During the first half of 2020, at least 41 hospitals and other healthcare providers were successfully attacked by malware, according to a report released by the New Zealand-based software firm Emsisoft. Such attacks usually aim to hold data hostage through encryption until a ransom is paid, or to extort money by threatening to publish the data on the internet.
The Emsisoft report found there was a significant decline in malware attacks after the pandemic hit, which was a surprise, according to Brett Callow, a threat analyst for the organization. But the trend appears to be reversing, with a slight uptick in May and June. Data are now stolen in about 10% of malware attacks, Callow said.
Threats to Release Data
“Groups use the threat of releasing the data or auctioning the data as additional leverage to extort payment,” he said. “And the most you can hope to receive is a pinky promise that the stolen data will be deleted, but why would criminals delete something that they can make money with?”
Many people believe ransomware attacks are instantaneous, with files getting encrypted when someone clicks on a link. But hackers typically have access for days or even months before they deploy the ransomware, Callow said. During that time, they amass credentials needed to move through the network and steal data. When they have enough, they start encrypting files.
“Organizations should be assuming their perimeters will be breached, so they should have tools in place to monitor networks for early signs of compromise,” Callow said. “Aside from that, it’s really a matter of strictly abiding by well-established best practices.”
Improperly secured servers account for about half of breaches, according to Callow. This means providers need to stay abreast of software patches and use multi-factor authentication wherever possible. Weak passwords are “horrifyingly common,” he said. Any organization should require password complexity rules and/or frequent password changes, Callow said.
Another option is to have a security operations center and/or specialized software that monitors inbound and outbound network traffic, said Rich Curtiss, director of healthcare risk assurance services at Coalfire, a cybersecurity firm with headquarters in Westminster, Colorado. This would detect, for instance, a Romanian IP address remotely accessing a system at 2 a.m., when most medical practices or facilities in the United States would be closed.
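The kind of check Curtiss describes, written out as an added example (not code from the article, Coalfire, or Emsisoft): a small detector run over constructed remote-access log lines that flags successful logins outside business hours or from a country the practice does not expect. The log format, the Eastern-time business hours, and the "US only" expectation are assumptions made for the example.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample log lines (not from the article): a hypothetical remote-access
# log with UTC timestamps, already enriched with a GeoIP country code.
SAMPLE_LOG = """\
2020-06-14T13:02:11Z login user=jsmith src=198.51.100.7 geo=US result=success
2020-06-15T06:58:40Z login user=rpatel src=203.0.113.45 geo=RO result=success
2020-06-15T07:01:03Z login user=rpatel src=203.0.113.45 geo=RO result=success
2020-06-15T03:15:22Z login user=admin src=192.0.2.9 geo=US result=failure
2020-06-15T18:40:00Z login user=mlee src=198.51.100.8 geo=US result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>\S+)$"
)

# Policy assumptions for the example: the practice is on U.S. Eastern time (UTC-4 in
# June), is open 07:00-19:00 local, and normally only sees logins from the U.S.
LOCAL_TZ = timezone(timedelta(hours=-4))
BUSINESS_HOURS = range(7, 19)
EXPECTED_COUNTRIES = {"US"}

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def reasons(ev):
    """List why a successful login looks anomalous; an empty list means nothing to flag."""
    out = []
    if ev["result"] != "success":
        return out  # failed logins are a separate (brute-force) signal, not handled here
    local_hour = ev["ts"].astimezone(LOCAL_TZ).hour
    if local_hour not in BUSINESS_HOURS:
        out.append(f"off-hours login at {local_hour:02d}:00 local")
    if ev["geo"] not in EXPECTED_COUNTRIES:
        out.append(f"login from unexpected country {ev['geo']}")
    return out

def find_anomalies(log_text):
    """Return (user, src, reasons) for each successful login that trips a rule."""
    events = [parse_line(l) for l in log_text.splitlines()]
    return [(e["user"], e["src"], reasons(e)) for e in events if e and reasons(e)]
```

On the sample, the two 2-3 a.m. logins from Romania are the only events flagged; the U.S. business-hours logins and the single failed attempt pass through.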
Ransomware is the worst kind of computer threat that healthcare organizations face, “and it requires additional security to mitigate the intrusion and the exfiltration of data from the networks,” Curtiss said. “HIPAA already requires these things, it’s just that healthcare isn’t very good about making information security and cyber risk management a priority.”
“The better you get, the better they get,” Curtiss said. “It’s a cat and mouse game, and too often the 2 sides aren’t playing the same game.”
Instead of treating cybersecurity as a cost center, organizations should consider it a business enabler and critical to their clinical operations, he said.
Importance of Training
Curtiss illustrated the point with a recent phishing attempt against him. He bought a few items on Amazon.com. Almost immediately after his purchase, he received an email saying his Amazon account was locked and he needed to click on a link to rectify the problem. It took him a second look at the email to realize it was not legitimate. “I almost clicked on the email, and I’m a security professional,” he said.
That is where the other 50% of ransomware originates: malicious emails or links. Hackers use social engineering to make emails look as realistic as possible, to the point that they can sometimes trick professionals. Human error will always exist, but rigorous staff training on information security fundamentals can reduce the likelihood of someone clicking on a malicious link.
“You wouldn’t put a nuclear reactor in the hands of someone without sufficient training to make sure they won’t cause a major event,” Curtiss said. “But they give people computers and access to a group’s information and have 5 minutes of training in a PowerPoint chart.”
Anatomy of an Email
Training, he said, often consists of “don’t click on this,” but people should instead be taught the “anatomy of an email” so they know what to look for to verify authenticity. In addition, people should have a place to send suspicious emails for examination. If one person in a practice has received a suspicious email, others in the practice probably have, too, Curtiss said.
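The "anatomy of an email" checks above, and the lookalike account-locked notice Curtiss describes, as an added example (not code from the article or Coalfire): the function inspects the From display name versus the sending domain, the Reply-To domain, and whether a link's visible text names a different host than its real href. The sample message and the `.example` domains are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the message Curtiss received): a lookalike "account locked" notice.
SAMPLE_EMAIL = """\
From: "Amazon.com" <security@amazon-account-verify.example>
Reply-To: support@mail-relay.example
Subject: Your account has been locked
Content-Type: text/html

<p>Unusual activity was detected. Your account stays locked until you visit
<a href="http://amazon-account-verify.example/login">https://www.amazon.com/verify</a>
within 24 hours.</p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^\w+://([^/:?#]+)", re.I)

def host_of(text):
    """Hostname of a URL, or None if the text is not a URL."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None

def domain_of(header):
    """Domain part of the address in a From/Reply-To header, or None."""
    mailbox = parseaddr(header)[1]
    return mailbox.rsplit("@", 1)[1].lower() if "@" in mailbox else None

def email_warnings(raw, brand_domain="amazon.com"):
    """Return plain-language reasons the message may not be what it claims to be."""
    msg = message_from_string(raw)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # 1. Display name claims a brand, but the sending domain is not that brand's.
    legit = from_dom == brand_domain or (from_dom or "").endswith("." + brand_domain)
    if brand_domain.split(".")[0] in name.lower() and not legit:
        warnings.append(f'display name "{name}" but sender domain is {from_dom}')
    # 2. Replies are routed to a different domain than the sender's.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Link text shows one host, but the real href points at another.
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        shown, real = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
        if shown and real and shown != real:
            warnings.append(f"link shows {shown} but goes to {real}")
    return warnings
```

These are the cues a reader can verify by hand; a mail gateway would add authentication results (SPF, DKIM, DMARC) that this reader-level check does not cover.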
Curtiss also emphasized the importance of having a thorough risk assessment performed to identify potential threats and vulnerabilities and to stratify risks, so that organizations can direct resources toward the areas with the greatest exposure to hacking. The Office for Civil Rights of the Department of Health and Human Services requires this under the HIPAA Security Rule, “but it’s so thinly worded that people take it as a compliance activity and go through a checklist of security controls instead of looking at their potential risks,” Curtiss said.
Risk assessment and training should be ongoing and dynamic practices, he added. Risks may change over time, and so should controls and systems that are in place to mitigate them. Retraining should take place as staff members and potential threats change. “But often we walk in and see very little cybersecurity and no risk management in organizations,” Curtiss said.