Poor security and potential risk to life have made healthcare providers particularly vulnerable to ransomware exploitation by cybercriminals, according to new research highlighting the devastation of ransomware attacks like those that recently paralysed several Victorian hospitals.
At least 621 US government bodies, healthcare service providers, schools and universities were hit with ransomware, the new Emsisoft research found, noting that 491 (79 percent) of the attacks were targeted at healthcare providers.
Cybercriminals “understand that healthcare providers are often more inclined to pay the ransom as failure to do so may result in data loss that could potentially put lives at risk,” the report’s authors wrote.
The ransomware attack on two regional Victoria healthcare organisations – thought to have been caused by an infection by the Ryuk ransomware – led to delayed surgeries, administrative issues and challenges accessing patient data.
Ryuk code has bugs that cause it to damage around 1 out of every 8 files that it encrypts, leading to near-certain data loss even when ransoms are paid – although Emsisoft has free tools to decrypt the ransomware in 3 percent to 5 percent of cases.
Earlier this year, another high-profile breach, at a specialist group in Melbourne’s Cabrini Hospital, was similarly disruptive.
Such attacks are yet more reminders of the persistent vulnerability of a sector that has been breached more regularly in Australia than any other since the commencement of reporting under the Notifiable Data Breaches (NDB) scheme.
Healthcare CISOs have long been aware of the growing security challenges they face, with a recent Carbon Black analysis noting that 83 percent of people working in the sector had seen an increase in cyber attacks over the past year.
Industry figures continued to weigh in on the latest healthcare breaches. “It appears that many hospitals haven’t fully grasped that their IT systems are mission critical,” Webroot senior solutions architect Matt Aldridge noted. “They need to take far more robust precautions to guarantee availability of their systems.”
“Cybercriminals will continue to exploit security vulnerabilities in the healthcare industry, as there is a better chance of financial reward and return on their time investment. Whether the intent is to access patient data (which is valuable on the dark web) or collect a ransom, as long as these organisations remain easy targets, they’ll continue to be targeted.”
Businesses need to plan now to ensure they can recover in the event of such an attack – but many struggle to do so and instead end up paying ransoms that have increased steadily over time. Indeed, a recent Telstra survey found that half of Australian firms end up paying ransoms.
“Organisations must ensure that they have a solid backup and recovery plan that is tested and practice the principle of least privilege to ensure that any malware has limited success at spreading around the systems,” said Joseph Carson, chief security scientist for cyber security software firm Thycotic.
“Cyber security is a top priority and that cyber security best practices such as cyber awareness training, backup and recovery, principle of least privilege and strong privileged access management are in place to reduce the risks.”
Email fraud attacks against healthcare organisations increased by 473 percent during 2017 and 2018, Proofpoint Australia country manager Crispin Kerr said, noting that “the healthcare sector has become a lucrative target for malicious attacks due to the easy exploitation of healthcare workers’ natural curiosity, time constraints in acute care settings, and highly publicized ransoms being paid by healthcare organisations.”
The firm “regularly observes attackers attempting to trick healthcare workers into opening an unsafe email attachment or clicking on a questionable link that leads to ransomware,” he continued.
“Healthcare employees should be extremely vigilant in confirming the source of all emails that are sent to their personal and corporate email inboxes. Emails that urgently request a password change, patient data, or a link be clicked should be approached with extreme caution.”