Ransomware Going Nowhere – Healthcare Beware!

My friends who are lucky enough to still be employed throughout the pandemic appear to be split into two camps. Half seem to be spending much of the day staring out of the window, largely unproductive, the bosses’ gaze concentrating on other areas like the distracted Eye of Sauron. The other half are working three times as hard to make up for the colleagues who are furloughed or are unlucky enough to have been cut.

One set of people (neither friends nor acquaintances, I hasten to add) who are on the more productive end of the spectrum, are the ransomware operators.

In the first quarter of 2020, ransomware attacks increased by 25%, according to specialist insurer Beazley. In that period attacks on manufacturing rose by a whopping 156%.

Honda were forced to completely shut down all production in early June after being infected by EKANS ransomware. Threat intelligence firm Dragos have analyzed this variant in depth. It targets industrial control systems, which may suggest that Honda was specifically targeted. But EKANS is a blunt tool, as Dragos point out, and let’s not forget most worldwide car production halted because of the pandemic. The timing could have been much worse for Honda, while perhaps being much better for the attackers…

What is much more worrying, however, is just how often hospitals and healthcare providers are falling victim to ransomware attacks. Just shy of a quarter of all attacks in January to March were against the healthcare sector, as many as against the financial sector.

This happened despite a pledge by ransomware groups that they wouldn’t deliberately target hospitals during the pandemic and would provide decryption keys if they were ‘accidentally’ infected. Hmmmm

Healthcare is a prime target for hackers of all kinds. Modern hospitals which suddenly have no access to data will have a hard time managing admissions and discharges. They keep financial data, credit card details and social security numbers. And what is more sensitive and important data than patients’ health records? There is potential for a huge return on the hackers’ investment from a hospital where downtime is a life-or-death issue.

Rangely District Hospital in Rio Blanco County, Colorado, issued a ‘Notice of Privacy Incident’ two weeks ago following a ransomware attack that occurred in April. Names, dates of birth, social security numbers, diagnoses and conditions were amongst the types of data encrypted in the attack. Apparently the data was not stolen by the attacker, but stealing the data before encrypting it is becoming increasingly common in so-called “double extortion” events, as described by Check Point Research.

Even with an excellent and well-tested backup strategy, hospital administrators will still be tempted to pay a ransom to recover encrypted data. Even then, and even if one of those well-meaning ransomware groups offered the decryption software, there’s no guarantee of timely recovery. As reported in Health IT Security, research suggests that paying the ransom can double the recovery cost.

Ransomware prevention, response and recovery need a strategic plan all to themselves. Consider just the insurance aspect:

- Do you have cyber attack insurance suitable for your industry and the data you hold?

- Does the cyber attack policy insure against ransomware? Often that requires separate cover.

- Are there exclusions that limit liability if you are in breach of compliance, such as HIPAA? An auditor investigating a ransomware incident might find the compliance failure that invalidates your policy.

- Does your policy cover actions by malicious state actors? Even defining a so-called cyberwar is problematic.

TBG Security’s Cyber Risk Assessment will tell you whether your existing security policies and posture offer adequate protection. And with CISO on-demand, you can bring in the expertise you need, for the time you need it, to create and realize the IT security strategy to effectively deal with ransomware and other cyber threats.
