Key insights
Cybersecurity is a major concern in health care, particularly ransomware, which locks down systems and data until the ransom is paid, rendering electronic records useless.
Health care will likely continue to be one of the top industries targeted by ransomware attacks because of how sensitive the data is and the opportunity for large financial gain.
Mitigation strategies include security awareness training, using multi-factor authentication, and formalized patch management.
Technology has changed so much in business, particularly in health care where professionals rely heavily on it to carry out day-to-day tasks. Sensitive personal information and patient test results are stored in expansive digital systems, making them an attractive target for hackers.
Cyberattacks have spiked in the health care industry in recent years, exposing all types of confidential information. And, like the common cold, all it takes is one system to get breached for ransomware to spread across your organization’s entire network.
What is ransomware?
Ransomware is a type of cyberattack used by criminals to encrypt an organization’s files. Unlike a data breach that exposes information, ransomware locks down systems and data until the ransom is paid, rendering electronic records useless and delaying patient care.
Ransom payment requests can range anywhere from a few thousand to tens of millions of dollars. Once the attacker receives payment, the victim may receive a decryption code to access their files again. However, not all attackers restore the files after payment — and once ransomware has been installed on a system, all the devices connected to the network can remain infected.
How problematic is ransomware in health care?
Health care will likely continue to be one of the top industries targeted by ransomware attacks because of how sensitive the data is and the opportunity for large financial gain. In many cases, hackers gain access to an organization’s network through scam or phishing emails, exploiting vulnerabilities in software systems without multi-factor authentication.
Over the last five years, there has been a 256% increase in large breaches involving hacking, and a 264% increase in ransomware, according to the U.S. Department of Health and Human Services (HHS). The attackers are after electronic Personal Health Information (ePHI), such as demographic information, medical histories, laboratory results, physical and electronic health records, mental health conditions, insurance information, and other relevant data.
If breached, this data is likely to be stolen and sold on the dark web for the attacker’s financial gain, as the average cost of a ransomware attack — not including the cost of the ransom itself — is $4.54 million, according to HHS.
“Health care is the most targeted industry for cyberattacks, according to HHS. The influx of ransomware has impacted patient care, providers’ reputations, and the industry as a whole. Complying with HIPAA regulations helps protect patients, providers, and the organization. But cybersecurity doesn’t end with HIPAA requirements, and organizations should be diligent in defending their networks and information through technical and controls testing.”
— Jennifer Friel, CLA controls consultant director
Strategies to reduce ransomware attacks in health care
Ransomware attacks can’t be completely prevented by a single tactic, but there are several precautions that may mitigate risks.
Leveraging multi-factor authentication (MFA)
MFA requires users to have two or more authentication methods before gaining system access. Common factors include:
- Something you know (a password or identification number)
- Something you have (a cell phone or smartcard)
- Something you are (a fingerprint or facial recognition)
The most common MFA type is a password along with a one-time code sent to the user’s phone or email.
Formalized patch management procedures
Keep systems up to date to help prevent hackers from exploiting known vulnerabilities and bugs in outdated systems. Regularly checking for updates and patches and installing them as soon as they are available may help your organization reduce cybersecurity risk.
Security awareness training
The most common ransomware attacks involve tricking users into clicking a malicious link, downloading a malicious attachment, or sharing protected data over the phone. This is better known as phishing. Once the file or link is clicked, it can install a malicious file in the background without a person even knowing.
Your organization should have clearly articulated cybersecurity policies, so employees, contractors, and third-party vendors know which data, applications, systems, and devices they can access — and the consequences of unauthorized access attempts.
The future of cybersecurity and health care
Data breach consequences can be severe for health care organizations. In addition to remediation costs and legal fees, a data breach can damage an organization’s reputation and erode patient trust. Patients may be hesitant to share personal information with an organization that experienced a breach, which can reduce business and revenue.
With health care organizations continuing to rely on technology to improve care delivery and operations, they will also continue to be a target for hackers seeking to steal patients’ protected health information.
Increased use of electronic health records, telemedicine, and other digital tools may also increase the risk of cyberattacks. But taking precautions such as training employees on current cyber threats, keeping systems up to date, and using multi-factor authentication may reduce the potential for cybersecurity breaches.
Connect
Isabella Tufaro
Controls Consultant Associate