Ransomware Increasingly Targets Medical Providers

Ransomware continues to make headlines in the data security world, and with good reason.  A report issued earlier this year by the Director of National Intelligence highlighted the continued surge in ransomware attacks in the U.S.  While commercial companies remain the biggest target, reported ransomware attacks expanded across all sectors of the economy, with attacks on U.S. healthcare providers nearly doubling.

Ransomware is a type of malicious software that hackers deploy to encrypt or exfiltrate (remove) a target’s data until the target pays a ransom.  If the target does not pay the hacker, the target risks the permanent loss of access to the data, the hacker may publish sensitive data online, or the hacker may sell private information to third parties.

Healthcare organizations, ranging from hospitals to small clinics, are prime targets for ransomware attacks due to the nature of the information they collect: not only do they have sensitive medical information, but they keep other personally identifiable information, such as addresses and birthdates, as well as payment information. The consequences of a successful ransomware attack on a healthcare facility can be catastrophic, potentially resulting in disrupted operations, compromised patient care, significant financial losses, and immense reputational harm.

Because ransomware is a business, any good ransomware hacker focuses on their return on investment. They chase the biggest payday from the smallest initial investment, meaning they prefer easy targets.  The good news is there are some relatively easy steps you can take to make your healthcare company a more hardened target.

  1. Employee Training and Awareness: This is the lowest bar for your company to clear.  Educate your staff about the existence and dangers of ransomware, and how best to avoid letting the malicious code inside your walls.  Require good password hygiene, have appropriate policies about the use of external devices, and conduct regular training to combat phishing scams.
  2. Implement Proper IT Security Measures: Work with your IT department and external vendors to deploy a multi-layered security system. This will include, at a minimum, antivirus software, firewalls, intrusion detection systems, and proper encryption protocols (if you have sensitive data, you want to ensure it cannot be read by anyone who steals it).  All of these systems must be subject to continued testing and regular updates to keep up with the hackers.
  3. Data Backup and Recovery: Backing up your data regularly and securely will minimize any business disruption and the loss of patient medical records in the event of a ransomware attack. Regularly test your backup systems to ensure the data will be accessible in the event of an attack.
  4. Limit Access and Storage: Make sure that the only employees who have access to sensitive data are those who require it for the performance of their jobs. Require multi-factor authentication and always revoke an employee’s access to your data as soon as their employment ends.  Also, consider disposing of any data that you are not required by law to maintain: less data on hand means less data that can become a ransomware target.
  5. Incident Response Planning: Develop a comprehensive incident response plan. This will establish clear protocols for detecting, containing, and eradicating malware such as ransomware.  It will also guide how your company communicates with stakeholders, law enforcement, regulatory bodies, and the media following a known or suspected ransomware attack.  Conduct regular tabletop exercises to test the incident response plan, expose any snags, and ensure that each employee with a role to play is ready to play it.

Taking these steps will not ensure that your healthcare company never becomes the victim of a ransomware or other hack- nothing can do that.  But it will make your company less likely to be attacked and more resilient if an attack occurs.

If you have questions about how your company can protect itself from ransomware attacks, or if you think your company may be the victim of a hack, contact Chris Jones or a member of Sands Anderson’s Cybersecurity & Technology team.