Jacob Olcott is a Vice President at BitSight Technologies, a cybersecurity ratings organization. He previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management and served as counsel to John D. Rockefeller, IV, Chairman of the Senate Commerce Committee, and the House of Representatives Homeland Security Committee. Here, in an article originally published on Brink, he explains the threat of ransomware to healthcare organizations and how they can protect themselves from this malicious code:
The healthcare sector has increasingly been targeted by cybercriminals over the last few years, including hospitals and healthcare providers. Healthcare companies make ideal targets for cyber attacks, not only for the type of data that they manage, but also because these organizations may often lack advanced backup systems, cybersecurity training and sophisticated business resiliency plans commonly found at banks and other more mature financial services corporations.
For the criminals, the value of a healthcare record provides critical motive for their attacks; according to The Aberdeen Group, each record can go for as much as $500 per patient on the black market.
One devastating type of cyber attack that continues to plague healthcare organizations involves malicious code known as “ransomware.” Ransomware is malware that encrypts data on an organization’s network and demands a ransom from the victim in order to restore the data.
Ransomware attacks can begin with one seemingly benign email attachment that is opened by an employee. This action introduces malicious code into the network that encrypts and locks critical data (e.g. patient records, financial information or business documents). In return for the decryption key, hackers will demand payment, usually in the form of bitcoin.
Because many hospitals’ patient data is critical in life-or-death situations, most of the organizations decide to pay the ransom. This was the case earlier this year with Hollywood Presbyterian Medical Center, which chose to pay a $17,000 ransom to hackers who had locked some of the hospital’s critical data.
How can healthcare organizations improve their cybersecurity defenses? What specific lessons can they learn from other more advanced sectors? Researchers from Advisen and BitSight Technologies recently published a report, “Cyber Vulnerability: Where do you Stand?,” in which they analyzed the data security performance of three industries: Finance and Insurance, Healthcare and Social Assistance, and Public Administration. The study found a high percentage of healthcare organizations with security ratings below a “basic” level (based on a BitSight Security Rating of less than 640). This indicates that a large number of healthcare organizations are struggling with malware events. Almost 75 percent of the healthcare organizations examined in the study are still running systems vulnerable to FREAK, a flaw in SSL/TLS that lets an attacker downgrade a connection to weak export-grade encryption, which could be exploited to expose private information like usernames and passwords.
The study additionally found a correlation between the services that some organizations run and the probability of experiencing a breach. For example, companies that run Postgres and expose it to the internet experience six times as many breaches as companies not running the service.
Over the years, healthcare companies have lagged behind other industries when it comes to cybersecurity performance. Healthcare companies have some of the lowest security ratings compared to the nine other industries in the Advisen/BitSight report. Tight budgets and small IT security teams could be driving this trend in security ratings; however, as the spotlight of data breaches shines on healthcare, the industry’s response to recent ransomware attacks could signal the need to shift how these organizations approach information security.
Shifting security priorities
Simply paying a ransom and expecting that the organization will not be breached again may prove to be a short-sighted approach to the ransomware problem. The FBI recently released recommendations for organizations that have been infected with this malicious code, advising them against paying the ransom.
Instead, organizations may consider raising the security awareness of employees via cybersecurity training to help employees identify suspicious emails and avoid opening malicious hyperlinks or attachments.
IT security teams may also want to upgrade their email protocols and update their SSL certificates to help protect the authenticity of email communications. Failing to perform routine system maintenance could expose organizations to cyber attacks. To address this gap, IT teams should regularly update their software and check for vulnerable services running on their networks. This extra step provides an added layer of protection against ransomware and other online threats. Federal agencies like the Department of Health and Human Services’ Office for Civil Rights (OCR) have provided additional guidance for healthcare organizations on how to prevent and react to a ransomware attack.
Because of the value of their data, healthcare organizations now recognize that they are a significant target for cybercriminals. Now they must take additional steps to protect their data and networks. Raising the performance bar—and seeking to match other high-performing industries like the financial sector—would represent a strong step by the healthcare sector in reducing risk to protected health information.