad actors.