Healthcare CTO
March 18, 2021
The number of successful ransomware attacks in healthcare is increasing at an alarming rate. According to a Comparitech study, the cost of downtime caused by ransomware to healthcare organizations in 2020 was around $20.8 billion. Unlike many businesses that can temporarily halt operations to resolve an outage, hospitals never shut their doors, nor can they delay caring for patients already admitted while they address an attack, making them uniquely vulnerable.
Healthcare organizations are particularly sensitive to outages caused by ransomware. In the case of a systems outage caused by ransomware or by other means, hospitals shift to “divert status,” requiring them to “divert” incoming emergency cases and postpone or cancel scheduled procedures. Obviously, this has a detrimental impact on the hospital in terms of lost revenue, but also has a significant negative impact on patients in need of care or attention.
The motive behind ransomware attacks is typically financial gain. Threat actors who attack healthcare institutions take into account the level of dependence on clinical and financial systems, the nature of the equipment they are targeting and, in far too many cases, the exploitability of their target. Ransomware attacks are successful in healthcare due to failures in all of the following areas: people, process, and technology.
Technology can be exploited in several ways: the lack of a technology solution or mitigating control can create an open door for attackers; improperly configured security products are also vectors that can be compromised; and finally, selecting and implementing tools that aren’t the right fit for an organization’s unique needs may leave security gaps.
Failures in process are interesting to discuss in healthcare, as the industry thrives on process, continual learning and improvement. Information Technology (or Information Systems) departments, and IT security teams in particular, face seemingly insurmountable challenges when it comes to ensuring the organization’s systems are secure. Most organizations have written policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act. While these regulations outline many good security practices and expectations, they fall short in providing actionable guidance on technology selection and sound operational practices. When a system is put in place without a complete understanding of how best to operate and sustain it, the system moves from a benefit to a detriment, and can inadvertently enable a compromise of information instead of preventing it.
The final vector we will talk about in this article is people. Most ransomware attacks are enabled unknowingly by a person, or by multiple people. While good technology and processes can mitigate and intercept most attacks, they are not yet able to protect against all compromises. Email, web browsing, file sharing and other user-initiated activities enable attackers to compromise and eventually control systems. Asking a physician, nurse or administrator to be as educated in security as they are in their chosen profession is an unreasonable expectation, since patients and the organization depend on them to devote most of their attention to their clinical or administrative tasks. Mistakes in those tasks can have dire consequences, and healthcare organizations assign teams of people to reduce the potential for clinical mistakes.
Similarly, the goals of security professionals are singularly focused: protect the systems that the organization relies on to care for patients while minimizing disruption to the people who must use them. Successfully achieving this requires a significant understanding of how patient care is conducted and appreciation of the need for secure, efficient systems with proper controls in place. It is also important to understand the clinical equipment as well as the environments in which they operate, to ensure a secure system design. And, finally, it is critical to select the right technology for the task.
ePlus provides world-class security posture assessments, products and technologies, consulting, integration and ongoing operational services. Reach out to your Account Executive, or visit us at: https://eplus.com/solutions/security
Check out the next part of our series, Ransomware in Healthcare – Part Two: Strategic and Tactical Security Approaches, which covers methods used to Prevent, Identify, and Protect systems from being compromised. This includes benefits of proper segmentation techniques, means to educate and gain acceptance (and compliance) from general staff, educating security operations staff, and selecting security tools with an eye to operations and protection for the IT environment. And don’t miss part 3 of our Ransomware in Healthcare series, “Recovering from a Successful Attack”.
Preparation and success go hand in hand.