Cybercrime takes many forms. One type currently in the spotlight involves holding an organization’s computers and data hostage until it pays a ransom. These attacks usually play out in private, because companies generally prefer not to reveal they’ve been attacked, but recent high-profile cases are showing that hospitals and other health care organizations are vulnerable to ransomware.
This type of malicious software has been around for years, though the targets and the tactics have changed. Early on, ransomware was directed at individuals. You’d open an attachment on your home computer, and before you knew it, you were locked out of your files. You would then have to decide whether to pay the relatively small ransom to regain access to your photos and files, hire someone to break the encryption (which wasn’t very sophisticated back then), or ignore the demand and buy a new computer. Later on, cybercriminals tended to target municipal organizations like sheriff’s offices and schools. The ransom amounts were usually small, and files could sometimes be recovered from backups or by breaking the encryption.
Gangs from Eastern Europe and elsewhere have realized that there’s real money to be made going after larger businesses, including hospitals and other health care organizations. Although they’ve been making such attacks for some time, several have recently received high-profile media coverage. This year, ransomware attacks have been reported at hospitals in California, Kentucky, Indiana, and the Washington D.C. region, as well as in Australia and Canada. Many members of the National Health Information Sharing and Analysis Center have reported seeing campaigns attempting to deliver ransomware, sometimes almost daily.
Although it looks like hospitals are being targeted, this is probably an illusion. These opportunistic attacks are spread across many sectors — if the door is open, these criminals will come in no matter what kind of business or organization it is.
There are several modes of entry. The simplest and most common begins with an employee opening an innocent-looking email and its malicious attachment or link. This releases the embedded ransomware onto his or her computer. From there, it can spread to the entire network. Some versions can gain entry via vulnerable software applications and infected websites.
What ransomware can do once it slips into a system is also becoming more sophisticated. Some types encrypt not just the data but backup data as well. That makes it difficult to ignore the ransom demand because it’s impossible to restore the system from an encrypted backup.
Devices connected to the network, like infusion pumps or MRI scanners, are also vulnerable to these attacks. That poses problems. If ransomware locks a million-dollar MRI machine, a hospital isn’t going to walk away from it and get a new one.
Efficiency can lead to vulnerability
Thanks to the national push for electronic health records and technology that connects devices to the networks and the internet, many health care organizations have rushed to expand their information technology without also focusing on threats from without. That may contribute to their vulnerability to ransomware attacks.
Protecting any organization from ransomware is relatively straightforward. It relies mainly on basic cybersecurity procedures like patching and installing the latest versions of critical software, running the most up-to-date antivirus software, isolating vulnerable devices from the network, and filtering emails or whitelisting them (allowing email only from approved domains and IP addresses). It’s also essential to educate every employee on best practices, like not clicking on links or attachments in suspicious emails. Basic cyber hygiene eliminates a good portion of the ransomware threat.
Being open about ransomware attacks, rather than hiding them, can also help neutralize the threat. By robustly sharing information, our members are learning about the various ransomware emails in circulation, the types of malware attachments, the IP addresses they are coming from, and more. They are then using this information to block attempts on their networks.
The time is now
Health care organizations need to take ransomware and other threats seriously. The time to install good cybersecurity policies, infrastructure, and procedures is now — before hackers actively target the health care sector.
Cybercriminals share information with each other. We should be doing the same thing. It’s a way to gain awareness of the situation and protect against threats. Removing barriers to sharing and uniting as a community will help combat this menace.
Denise Anderson is president of the National Health Information Sharing and Analysis Center, a public/private information-sharing community aimed at keeping the global health care infrastructure protected