Industry Updates

Healthcare Ransomware Problem Is Getting Worse Recently

Ransomware is one of the most prevalent types of cyber attack on healthcare. It has been around for many years, but it became a trend in 2016. Recently, there has been a significant increase in the frequency and types of ransomware attacks being perpetrated.

Since 2019, even before Covid-19, healthcare providers have been the primary target of ransomware attackers.

This is because healthcare providers are more likely to pay the ransom to prevent the attackers from stealing or leaking patients’ sensitive information, such as names, social security numbers, addresses, phone numbers, medical data, insurance details, and much more.

Covid-19 only made the healthcare sector more vulnerable. Numerous healthcare providers had to lay off staff, including IT and cyber security staff, and that added vulnerability is what criminals are leveraging. The consequences of ransomware attacks are dire for the healthcare industry. In addition to the security issues that come with data breaches, an attack also disrupts medical care. To prevent loss of life, a large share of healthcare providers tend to give in to the extortion demands of ransomware criminals.

For example, in June 2020, the University of California San Francisco (UCSF) School of Medicine paid its attackers $1.14 million.

Ransomware attacks are so successful, despite their tremendous danger and financial costs, largely because of inadequate cyber security strategies on the part of healthcare providers. Cyber security strategies have to be developed and embraced to detect and prevent ransomware attacks. Such a strategy starts with understanding the life cycle of a ransomware attack.

In their 2019 study, "A survey on situational awareness of ransomware attacks–detection and prevention parameters", Juan and his team present the life cycle of ransomware attacks as follows:

Ransomware attacks start with ransomware design. This is where the ransomware developer creates a malware variant. After creating the malware variant, the attacker distributes it to victims through spam email, phishing, and other infection vectors. Upon arrival, the malware activates. It discovers the host details and obtains a unique encryption key from a remote control server. Thereafter, the ransomware search process begins and locates the targeted file types.

After obtaining the targeted files, the encryption process begins. The original files are deleted, while the newly encrypted files are renamed with a new file extension. At the end of the process, the ransom message typically displays the attacker’s instructions on how to pay the ransom amount.
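The delete-and-rename stage of this life cycle leaves a recognisable trace in file-activity telemetry: one process replacing many files with copies that share a single new extension. The detection sketch below is an added example, not taken from the study or the original article; the event format, the `.locked` extension, the paths and the function names are constructed assumptions.

```python
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Constructed file-activity events: (pid, operation, path, new_path). Not real telemetry.
EVENTS = [
    (412, "create", "/records/a.docx.locked", None),
    (412, "delete", "/records/a.docx", None),
    (412, "create", "/records/b.pdf.locked", None),
    (412, "delete", "/records/b.pdf", None),
    (412, "rename", "/records/c.xlsx", "/records/c.xlsx.locked"),
    (733, "rename", "/tmp/report.tmp", "/tmp/report.docx"),  # benign save
    (733, "delete", "/tmp/old.log", None),                   # benign cleanup
]

def replaced_files(events):
    """Map pid -> Counter of new extensions given to files whose original vanished."""
    created = defaultdict(set)
    hits = defaultdict(Counter)
    for pid, op, path, new_path in events:
        if op == "create":
            created[pid].add(path)
        elif op == "rename":
            old, new = PurePosixPath(path), PurePosixPath(new_path)
            if new.suffix != old.suffix:  # file now carries a different extension
                hits[pid][new.suffix] += 1
        elif op == "delete":
            # Original removed after the same process wrote "<original>.<new ext>".
            for candidate in created[pid]:
                if candidate.startswith(path + "."):
                    hits[pid][PurePosixPath(candidate).suffix] += 1
    return hits

def flag_suspects(events, min_files=3):
    """Return {pid: extension} for processes that replaced at least
    min_files files with copies sharing one new extension."""
    suspects = {}
    for pid, extensions in replaced_files(events).items():
        extension, count = extensions.most_common(1)[0]
        if count >= min_files:
            suspects[pid] = extension
    return suspects

if __name__ == "__main__":
    for pid, extension in flag_suspects(EVENTS).items():
        print(f"pid {pid}: bulk replacement of files with '{extension}' copies")
```

The `min_files` threshold is a tuning assumption; in practice it would be set against the normal rename volume of backup, sync and document-management software on the same hosts.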

The infection vectors are the most important aspect of a ransomware attack. If the infection vectors are locked down, ransomware attacks are stopped dead. All possible infection vectors should be patched up, including exploit kits, downloader and Trojan botnets, social engineering tactics, and traffic distribution systems.

Researchers recommend that healthcare cyber security teams patch up all possible infection vectors by applying all available patches. Surprisingly, despite the availability of patches, some healthcare providers have yet to patch up their infection vectors.

In situations where patches have not yet been released, the OCR 2018 report suggests that IT departments implement compensating controls to reduce the risk of identified security vulnerabilities to an acceptable level. These compensating controls include restricting network access and disabling network services or software components to protect against vulnerabilities that could be exploited via network access (OCR, 2018).