More than one billion emails arrive each day with phishing scams. One in 100 emails sent contains phishing, malware, or ransomware.
And ransomware is growing more popular — and lucrative for cybercriminals. For example, this past spring’s Carolina Pipeline ransomware attack cost the company over $4 million. It also compromised personal information — like social security and driver’s license numbers and health insurance information — of over 5,800 people.
The healthcare industry has become a prime target for ransomware and phishing attacks because personal health information (PHI) data has become a big money-maker on the dark web. Many hackers — and ransomware gangs — acknowledge the ease with which they can access and electronically “hold hostage” healthcare providers.
In fact, cybercriminals recruit ransomware gangs into affiliate programs. This criminal partnership benefits both participants: when a hacked company pays the ransom, recruited ransomware affiliates receive 80% of the ransom and the sponsoring cybercriminal gang earns the remaining 20%. Is it any wonder that the healthcare industry has become — and remains — a prime target for these ransomware affiliate recruiting programs?
Breaches in the Healthcare Industry
In 2021 alone, 67% of healthcare delivery organizations found themselves targeted by ransomware attacks. Criminals targeted 33% of the providers two or more times, according to the Ponemon Research Report: The Impact of Ransomware on Healthcare During COVID-19 and Beyond. An HHS Cybersecurity Program report — 2021 Forecast: The Next Year of Healthcare Cybersecurity — published earlier this year also identified the following weaknesses in healthcare cybersecurity:
- Phishing, when a threat actor uses emails to trick recipients into offering their credentials, personal information, or access to other tools
- Network edge vulnerability, when unpatched vulnerabilities within the network create opportunities for cybercriminals to capitalize on that weakness
- Remote desktop protocol (RDP), where attackers who already hold RDP access to a compromised machine use that access to steal information
Between January and October of 2021, there were nearly 500 healthcare-related breaches affecting over 35 million patients, according to the HHS Breach Portal, which lists all healthcare breaches and ransomware attempts. The bulk of the hacking attempts started with emails (one in three) or unauthorized network server access (52%). And a recent IDC survey found that companies hit by a ransomware attack have paid an average of $250,000 to regain control of their systems.
The FBI doesn’t recommend paying a ransom, because doing so can encourage further cybercriminal activity. It recognizes, though, that banning payments could place companies in an even more financially precarious position, potentially inviting more extortion. Still, only 13% of the organizations victimized by a ransomware attack opted not to pay the ransom. Of the healthcare providers who were victims of a ransomware attack and did pay the ransom:
- 10% paid less than $10,000
- 10% paid between $10,000 and $25,000
- 14% paid between $25,001 and $50,000
- 11% paid between $50,001 and $100,000
- 17% paid between $100,001 and $500,000
- 8% paid between $500,001 and $1,000,000
- 5% paid more than $1,000,000
Improving Healthcare Cybersecurity
Chief information security officers (CISOs) within the healthcare industry have indicated that their organizations have committed to increasing cybersecurity budgets and spending by 15% and up to as much as 35% for 2022. Respondents in Ericom’s annual Zero Trust Market Dynamics Survey indicated a prioritization of zero-trust network access (ZTNA) and unified endpoint management (UEM). Many healthcare organizations are also implementing employee training to increase recognition, and reporting, of attempted phishing and social engineering scams. Eighty-three respondents recognized the strategic necessity of implementing zero trust, and 80% planned to implement zero trust in a year or less.
A strategic initiative designed to prevent cybercriminals from conducting successful attacks, zero trust eliminates the concept of implicit trust from an organization’s network infrastructure. It’s based on the idea that organizations should trust nothing and verify anything and everything attempting to connect to their systems, whether internally or externally, before granting access.
Firewalls with decryption capabilities and two-factor authentication are both zero trust strategies designed to act like border controls within and outside an organization. Other tips shared by CISOs across a variety of healthcare organizations include:
- Start by defining ZTNA framework specifics so the framework scales with your organization’s business model and remains compliant with HIPAA. Even when ZTNA vendors offer HIPAA compliance as part of their bundled solutions, that doesn’t guarantee compliance. Why? The issue stems from how flexibly an add-on module can handle and automate a full audit workflow while maintaining appropriate transparency about audits. Often, the hassle of getting auditing to work at scale doesn’t translate into a positive cost benefit. ZTNA frameworks must support device and compliance audits of the endpoint. A good endpoint security platform has the capability to validate data integrity with self-healing endpoint security technologies.
- It’s critical, for the success of a ZTNA framework, to get identity and access management (IAM) right. It should scale beyond the single facility to encompass the full supply chain and treatment centers. Standalone IAM solutions are quite expensive, so newer organizations should consider a solution with IAM integrated into the program’s core. The most successful ZTNA frameworks include IAM that can accommodate new machine and human identities as they are added to corporate networks.
- Multifactor authentication (MFA) belongs everywhere throughout your organization, including patient, physician, provider, and supplier network accounts. This strategy helps protect endpoints, patients, and privileged, credential-based accounts, which cybercriminals tend to target with phishing and social engineering-based attacks.
- Champion cybersecurity training for your organization’s employees, regardless of their role. Give them the tools to identify social-engineering emails and phishing attempts. LinkedIn Learning, for example, includes hundreds of cybersecurity courses. While training alone won’t protect an organization, empowering employees to recognize threats provides another layer of protection.
- As more and more healthcare organizations merge into larger conglomerates and acquisitions accelerate, make sure to build cybersecurity strategy into the beginning of any transition plan. If you overlook cybersecurity strategy or wait to integrate it until a merger or acquisition is complete, it becomes too easy for cybercriminals to target either (or both) organizations during the transition and take advantage of the cybersecurity gaps.
Shoring Up Cyberdefenses for 2022 and Beyond
Healthcare organizations should place zero trust at the center of their cybersecurity initiatives. CISOs and CIOs within the healthcare industry have identified a variety of techniques and strategies to stymie cybercriminals. Yet these hackers will continue looking for new ways to extort money from the healthcare industry. At minimum, healthcare organizations should:
- Define (or update) their cybersecurity roadmaps
- Prioritize shutting down ransomware via remote browser isolation
- Improve and prioritize employee training
- Adopt advanced security technologies — IAM, RBI, and ZTNA frameworks — offering a first line of defense against cyberattacks