Criminals are increasingly using ransomware to target healthcare organizations. What do these attacks entail?
As organizations improve the maturity of their cyber risk programs and capabilities, cybercriminals also continue to look for innovative ways to drive their revenue streams. One such rapidly increasing attack mechanism is ransomware. Ransomware is a category of malicious software ("malware") that encrypts a user's disk drives and demands some form of compensation in return for critical data held hostage.
Over the past year, healthcare organizations, particularly providers, have been attractive targets for cybercriminals.
These criminals have recently updated their arsenal with ransomware to conduct attacks on healthcare providers, resulting in severe impact on healthcare operations and potential risk to patient safety. This industry was not considered a primary target for ransomware attacks until recently, but events of late suggest that ransomware may increasingly be aimed at healthcare organizations using social engineering and other tactics. It has become critical for healthcare organizations to understand the potential impact of ransomware on healthcare operations and patient safety, and be prepared in the event that they experience such an attack directly.
A typical method of infection is an email containing a malicious attachment that will download the ransomware. Infection with ransomware may compromise sensitive files, rendering those files and associated systems inaccessible to health personnel, thereby disrupting normal operations by inhibiting access to, for example, patient records, appointment information, and test results. Financial loss is also very likely to affect the targeted companies, as a ransom payment is demanded by the threat actor, with the promise that once payment is received, a decryption key will be provided to restore compromised files.
Users may encounter this threat through a variety of means. Ransomware is often distributed as attachments to a series of spam campaigns. Ransomware can also be downloaded by unwitting users who visit malicious or compromised websites, or it can arrive as a payload, dropped or downloaded by other malware. The most recent versions of the virus are TeslaCrypt and Locky, which encrypt files on a computer's hard drive and any external/shared drives, then direct the user to a payment page that requests a ransom amount.
Ransomware attacks are financially motivated. Attackers target organizations to extract a ransom payment or target the theft of critical data such as electronic protected health information (ePHI) and personally identifiable information (PII). Because healthcare organizations cannot afford to be paralyzed for long periods, there may be a higher likelihood that ransom fees will eventually be paid. Other reasons healthcare providers, in particular, are attractive targets include a lack of training and awareness: employees and staff are often not adequately trained on how to avoid being hacked, and the organization may be using outdated software and technologies that are more susceptible to attack.
For healthcare providers, a ransomware attack can be particularly significant. Pursuing valuable ePHI, attackers are aware of exploitable vulnerabilities and are opting to hold hospitals hostage rather than use traditional data theft methods. Information at hospitals is time-critical; sudden lack of access to critical data in emergency rooms and operating rooms could result in substantial disruption and threat to patient lives and safety. Potential impacts can include disruption of operations; loss of, or inability to access, key information; breakdown of communication; unauthorized disclosure of PHI/PII, intellectual property, or other confidential electronic health records (EHR); and reputational and brand impact.
The cost of investing in cybersecurity can pay huge dividends over the long term. Healthcare organizations need to analyze and weigh the importance of these investments against the potential impact of ransomware and other types of cyber-attacks. Such attacks are likely to continue to evolve in complexity and frequency, and a mature cybersecurity program can help reduce the impact of these attacks. The most secure, vigilant, and resilient organizations have focused and well-configured technologies and well-defined and executed security processes to prevent and detect threats, as well as contingency plans to help reduce the impact of such attacks as much as possible.
Raj Mehta is a partner in Deloitte's Cyber Risk Services.
[Image courtesy of BOAZ YIFTACH/FREEDIGITALPHOTOS.NET]