Since 2005, ransomware has been extorting cyber victims with astounding results. As with any criminal scheme, technological improvements and relentless ambition seem to have exposed a virtually untapped market with an incredibly low risk of getting caught: the healthcare industry.
All it takes is one innocent click on a malware-infected ad, a Facebook or Twitter link, or any other malware lure to grant hackers the full access they need to take an entire hospital's data servers hostage. Everything from EHR data to family photos is locked and rendered useless, forcing a shutdown nobody wants to be responsible for.
What makes the healthcare industry such an attractive target for cyber hackers is the lack of security systems in place at many hospitals and healthcare providers storing patient data, which leaves that data extremely vulnerable to cyber attacks.
"It's a very bad trend that has been rising in the past few years," says Adam Kujawa, an expert at the software company Malwarebytes. "It's the one we see people asking for help about the most," he says. "And unfortunately, this isn't the kind of attack that you can get infected and you're done. There's no quick fix."
Many hackers seek simple ransom payoffs in untraceable bitcoin, ranging from a few hundred to thousands of dollars. Hackers also see healthcare systems as particularly vulnerable: a willing-to-pay target whose primary concern is HIPAA compliance and ensuring that employees meet the federal requirements for protecting patient privacy.
Unfortunately, the focus on internal policies seems to leave procedural gaps in cyber security and in emergency data-breach action plans. This oversight leads to an absence of hospital planning and safeguards, often leaving a breached facility with no course of action other than paying the ransom. After all, in healthcare settings timely access to desperately needed patient health records can mean the difference between life and death.
“If you have patients, you are going to panic way quicker than if you are selling sheet metal,” says Stu Sjouwerman. Hospitals are a good target for another reason as well: they “have not trained their employees on security awareness … and hospitals don’t focus on cybersecurity in general,” he says.
Stu Sjouwerman is the CEO of the security firm KnowBe4, which has authored a 20-page "hostage manual" (.pdf) instructing victims on what to do after an attack and how to prevent one by training employees to better manage urgent IT security problems. The company also shared results from a year-long training course measuring some 300,000 users who underwent cyber security training: an average drop in click rates from 15.9 percent to just 1.2 percent among companies that had the training.
Following the unsuccessful end-of-March attack on Washington health-care behemoth MedStar, Sjouwerman was quoted as saying:
“With good training you can actually truly get a dramatic decrease in click-happy employees,” he says. “You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.”