Since the start of 2015, healthcare has been hit with more ransomware than any other industry.
Headlines abound with tales of healthcare organizations declaring states of emergency, turning away patients, and often opting to pay ransoms just to end their nightmare.
In fact, ransomware has become such a problem for the industry that the U.S. Department of Health and Human Services' Office for Civil Rights (HHS OCR), which enforces HIPAA, issued ransomware-specific guidance in July 2016. Notably, that guidance treats the encryption of electronic protected health information by ransomware as a presumptive breach unless the organization can demonstrate a low probability that the data was compromised.
In April 2016, U.S. Senator Barbara Boxer sent a letter to FBI Director James Comey asking for details of what the Bureau was doing to investigate the attacks, and how organizations could protect themselves.
But why have healthcare organizations proven such a popular target for ransomware? On the face of it almost any private business would seem a ready target, so why are threat actors so focused on the healthcare industry?
A Weak Security Posture
We’ve written a lot about this recently, so we won’t belabor the point. Compared to other data-rich industries, the average standard of security in the healthcare industry is very low.
Healthcare environments are extremely complex, and in many cases feature multiple legacy systems operating side-by-side. To make matters worse, outdated endpoints and unpatched versions of common software such as Flash and Java leave organizations vulnerable to even the simplest forms of ransomware.
And from a personnel perspective, the industry is an even juicier target. Healthcare professionals are some of the busiest (and most security complacent) users in any industry, making them an easy mark for social engineering. Since most ransomware is deployed using phishing and spear phishing attacks, this goes a long way towards explaining the proliferation of ransomware attacks on the industry.
And it’s not just about security controls.
One of the features of more advanced ransomware is the ability to stay dormant after the initial infection while it moves laterally and enumerates the file shares it can reach within the target network. Over time the trojan gains access to more, and increasingly sensitive, files, so that when the encryption process is finally triggered the impact is far greater.
The nature of healthcare means a high proportion of users require access to highly sensitive (and valuable) data. As a result, even the simplest ransomware trojans, which start encrypting files as soon as they’re deployed, can cause massive damage to a healthcare organization.
It should be noted, however, that just because many healthcare employees need this type of privileged access doesn’t mean all of them do. Equally, even the most senior users likely don’t need access to all of the data, all of the time. Sadly, user access levels are not well controlled within most healthcare organizations, paving the way for highly destructive ransomware attacks.
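The behaviour described above, a single account rapidly renaming files across every share it can write to, is also the most reliable early signal a defender gets. The following is an added example, not code from the original post or from PhishLabs: it runs a sliding-window check over file-share audit events, flags any account that renames many files to an unfamiliar extension within a short window, and reports which shares that account reached (which is exactly the blast radius that poor privilege rationalization creates). The audit-line format (ISO timestamp|user|action|UNC path), the list of "known" extensions and the sample events are all constructed assumptions for this illustration.

```python
"""
Ransomware burst detection over file-share audit events.

Added example, not from the original post or from PhishLabs. The line format
('ISO-timestamp|user|action|UNC path'), the known-extension list and the
sample log built by build_sample_log() are constructed for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions that are normal on these shares (assumed for the example).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".dcm", ".hl7"}


def parse_event(line):
    """Parse 'ISO-timestamp|user|action|path' into a dict."""
    ts, user, action, path = line.strip().split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path}


def share_of(path):
    r"""Share name from a UNC path such as \\fs01\Radiology\scan.dcm."""
    parts = path.split("\\")
    return parts[3] if len(parts) > 3 else "?"


def extension_of(path):
    """Final extension of the file name, lower-cased ('' if there is none)."""
    name = path.rsplit("\\", 1)[-1]
    return ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""


def is_suspicious(event):
    """A rename to an extension nobody in the environment normally uses."""
    return (event["action"] == "RENAME"
            and extension_of(event["path"]) not in KNOWN_EXTENSIONS)


def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {user: {...}} for every account with at least `threshold`
    suspicious renames inside any `window`, plus the shares it touched."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-user sliding window of suspicious events
    alerts = {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerts:
            alerts[ev["user"]] = {
                "first_seen": q[0]["ts"],
                "count": len(q),
                "shares": sorted({share_of(e["path"]) for e in q}),
            }
    return alerts


def build_sample_log():
    """Constructed audit lines: routine nurse activity plus a ransomware burst
    running under a compromised physician account with write access to two shares."""
    base = datetime(2017, 2, 1, 9, 0, 0)
    lines = []
    for i in range(5):
        t = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{t}|nurse.kim|WRITE|\\\\fs01\\Nursing\\shift{i}.docx")
    t = (base + timedelta(seconds=10)).isoformat()
    lines.append(f"{t}|nurse.kim|RENAME|\\\\fs01\\Nursing\\notes.txt")  # benign rename
    for i in range(25):   # 25 renames to .locked in 25 seconds, alternating shares
        t = (base + timedelta(seconds=i)).isoformat()
        share = "Radiology" if i % 2 == 0 else "Billing"
        lines.append(f"{t}|dr.patel|RENAME|\\\\fs01\\{share}\\scan{i}.dcm.locked")
    return lines


if __name__ == "__main__":
    for user, a in find_bursts(build_sample_log()).items():
        print(f"ALERT {user}: {a['count']} suspicious renames from {a['first_seen']} "
              f"on shares {', '.join(a['shares'])}")
```

Tune `threshold` and `window` to the baseline of real audit data, since a bulk rename by a legitimate migration job will look the same; the point is that the alert fires while the trojan is still working through the first share, and the list of shares reached is the access that privilege rationalization should have removed in the first place.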
Limited Incident Response
Once ransomware has been deployed, and the ransom demands made, organizations have two options: Pay up, or attempt to resolve the situation internally.
Opting for the DIY approach will typically involve a significant amount of time and resources, as all traces of the trojan must be removed; in practice that means reimaging the affected endpoints and closing the initial access path (usually the phished account or the unpatched host), or the infection simply returns. Once this is complete, the lost files can be restored from backups, assuming a comprehensive backup policy is in place and the backups themselves were kept offline or otherwise out of reach of the infected systems, since ransomware will encrypt any backup share it can write to.
But there’s a problem. Even if comprehensive backups do exist, recovering from a ransomware infection is tremendously labor intensive, not to mention costly.
This is where the security woes of the healthcare industry really reside. On average, healthcare organizations have lower security budgets and fewer security personnel than any other major industry. Most are not equipped to quickly and efficiently recover from a ransomware infection, and consequently the one-off costs of recovery are much higher than they would otherwise be. Even worse, recovery times are far longer than they should be, and business impact can be crippling.
So what happens? In a surprising number of cases, healthcare organizations have opted to pay ransoms rather than try to recover internally. While there is still a substantial business impact, and no doubt some recovery work still to be done, choosing to pay up is very much a business decision.
But, of course, threat actors know all this. The very fact that paying ransoms can (in some circumstances) be the best business decision for a healthcare organization makes them an even more valuable target. Ultimately, as was noted in Senator Boxer’s letter to the FBI Director, complying with threat actors is directly providing them with an incentive to keep targeting the industry.
Ransomware is a huge inconvenience for any organization, whether or not ransoms are paid. For retail or financial organizations, the inconvenience is primarily monetary, consisting of incident response costs plus impact to the business.
Healthcare is different. If a hospital is hit with ransomware the first concern isn’t money, it’s the patients. No healthcare organization in the world wants to risk patient care (not to mention malpractice lawsuits), but that’s exactly what’s at stake with ransomware infections.
Staff are temporarily forced to process records manually, resulting in a far from ideal working environment for the doctors and nurses charged with caring for patients. Mistakes are far more likely under these circumstances, and the executives know it.
And this is what it really comes down to. More than almost any other type of organization, hospitals, clinics, and healthcare trusts simply cannot afford to have their systems compromised for any period of time. Often after just a day or two the urge to pay up and end the ordeal proves too much to resist, and the threat actors get exactly what they want.
The Wake-up Call
In many ways, the ongoing torrent of ransomware aimed at healthcare organizations is just a symptom of a larger problem. Many healthcare organizations simply don’t prioritize cyber security, and consequently are highly vulnerable to attack.
Until basic precautions such as consistent security awareness training, vulnerability/patch management, and user privilege rationalization are widely adopted within the industry, chances are the number of attacks will only continue to rise.
To find out how you can fight back against ransomware and other phishing threats, contact us today.
From February 19-23, PhishLabs will be at HIMSS 17 booth 6689 in Orlando, Florida. If you’d like to meet with us to discuss our 24/7 protection against attacks targeting your employees, systems, and data, please get in touch.