How to Protect Your Organization Against Ransomware


Ransomware attacks are rapidly increasing in frequency and intensity as technology advances. Malicious actors tend to target industries with large amounts of high-value data, making healthcare organizations a prime target. 

Data security and patient privacy are crucial in healthcare. Not only can a ransomware attack negatively affect an organization’s bottom line, but it can also negatively impact patient care with incorrect information, slow data exchange and privacy invasion. Protecting against ransomware is a non-negotiable requirement for healthcare organizations. 

Healthcare Industry Ransomware Epidemic 

In 2021, the Health Sector Cybersecurity Coordination Center (HC3) tracked 48 ransomware incidents in the U.S. It found that 72% of respondents experienced a data leak because of the attacks. 

Furthermore, patient data from healthcare facilities and organizations is the most lucrative data for attackers. A 2019 global security report found that the average healthcare data record was selling for up to $250 on the dark web. When you compare this to the $5.40 charged for payment card information — the next high-value record — it’s clear why the healthcare industry faces an epidemic of ransomware and data breaches. 

Damages Beyond Privacy Invasion 

Having patient data exchanged in the digital underground economy is a major privacy invasion and could seriously damage a healthcare organization’s reputation. More importantly, the organization can be held liable under state or federal regulations for breaking laws such as the Health Insurance Portability and Accountability Act (HIPAA).

Ransomware doesn’t only expose data to issues like identity theft; its core feature is holding files hostage through encryption until a ransom is paid. The financial implications for stakeholders can be overwhelming.

Additionally, when healthcare providers are unable to quickly and securely access patient data — anything from medical history and records to test results and scans — it can severely delay the administration of appropriate treatments and procedures. It’s very possible that patients die. 

Understanding Attack Avenues 

The first step toward protecting your healthcare organization against ransomware is understanding its weak points. 

Poor Data Management 

Patient data is the primary target of the actors behind ransomware attacks. Databases need to be categorized based on sensitivity, allowing you to prioritize cybersecurity resources and efforts. 

Data management includes access privileges. Data access should be minimized by default, so that an insider who has no business need for the data cannot become an avenue for access. The more keys to a door there are, the more likely someone is to steal one and get inside.

Human Error 

Human error is the leading weakness exploited by ransomware and malware attacks across all industries. Unlike malicious insider attacks, human error can happen at any employee level, compromising a system.

Malicious actors can take advantage of human error through social engineering. They either phish for information that could enable them to access the patient database or trick an employee into leaving a back door open through malware delivered via digital or physical means. In some cases, it could be as simple as a stray USB drive left strategically on a front desk. 

Poor Cybersecurity 

Even if the infrastructure of a healthcare organization is optimized for privacy and security, using inappropriate or outdated cybersecurity tools could still cause issues. Through brute-force attacks, malicious individuals and organizations can gain access to an organization’s internal network, infecting it with ransomware. 

How to Protect Against Ransomware 

Effective protection against ransomware attacks requires both preventive measures and measures for mitigation and response.

Human Training 

A study called “Psychology of Human Error,” led by Stanford University professor Jeff Hancock, found that approximately 88% of data breaches are due to human error. By that logic, training employees on digital hygiene and cybersecurity fundamentals is enough to protect against nearly 9 out of 10 attacks.

Employee training ranges from periodic seminars to consistent, regular workshops that cover the basics of internet security, data privacy and the latest phishing schemes. Training should be tailored to each employee’s position in the organization.

Access Privileges and Segmentation 

Limiting access privileges and segmenting databases can greatly reduce the damage of an attack. Instead of accessing the full database, the breach would be contained in the individual segment. Employees should be extremely limited — if not outright prohibited — from connecting personal devices to the organization’s network.  

Additionally, every employee should only have access to the systems they frequently use in their work. Anything more sensitive, or used less often, should require explicit permission before access is granted.

Performing Regular Backups 

By regularly backing up data on a secure server, your IT department can wipe compromised databases and restore the data without having to pay a ransom or decrypt files. 

Zero-Trust Security 

Zero-trust security, as the name suggests, acts under the assumption that no device, inside or outside your organization’s network, is trustworthy. With zero-trust, all employees require additional authorization through identity authentication before accessing any systems or services through digital or physical means. 

In this scenario, ransomware is treated as a user with invalid credentials, allowing the zero-trust infrastructure to deny it access to patient data, even if it’s already inside the system. 

Finding Qualified Professionals 

Securing the systems of a healthcare organization is a bit different from securing systems in other industries when you consider the scale of operations and regulations. It’s critical to have someone who’s knowledgeable about both the healthcare industry and cybersecurity. For those seeking an opportunity in healthcare’s cybersecurity, a health informatics program may be beneficial. 

USF Health’s MS in Health Informatics is 100% online and designed for physicians, nurses, physical therapists, pharmacists, mental health workers and other healthcare workers.  
