Escalating ransomware threats in the healthcare sector

The threat of cybercrime, and particularly ransomware, has been accelerating at an alarming rate in recent times. In Switzerland, a number of high-profile cases have been reported, indicating a shift in the perpetrators' focus from targeting individuals to targeting not only small and medium-sized companies but also large organizations. Trends show the healthcare sector being impacted, with the attacks potentially jeopardizing critical patient data and business continuity.

Global concerns around ransomware

Ransomware attacks have grown from peripheral and unconventional cyber-attacks to a widespread epidemic across multiple industries. The healthcare sector, and hospitals in particular, seem to have been hit hard by these attacks. One of the major reasons for the skyrocketing rise of ransomware attacks in this space is the use of high-end systems to preserve data, which are often insecure and more vulnerable to attackers.

In a recent case, the internal systems of a US hospital were hijacked by ransomware. Media reports stated that the investigation process took several days from the moment the infection was first identified to when the problem was resolved. During this period, all health-related digital data and critical patient records were encrypted and could not be accessed. It was later reported that a ransom was paid in bitcoins to the cybercriminals, who held the hospital’s computer system hostage. Whilst the ransom amount may not have been very high, the resulting damage could have been catastrophic, as patient health and safety would have been at stake.

Decrypting ransomware

Ransomware is a piece of malicious software used by hackers to encrypt user documents and system-critical files, rendering them unreadable until a ‘ransom’ is paid. The ransom is usually requested in bitcoins, a virtual currency that is typically unregulated and relatively untraceable.

A typical ransomware attack proceeds as follows:

  • The hackers infiltrate a computer by sending a malicious email that appears legitimate. This may be in the form of a bill or an invoice with an attached file, often a Word document, or a link to be clicked on. This kind of attack is also known as a phishing attack.
  • The unsuspecting recipient of the email clicks on the attachment or link, which then requires user interaction to ‘enable content’ or download additional ‘software’ to enable viewing.
  • When the user ‘enables content’, the malware is launched onto the computer and/or network and immediately starts to identify, lock and encrypt user files, rendering the data on the computer and/or network unusable.
  • The ransom is then demanded through a popup or text file. Once it is paid, the attackers provide a digital key to decrypt the files. The reality is that there is no guarantee that the attackers will actually follow through on their promise of decryption.

Close analysis shows that these cyber-attacks are currently targeted toward sectors such as healthcare and education, which historically have not had large security budgets or imparted cyber security training to staff. Regulatory compliance and other aspects of patient privacy would typically take precedence. The evolution and proliferation of the malware highlight that this threat may soon spread across a much larger “victim” pool, engulfing even sectors such as oil & gas, power & utilities and the public sector.

Hackers have now created ransomware-as-a-service models, which allow anyone to use the service and the malicious software.

Addressing risks to enhance patient safety

The unfortunate reality is that organizations in the healthcare sector cannot do much once a computer or network has been compromised by a ransomware attack. Adopting a proactive approach to protect patient data can mitigate risks to some extent. Some of the key steps organizations can endorse to all stakeholders include:

  • Performing regular off-site backups of all files
  • Showing hidden file extensions
  • Refraining from opening attachments that look suspicious
  • Updating or patching software regularly
  • Disconnecting from the internet and Wi-Fi immediately in the event of any suspected attack
  • Keeping firewall turned on and configured at all times
  • Disabling file sharing and other remote services
  • Using strong and complex passwords
  • Staying vigilant against these attacks by actively communicating organizational policies and training employees to detect and react appropriately
  • Staying abreast of the latest cybercriminal tricks and techniques that are regularly reported
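
As an added illustration (not part of the original article), the following sketch triages mail attachments for the delivery step described earlier, flagging Office files that carry macros and the double extensions that hidden file extensions conceal. The extension lists, function names and the sample message are assumptions constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".pptm"}
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def triage_attachment(filename, payload):
    """Return the reasons an attachment deserves a closer look."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
        # 'invoice.pdf.exe' displays as 'invoice.pdf' when extensions are hidden
        if len(parts) == 3 and "." + parts[1] in DOCUMENT_EXTS:
            reasons.append("double extension")
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled extension")
    # OOXML files are ZIP archives; VBA macros are stored in vbaProject.bin
    if payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    reasons.append("contains VBA macro project")
        except zipfile.BadZipFile:
            reasons.append("malformed archive")
    return reasons

def triage_message(raw):
    """Map each attachment name in a raw RFC 5322 message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): triage_attachment(p.get_filename(), p.get_content())
            for p in msg.iter_attachments() if p.get_filename()}

def build_sample():
    """Constructed sample: an 'invoice' mail with three harmless attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<doc/>")
        z.writestr("word/vbaProject.bin", b"placeholder")  # stands in for macros
    msg = EmailMessage()
    msg.set_content("Please see the attached invoice.")
    files = {"invoice.docx": buf.getvalue(), "invoice.pdf.exe": b"placeholder",
             "notes.txt": b"hello"}
    for name, data in files.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Running `triage_message(build_sample())` flags the `.docx` that still contains a macro project even though its extension looks benign, which is the case a filename-only filter misses.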

Dealing with the aftermath of ransomware attacks can be challenging, and paying the ransom may sometimes turn out to be the only option to recover locked data. A focus on deterrence through continuous monitoring, deploying tools to defend against and remediate attacks, and bringing in specialists in case of a breach will play a key role in helping the healthcare sector augment patient safety.

Follow @EY_India and track #EYForensic

