Healthcare Ransomware: Protecting Your Patients and Your Network

June 30, 2020

Healthcare ransomware is not a new threat; healthcare industry organizations have been ransomware targets for decades. Did you know that the very first ransomware attack targeted the healthcare industry in 1989? Joseph Popp, a PhD, sent a very specific ransomware to AIDS researchers, distributing 20,000 infected floppy discs (remember them?) across the globe. The diskettes, titled “AIDS Information: Introductory Diskettes,” were given to the World Health Organization’s AIDS Conference attendees, who had no reason to assume the discs were anything but legitimate. The malware was not released immediately; the affected computers needed to be powered on 90 times before a ransomware message popped up. At that point, victims were instructed to pay $189 for the release of computer data, and another $378 for “software leases.” The payment was mailed to “PC Cyborg” in Panama, earning this healthcare ransomware the name “PC Cyborg virus,” alternately known as the AIDS Trojan.

Luckily, this first ransomware attack was easily decrypted without paying the ransom, although it was widespread and affected multiple networks across 90 countries.

Times have changed, though, and while leg warmers and cabbage patch dolls are no longer in fashion, ransomware certainly is.

What is Healthcare Ransomware, Anyway?

Imagine clicking through your email and seeing an interesting attachment your colleague sent you. It’s from your colleague, so why not click it?

Your system locks down, with a threatening message on your screen warning you that your files are encrypted and cannot be accessed. You must pay the hacker to release the key to unencrypt your files; this is the “ransom.”

Your organization has a limited playbook at this point. Pay the ransom, taking the chance that the hackers won’t leak sensitive data and that they will restore your files, or scrub the virus and use data backups to restore the data.

The fallout from a healthcare ransomware attack is devastating. This malware will not only lock your providers out of important information they need to treat patients, it will cause downtime and disruption to your everyday functions such as insurance billing and coding.

It can take weeks to recover from a ransomware attack, and some data can be permanently lost during the restoration process.

Just How Big of a Threat is Ransomware to My Healthcare Organization?

Here are a few tidbits for you: 45% of ransomware targets the healthcare industry, and 85% of malware affecting the healthcare industry is ransomware.

Comparitech researchers estimate that since 2016, healthcare ransomware has cost at least 1500 victims over $160 million in recovery costs. It’s predicted that these numbers are higher since many organizations will just pay the ransom and not report the incident to the public sector.

Since the end of 2019, ransomware targeting the healthcare industry has increased 350%, and a new strain of ransomware known as Zeppelin has been hitting healthcare third-party vendors to disrupt the supply chain. It’s estimated that over 750 providers were targeted in 2019 alone, with an average of $6.5 million in costs for each.

Why Are Healthcare Industries Ransomware Targets?

Since the majority of healthcare ransomware comes from phishing, email security is a top priority for organizations. Unfortunately, many healthcare organizations do not take the proper steps, such as spam filtering and email authentication, making them prime ransomware targets.

Take a minute to consider your own healthcare organization: how rigorous is your email security? A good spam filter and anti-malware platform can give you a few additional layers of security, especially if you blend it with basic cybersecurity training for all employees on your network.

Hackers Are Waiting to Sell Your Patients’ Data

You may not realize how valuable your patients’ data is to hackers. From financial and insurance information to social security numbers and dates of birth, your network contains many tasty snacks for a hungry hacker and his friends on the dark web.

The hackers don’t care if you pay the ransom or not. The data they have locked down is worth money to them either way.

HIPAA Violations

It’s not enough that your practice will take a reputational hit or that your bank account will feel the burn; HIPAA is lurking in the wings like the Phantom of the Opera.

By law, you must notify governmental agencies of any data breach. Rest assured; this isn’t so the agency can sympathize with your bad luck. HIPAA specifically outlines ransomware in its Security Rule, giving the very basic security measures your healthcare organization must meet to remain compliant. Healthcare organizational methods to avoid being ransomware targets are very clearly defined by HIPAA.

Reputational Loss

While a smaller scale breach can be kept from the public and reported only to the affected clients, HIPAA requires that any incident involving 500 persons or more must be reported to the media. History shows that customers of any industry will stop doing business with companies who have experienced a breach, so having to alert the media is bad news for your organization. Media warnings about ransomware targets are not well-received by your patients.

The Heavy Cost of HIPAA Violations

If your organization is found to be in violation of HIPAA healthcare ransomware requirements, the costs can add up quickly. The fines can range from $10,000 to $25,000 per violation. Your employees will be on the hook, too; accidentally negligent employee actions that result in HIPAA violations can cost the employee big bucks personally, from $100 to $25,000. Willful negligence is a different story, with personal fines starting at $50,000 and, in some cases, jail time.

Six Simple Healthcare Ransomware Protections Your Organization Can Take Now

Luckily, most healthcare ransomware requires active participation from an unwitting user. Protecting your network is ten percent tools, like anti-malware, ten percent vigilance, and eighty percent employee education.

1. Make Sure All Security Patches are Updated

Encourage your employees to install patches as soon as they are available.

2. Monitor the Network

Remember that some ransomware can fly under the radar for days, weeks and months before becoming obvious. Maintain and review event logs; look for signs of unusual activity including moved, deleted, or renamed files.

3. Rigorous Anti-Spam Solutions

Go for a spam filter that scans the entire body of the email along with the more obvious vulnerability spots such as the “from” or “subject” line.

4. Have a Plan in Place…Just in Case

Prepare for a ransomware attack. How good are your backups? How much can your organization spend on recovery? Who will you notify, and when? Do you have a clearly defined Business Continuity Plan?

5. Strong Password Requirements

Encourage employees to follow stringent password creation requirements. These should be at least eight characters including capital letters, numbers, and special characters. No personal information or organizational references should be in these passwords. Multi-factor authentication will also increase your security.

6. Employee Training

This is the backbone of your defense. If an infected email slips past the spam filters, your employees should be trained to spot it and delete it without interacting with any attachment or suspicious requests for personal information. Cybersecurity awareness training should be a regular part of your annual continuing education plan for all providers and office staff.
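
To make step 2 concrete, here is an added example (not part of the original article) of reviewing file-activity logs for a burst of renamed, moved, or deleted files by one account, a common sign of files being encrypted in bulk. The log format, user names, paths, and thresholds are assumptions constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPECT_ACTIONS = {"RENAME", "MOVE", "DELETE"}

def build_sample():
    """Constructed audit log: '<ISO time> <user> <ACTION> <path> [new_path]'."""
    lines = [
        "2020-06-30T08:15:00 mlee DELETE /share/scans/old_fax.pdf",
        "2020-06-30T08:50:00 mlee RENAME /share/scans/a.pdf /share/scans/b.pdf",
        "not a log line",  # malformed input must be skipped, not crash the review
    ]
    start = datetime(2020, 6, 30, 9, 0, 0)
    for i in range(6):  # six renames in ten seconds by one account
        ts = (start + timedelta(seconds=2 * i)).isoformat()
        src = f"/share/billing/claim_{i}.xlsx"
        lines.append(f"{ts} jsmith RENAME {src} {src}.locked")
    return "\n".join(lines)

def parse_line(line):
    """Return (timestamp, user, action) or None if the line is malformed.
    Assumes paths contain no spaces (a simplification for this example)."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].upper()

def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each user to the time they first reached `threshold` suspect
    file events inside one sliding window. Assumes time-ordered input."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event[2] not in SUSPECT_ACTIONS:
            continue
        ts, user, _ = event
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts

if __name__ == "__main__":
    for user, when in find_bursts(build_sample()).items():
        print(f"ALERT {user}: burst of file changes by {when.isoformat()}")
```

Tune the threshold and window to your own file server's normal activity; legitimate bulk operations such as archive jobs will also trip a low threshold.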

(Want to learn more about malware? This guide takes you through the entire malware journey, including ways to spot it before it spreads, security solutions that aren’t really solutions at all, and a simple formula for creating a cybersecurity budget)

Healthcare Ransomware is a Real Threat

Hackers understand that healthcare organizations would be desperate to recover data locked down with malware. Your organization is at risk, no matter how small it may be. In fact, smaller organizations are less likely to have the resources and time to devote to maintaining proper defenses; a shortfall that cybercriminals know all too well and are eager to exploit, making healthcare organizations prime ransomware targets.

This is a great time to assess your cybersecurity plan. Is it rigorous enough to withstand evolving healthcare ransomware threats? What would you do if it happened to you? Are your backups complete and reliable, or would you have to pay the ransom and hope to get your files back? How much downtime can your healthcare organization withstand? Can you afford to pay the regulatory fines, either way? These are serious considerations in today’s cybersecurity landscape.

Iconic IT doesn’t believe in skimping on coverage for our clients. Unlike most MSPs that offer bare-bones services, we have plans as vast as the national parks they are named after. To us, anything else is underserving. We give you the guidance and supplies you need, like a park ranger helping you through the forests and mountains of your IT issues and needs.

How prepared are you, really, if the unthinkable happens? Iconic IT is ready to help you assess the current state of your cybersecurity with a free, no risk, no-obligation consultation. We specialize in small to medium-sized healthcare organizations, just like yours, with a HIPAA seal of compliance and years of experience in protecting our clients who service our communities and loved ones. Contact us for your free consultation and see how we can help you keep helping others, no matter what.
