How Healthcare Organizations Can Tackle the Rise of Ransomware

By Brad Spannbauer, Senior Director of Product Management, eFax Corporate
Twitter: @eFaxCorporate

The healthcare industry is under constant threat from hacking and cyber-attacks. High volumes of valuable data, stored on systems with lax security controls, make a welcoming proposition for data thieves. In 2017, healthcare data breaches occurred at a rate of more than one per day, totaling close to 500 in all. While in some respects this was a good year – in 2015, for example, there were more than 720 breaches, including the record-breaking Anthem breach, which affected nearly 80 million people – there’s no escaping the fact that, despite best efforts, healthcare organizations are repeatedly failing in their efforts to protect their data.

In fact, healthcare was the most breached of all industries in 2017, accounting for a quarter (24%) of all recorded breaches. For context, the financial industry accounted for just 7% of breaches. Consequently, Personally Identifiable Information (PII) and Protected Health Information (PHI) were the most common types of data compromised in 2017, ahead of both payment card and banking details.

But it’s not just the severity or volume of data breaches that changes year to year; the methods criminals use to access the data, and the techniques they use to monetize it, are changing too – gone are the days when selling banking details on the black market was the only way to make money from cyber crime. One of the biggest threats facing healthcare organizations today is ransomware, where an attacker gains unauthorized access to an organization’s network, blocks access to files and data by encrypting them, and continues to restrict access until a ransom is paid.

The eleventh edition of Verizon’s Data Breach Investigations Report (DBIR) revealed that ransomware attacks are a growing problem, accounting for 85% of all healthcare data breaches involving malware in 2017. Beyond the major inconvenience of a ransomware attack, the payouts can be costly. According to an article in HealthIT Security, earlier this year Indiana-based Hancock Health paid out $55,000 in bitcoin to recover access to more than 1,000 patient files that had been encrypted by the SamSam ransomware. By deliberately targeting the hospital’s backup site as well, the attackers left administrators with no other choice over a busy weekend at the peak of flu season, as doctors and nurses reverted to pen and paper to record patient visits.

Unlike most ransomware, which preys on the vulnerability of unsuspecting staff and is typically distributed via email, SamSam is deployed by attackers who scan the internet for unpatched server-side software and simply force their way in through weak credentials at the back door.

Taking action
In recognition of the dangers posed by SamSam and other ransomware attacks, the Department of Health and Human Services (HHS) issued a report in March warning organizations of the risks and providing mitigation tips to prevent attackers from gaining access to servers via Remote Desktop Protocol (RDP) connections, including:

  • Restrict access by placing RDP behind firewalls and using an RDP Gateway or VPN
  • Use strong, unique usernames and passwords together with two-factor authentication (2FA)
  • Limit the users who are permitted to log in using remote desktop
  • Implement an account lockout policy to help thwart brute-force attacks (set a maximum number of failed attempts before the account is locked out)
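
The lockout item above is easiest to reason about against real logon records. The following is an added example, not from the article or the HHS report: it reads Windows Security log records for failed RDP logons (Event ID 4625 with Logon Type 10), reports which accounts would have tripped a lockout threshold inside its observation window, and also flags a source that fails against many different accounts while staying under the per-account threshold, a pattern a lockout policy alone does not stop. The log lines are constructed, and the threshold and window values are assumed, not taken from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log extract (not real data): timestamp|EventID|LogonType|account|source.
SAMPLE_LOG = """\
2018-01-12T02:10:05|4625|10|admin|203.0.113.7
2018-01-12T02:10:09|4625|10|admin|203.0.113.7
2018-01-12T02:10:14|4625|10|admin|203.0.113.7
2018-01-12T02:10:20|4625|10|admin|203.0.113.7
2018-01-12T02:10:27|4625|10|admin|203.0.113.7
2018-01-12T02:12:00|4625|2|jdoe|127.0.0.1
2018-01-12T03:00:01|4625|10|jdoe|198.51.100.23
2018-01-12T03:00:04|4625|10|rnurse|198.51.100.23
2018-01-12T03:00:07|4625|10|svc_ehr|198.51.100.23
2018-01-12T03:05:00|4624|10|jdoe|10.20.0.15
"""

def parse_rdp_failures(text):
    """Keep only failed logons (4625) of type 10 (RemoteInteractive, i.e. RDP), sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, src = line.split("|")
        if event_id == "4625" and logon_type == "10":
            events.append((datetime.fromisoformat(ts), account, src))
    return sorted(events)

def _peak_in_window(pairs, window, distinct):
    """Most (optionally distinct) labels seen in any window of the given length starting at a hit."""
    best = 0
    for i, (start, _) in enumerate(pairs):
        labels = [lab for ts, lab in pairs[i:] if ts <= start + window]
        best = max(best, len(set(labels)) if distinct else len(labels))
    return best

def accounts_hitting_lockout(events, threshold=5, window_minutes=30):
    """Accounts whose failures inside one observation window reach the lockout threshold."""
    by_acct = defaultdict(list)
    for ts, acct, src in events:
        by_acct[acct].append((ts, src))
    w = timedelta(minutes=window_minutes)
    return {a for a, h in by_acct.items() if _peak_in_window(h, w, distinct=False) >= threshold}

def spraying_sources(events, min_accounts=3, window_minutes=30):
    """Sources failing against many distinct accounts in one window while each stays under threshold."""
    by_src = defaultdict(list)
    for ts, acct, src in events:
        by_src[src].append((ts, acct))
    w = timedelta(minutes=window_minutes)
    return {s for s, h in by_src.items() if _peak_in_window(h, w, distinct=True) >= min_accounts}
```

Run against a real export, the second function is the one that shows why the lockout policy should be paired with the gateway/VPN and 2FA items rather than relied on by itself.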

RDP aside, healthcare organizations need to ensure they are educating staff to recognize ransomware attempts across all potential entry points, above all email, which is consistently the most utilized point of access by ransomware attackers. The first step to maintaining secure email across a company should be regular staff training – including teaching staff to recognize phishing attempts, making them aware of malicious links and attachments, and encouraging them to create complex passwords that are difficult to guess – all of which make life more difficult for would-be attackers. And don’t forget about outside vendors who may have access to critical systems. Be sure to turn off all default access settings (such as default “ADMIN” passwords) when installing new equipment and software.

Better still, upgrading legacy email systems to a secure alternative, such as cloud fax, allows employees to send and receive faxes via email and a secure portal from desktops, laptops and smartphones, using security protocols that protect sensitive data both in transit and in storage. EHR providers can benefit from this technology too, by employing secure fax APIs that allow customers to exchange healthcare faxes, x-rays, images and other confidential documents too big for email directly from the EHR platform.

The most worrying thing about ransomware is that it looks set to get worse before it gets better. In preying on the naivety of untrained staff and poorly protected backdoors or unpatched systems, ransomware attackers manage to find organizations’ biggest security gaps, and until a collective shift in mindset can be realized, they’ll continue to exploit these weaknesses.

By educating employees about the risks posed by email and ransomware attacks, and by providing the right secure workflow tools that allow them to carry out their jobs effectively, organizations can spend less time worrying about data breaches, and more time delivering a quality service to their customers or patients.