Cybercriminals and the healthcare industry. Your life in their hands?
There’s been a major traffic collision involving multiple vehicles.
Ambulances are converging on a city general hospital with seriously injured patients fighting for their lives in the back of the emergency units.
The crews are trying to relay information to the ER to prepare for their arrival with the wounded victims. But there’s a problem.
Systems are down. Patient records can’t be accessed. Personnel details are unavailable so the hospital can’t co-ordinate the specialists required for theatre. They can’t even see which theatres are available.
In the middle of this emergency, a ransomware attack has locked down the IT infrastructure and shut the hospital out of its mission-critical systems.
A decision is made to re-route the ambulances to a different hospital further away, which may have tragic consequences in a situation where every second counts.
Why is the healthcare sector vulnerable to cyberattack?
The situation I’ve just described is fictional but based on fact. Healthcare institutions are uniquely vulnerable to cybersecurity attacks for very obvious reasons. The widespread deployment of technology in almost every aspect of medicine and healthcare means that disrupting access to frontline IT systems could literally be a matter of life and death. And at least one study by Vanderbilt University has suggested subsequent mortality rates could be higher after a ransomware attack*.
Not only that, but the nature of our relationship with our healthcare providers means that they possess some of the most personal and private information about their clients and patients. Such knowledge could potentially be put to all kinds of nefarious uses in the wrong hands. This makes unauthorised data breaches and the sharing of personal information a serious matter both for individuals and society at large, as well as financially burdensome for the institution in terms of fines and potential lawsuits.
All of which places the healthcare sector in the front line against the almost relentless assault of ransomware.
The cost of ransomware
One study from Emsisoft** shows that over 750 health care providers were targeted in 2019 in the US alone. And another US-focused report, from Black Book Research***, reveals that:
- The average cost of a ransomware attack in healthcare was $423 per patient record in 2019.
- US healthcare data breaches cost the industry $4 billion in 2019.
- Over 93% of healthcare organisations have experienced a data breach since Q3 2016 and 57% have had more than five data breaches during the same timeframe.
- Only 1.5% of physician groups with over ten clinicians in the practice report having a dedicated Chief Information Security Officer.
Of course, it’s not just US healthcare that faces these challenges. The notorious WannaCry virus in 2017 badly disrupted nationwide services in the UK’s NHS. Even more recently, medical staff at the University Hospital Centre in Rouen were forced to abandon PCs as ransomware had made them unusable, reverting instead to the old-fashioned method of paper and pencil.
Part of the reason for this is budget. Financial constraints have prevented organisations replacing useful legacy software and older devices, leaving them more susceptible to attacks. Another cause is staffing. While large units may have significant in-house IT resources, this is usually not the case for smaller healthcare providers, and many hospitals, large or small, do not have a dedicated IT Security Executive.
So what can hospitals, medical centres, dentists and other healthcare providers do to guard against the threat of cyberattack? Here is a simple five-point plan that will go a long way to helping healthcare professionals secure their defences.
A plan for guarding against ransomware in the healthcare sector
- Make sure that (as far as possible) servers and PCs are up to date with the latest operating systems and antivirus solutions.
- If not, and in the wake of Windows 7 support coming to an end, consider if older machines (which you might not be able to update or support any more), could be replaced or retired. The cost and inconvenience will probably be less than the impact of a cybersecurity breach.
- Perhaps more so than in other sectors, a straightforward step is education: making sure everyone in the organisation, not just in IT, is familiar with ransomware methods and can recognise phishing attempts to gain password credentials or circulate harmful links and attachments. Hospitals employ so many different and diverse professionals, covering a multitude of functions, that there needs to be a culture of vigilance across the entire organisation. For that reason, a dedicated IT Security Executive can be seen as an essential leadership role to help co-ordinate both preventative planning and an effective response when ransomware does strike. It’s a sad reality that cyber criminals are increasingly using ‘malware free’ techniques to infiltrate and gain a foothold in organisation networks.
- For IT specialist teams, it’s also important to use different credentials for accessing backup storage and maybe even a mixture of file systems to isolate different parts of your infrastructure to slow the spread of ransomware. In the event of a ransomware attack, criminals will go after your backups too, and if a recovery file is corrupted with ransomware, it could be inaccessible as well. One way to stop this is to use an array like HPE StoreOnce that isolates your backup from traditional lines of communication and command sets leveraged by ransomware attackers. Avoid using obvious credentials, like Domain/Admin, to gain access to your backup volumes. If you outsource to an MSP or CSP, audit their ransomware defence protocols. And run fire drills for the worst-case scenario so that if ambulances are incoming, and systems are down, you and your team can respond to the IT emergency just as surely as you would to the medical one.
- Healthcare organisations that follow the “1-10-60” rule of cybersecurity will be better placed to neutralise the threat of a hostile adversary before it can leave its initial entry point. You may not have encountered it before, but 1-10-60 is a set of principles defined by antivirus and cybersecurity specialist, CrowdStrike. The most cyber-prepared healthcare agencies should aim to detect an intrusion in under a minute, perform a full investigation in under 10 minutes, and eradicate the adversary from the environment in under an hour in order to effectively combat sophisticated cyber threats.
- And finally, a different rule you probably have heard of: that’s the 3-2-1-1 rule. Three copies of your data, on at least two different media, with one stored offsite (e.g. cloud or tape) and one stored offline (e.g. tape). Having your data behind a physical air gap creates perhaps the most formidable barrier against ransomware. HPE StoreEver LTO tape is ideal for this purpose because it is completely offline when not in use which can save vital time in locating the “clean” data you need to restore your network. Tape can’t help you recover instantly, but it can greatly speed up your recovery in the hours and days that follow, especially if your primary backups have been disrupted. Tape is also supremely efficient for storing huge amounts of infrequently accessed (but essential) medical records for a very long time. And better still, tapes can be encrypted so that even if they did fall into the wrong hands, it would be impossible for thieves to access or use the data.
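The 3-2-1-1 rule, together with the earlier advice to keep backup credentials separate from everyday ones, can be checked mechanically against a backup inventory. The Python below is an added example, not code from the original article or from any vendor; the `Copy` fields, dataset names and account names are constructed for illustration, and it assumes the primary copy counts as one of the three.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    medium: str            # "disk", "tape", "cloud", ...
    offsite: bool          # held away from the primary site
    offline: bool          # unreachable over the network when not in use
    credential: str        # account able to write to or delete this copy
    primary: bool = False  # True for the live production copy

def audit_3211(copies, production_accounts):
    """Return the 3-2-1-1 and credential findings for one dataset."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c.medium.lower() for c in copies}) < 2:
        findings.append("all copies on one medium, need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("no offline copy")
    prod = {a.lower() for a in production_accounts}
    for c in copies:
        # A backup reachable with a production account falls with that account.
        if not c.primary and c.credential.lower() in prod:
            findings.append(
                f"backup on {c.medium} uses production credential {c.credential}")
    return findings

def audit_all(inventory, production_accounts):
    """Audit every dataset; an empty list means the dataset passes."""
    return {n: audit_3211(c, production_accounts) for n, c in inventory.items()}

# Constructed sample data (hypothetical domain, accounts and datasets).
PRODUCTION_ACCOUNTS = {"EXAMPLE\\Administrator", "EXAMPLE\\svc-ehr"}
INVENTORY = {
    "patient_records": [
        Copy("disk", False, False, "EXAMPLE\\svc-ehr", primary=True),
        Copy("disk", False, False, "bkp-appliance-01"),
        Copy("tape", True, True, "tape-operator"),
    ],
    "imaging_archive": [
        Copy("disk", False, False, "EXAMPLE\\svc-ehr", primary=True),
        Copy("disk", False, False, "example\\administrator"),
    ],
}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, PRODUCTION_ACCOUNTS).items():
        print(name, "OK" if not findings else findings)
```

Here a single tape copy satisfies both the offsite and the offline requirement; organisations that want those held as separate copies would tighten the two `any(...)` checks accordingly.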
Ultimately, when confronting the pervasive threat of a ransom attack, the best advice is to deploy a mix of technologies and build a ‘circular fort’ of defences; if one should fail, then you can still fall back to the next line. A broad defence, covering multiple vectors, should be the goal of any strategy for tackling a cyberattack in the health care industry.
* Vanderbilt University, 2019, https://www.hipaajournal.com/research-suggests-healthcare-data-breaches-cause-2100-deaths-a-year/
** Emsisoft, 2019, https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/
*** Black Book Research, 2019, https://www.prnewswire.com/news-releases/healthcare-data-breaches-costs-industry-4-billion-by-years-end-2020-will-be-worse-reports-new-black-book-survey-300950388.html