Health care’s ransomware threat
Industry faces significant risk from ransomware
While other regulated industries have been investing in cybersecurity defenses and strategies, health care organizations, constrained by tight IT budgets, have fallen behind, leaving the industry ill-prepared to handle cyberattacks and an easy target for cybercriminals.
According to ABI Research, health care organizations spend very little on cybersecurity, compared to other regulated industries. Their report claims that cybersecurity spending for health care protection will only reach $10 billion globally by 2020 and that less than 10 percent of that spending will be from the health care industry itself.
The threat is real. Last year, the Health Information Trust Alliance conducted a study of some 30 mid-sized U.S. hospitals and found that 52 percent were infected with malicious software. The most common type of malware was ransomware, which was present in 35 percent of the hospitals included in the study.
Over the last several months there has been a steady stream of attacks on the health care industry, forcing executives to choose between paying the ransom to end the attack and suffering a prolonged outage or a major security breach, with the media scandal that follows.
Hollywood Presbyterian Medical Center in Los Angeles agreed to pay a $17,000 ransom, after its systems were held hostage for more than a week. Others facing the same dilemma included MedStar Health in Washington, D.C., King’s Daughters’ Health in Indiana, Methodist Hospital in Kentucky and Chino Valley and Desert Valley Hospitals in southern California.
If you work in the health care industry or are a business associate, here are four measures your organization should take to mitigate your risk:
• Implement a sound backup and recovery strategy: This is the single most important thing you can do to recover data encrypted by ransomware. Good backups are only half of it; you also need a well thought-out recovery plan, because a backup you do not know how to restore can leave you waiting days or even weeks for your data. Keep at least one backup copy offline or otherwise unreachable with the credentials your users and servers run under, since ransomware that can reach a backup share will encrypt it too. And don't let those plans sit on the shelf gathering dust: test a full restore at least annually, because your backup and recovery requirements change over time.
• Keep antivirus and patching up to date: A current antivirus application, continuously updated with the latest definition files, stops many known ransomware families. Active patch management is just as critical. Confirm that desktops and servers carry the latest operating-system patches as well as application patches for Microsoft Office, Java, Adobe Flash and Adobe Reader, all of which are common exploit-kit and malicious-document targets. Make sure nothing is still running an unsupported operating system such as Windows XP (support ended April 2014) or Windows Server 2003 (July 2015), since those no longer receive security fixes at all.
• Strengthen your human firewall: Even with the best technologies in place, human error is cited as a factor in as many as 95 percent of successful attacks. Since employees are the most common entry point, security awareness training is a critical layer in your organization's cybersecurity strategy. HIPAA's Security Rule in fact requires a security awareness and training program for the entire workforce, and such training has been shown to reduce the likelihood of a successful attack.
Conduct security awareness training annually and reinforce it with periodic simulated phishing emails. Training in safe internet practices keeps employees up to date on the latest scams and vigilant about opening attachments or clicking links from unknown senders, which is how ransomware most often arrives.
• Work with well-equipped cybersecurity vendors: In addition to employing skilled internal experts, consider engaging external teams with broader cybersecurity expertise. No single product prevents attacks today; effective cybersecurity requires a multi-layered defense strategy, so that when one control fails another catches the attack.
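The backup measure above says to test recovery plans rather than let them gather dust. The following is an added example, not code from the original article or from Systems Engineering: a Python script that archives a directory together with a SHA-256 manifest, then performs a restore test into a scratch directory and reports an unreadable archive and any missing, altered or unexpected files. The sample "ehr" directory, its file names and contents, and the simulated ransomware run that overwrites the archive are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_path):
    """Archive source_dir into backup_path (tar.gz) and write a manifest of
    relative path -> SHA-256 beside it, so a later restore test can verify
    every file rather than only that the archive opens. Returns the manifest."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    Path(str(backup_path) + ".manifest.json").write_text(
        json.dumps(manifest, sort_keys=True, indent=2))
    return manifest


def restore_test(backup_path):
    """Restore backup_path into a scratch directory and compare it with the
    manifest. Returns (ok, problems); problems lists an unreadable archive,
    unsafe member names, and missing, altered or unexpected files."""
    manifest = json.loads(Path(str(backup_path) + ".manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(backup_path, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):  # Python 3.12+ safe extraction
                    tar.extraction_filter = tarfile.data_filter
                for m in tar.getmembers():
                    # Refuse members that would escape the scratch directory.
                    if os.path.isabs(m.name) or ".." in Path(m.name).parts:
                        problems.append(f"unsafe member name: {m.name}")
                    elif m.isfile():
                        tar.extract(m, path=scratch)
        except (tarfile.TarError, OSError) as e:
            # A truncated, encrypted or otherwise unreadable archive is
            # exactly the failure a restore test exists to surface.
            return False, [f"archive unreadable: {e}"]
        restored = {
            p.relative_to(scratch).as_posix(): sha256_file(p)
            for p in Path(scratch).rglob("*") if p.is_file()
        }
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"altered: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return not problems, sorted(problems)


def demo():
    """Constructed demonstration: back up a small directory, run a restore
    test, then overwrite the archive as ransomware on the backup share would
    and run the test again. Returns (file_count, result_before, result_after)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "ehr"
        (src / "records").mkdir(parents=True)
        # Constructed sample data, not real patient information.
        (src / "records" / "patient-0001.txt").write_text("constructed sample record\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        backup = work / "ehr-backup.tar.gz"
        manifest = create_backup(src, backup)
        before = restore_test(backup)
        # Simulate ransomware reaching the backup share: the archive is
        # replaced with ciphertext while the manifest still describes it.
        backup.write_bytes(b"RANSOMED" + os.urandom(backup.stat().st_size))
        after = restore_test(backup)
        return len(manifest), before, after


if __name__ == "__main__":
    count, before, after = demo()
    print(f"{count} files backed up")
    print("restore test before tampering:", before)
    print("restore test after tampering:", after)
```

The point of the manifest is that "the backup job reported success" proves nothing once an attacker has had write access to the backup location; only a restore that is checked file by file against hashes recorded at backup time tells you the data is really recoverable. Run the restore test on a schedule, from a host that holds only read access to the backups, and alert on any non-empty problems list.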
Unfortunately, ransomware attacks are here to stay and cybercriminals will continue to target organizations that are easy prey. This presents a dilemma for health executives. Either they’ll be forced to pay up or risk compromising patient privacy and the organization’s reputation.
Ultimately, cybersecurity needs to become a priority and that responsibility rests squarely on the leadership of America’s health care industry.
Mark Benton, a product manager at Maine-based Systems Engineering, can be reached 603-226-0300 or through syseng.com.