The impact of ransomware on healthcare organizations – an interview with Mark Nunnikhoven of Trend Micro
Healthcare data is extremely sensitive, which also makes it extremely valuable to malicious actors. As we’ve discussed in previous posts, the high value of healthcare data and the push to digitize health records have created a perfect storm – an environment where malicious actors are increasingly targeting health systems, hospitals, health insurers and other entities within the healthcare industry.
Unfortunately, what separates and differentiates the best healthcare providers often leaves them more vulnerable. The best care providers think almost exclusively of their patients. They put all of their focus and technology budgets towards new healthcare technologies, techniques and equipment, and focus less of their time and budgets on IT. And networks are often left less protected than they should be as a result.
Now, a new threat is rising up and impacting an increasing number of healthcare companies – ransomware. Ransomware effectively holds networks for ransom, making it difficult or impossible for care providers to get the information they need to run their business and deliver services to their patients. These attacks are becoming very frequent. In fact, ransomware attacks targeted two large healthcare providers – Kansas Heart Hospital and DeKalb Health – just in the past month.
To learn more about ransomware, why malicious actors are attacking healthcare organizations and what these organizations can do to protect themselves, we sat down with Mark Nunnikhoven, the Vice President of Cloud Research at Trend Micro. During our discussion, we asked Mark why malicious actors are moving towards ransomware, what they look to gain from attacks, and what healthcare organizations should do to prepare.
Here is what he had to say:
Mark Nunnikhoven (MN): Ransomware is a type of malware that criminals use to lock users out of their own files. Once the user is locked out, a ransom note is displayed providing instructions on how to pay the criminal in order to – potentially – regain access to your data.
The mechanics of this type of malware are very similar to other attacks. It’s the goal that has changed. Usually, malware tries to hijack a computer so it can be used to commit other crimes (spamming, botnets, etc.), or malware tries to find confidential data like login credentials or credit card numbers. In both of these cases, criminals can sell the access or data in the underground market.
With ransomware, the target is each individual user.
TAG: What has led to the emergence of ransomware attacks? Why are these types of attacks increasing in frequency?
MN: We’re seeing more and more of these attacks because the criminal underground has shifted over the past couple of years. Criminals no longer need specific technical skills to launch cybercrimes; they simply need connections. All of the tools required to launch a ransomware attack can be purchased or rented in the underground markets.
With that increased access, it’s simply become a numbers game. Criminals with sufficient connections to get these tools are now realizing significant profits through these attacks. As long as they’re making money – and they are making money hand over fist – we’ll see these types of attacks continue.
TAG: We’ve witnessed multiple ransomware attacks on hospitals, health systems and other healthcare entities – including attacks on Kansas Heart Hospital and others. Why are malicious actors targeting healthcare organizations for ransomware attacks? What are they looking to accomplish from these attacks? Why are these organizations good targets?
MN: The criminals behind these campaigns are actively seeking out new targets with deeper pockets. Healthcare is a logical target for them due to the critical and unique nature of the data.
When they attack an individual and block access to their photos, videos and personal documents, the individual can walk away from that data. When it comes to patient data, that’s typically not the case. Because of the critical nature of the data, healthcare organizations that fall victim to these attacks are more likely to pay the ransom, even if it means paying a much higher amount.
TAG: I’d assume the attractiveness of healthcare data leaves healthcare organizations open to other types of attacks. What other types of attacks are malicious actors perpetrating against healthcare organizations?
MN: In addition to the standard types of attacks that all enterprises see, healthcare organizations are a prime target for data theft. Ransomware is the latest wave in these types of attacks.
Healthcare records also hold a high value in the underground market because they are extremely useful for identity theft. Healthcare records often have enough information about an individual that a criminal can commit financial fraud and any number of other crimes associated with identity theft.
Because of the high value of the data in their trust, healthcare organizations are a prime target for criminals.
TAG: The HHS has said that they’re preparing to release ransomware guidance for healthcare organizations. What effect do you anticipate that having? What would you like to see – or anticipate seeing – in this guidance?
MN: I anticipate that the guidance will focus on two areas: prevention and recovery. As much as I’d like to be able to say that an organization can guarantee its security 100%, that just isn’t possible.
The guidance should focus on prevention with steps like:
- Use a strong email security gateway to block phishing attacks and SPAM
- Use modern, centrally managed anti-malware software on all endpoints (desktops, servers, laptops, etc.)
- Turn on automatic updates for all endpoints
Understanding that no defense is perfect, the guidance should recommend regular backups – including offline copies – and a rigorous incident response process that is regularly tested – including testing the restoration of those regular backups.
TAG: Many healthcare organizations are more focused on serving and curing patients than on IT, and many would say that their funds go towards new medicines and healthcare technologies before IT. With that in mind, how can healthcare companies protect themselves and their networks?
MN: Healthcare organizations and other businesses should be focused on their core missions. IT should never be a money sink. The good news is that a strong IT program can accelerate the business and security is a key part of that.
IT systems have gotten to a point where they are extremely complex. Security tools help ensure that they are working correctly and, more importantly, only doing the work they are intended to do.
The most successful IT programs that I encounter put a lot of effort into bringing the right teams together. Technology should support and amplify a team’s efforts. This is doubly true in the security world.
TAG: Are there specific things these organizations can do to guard against ransomware in particular?
MN: In addition to strong security technologies, organizations should be working with their employees to ensure they are well educated on the challenges posed by ransomware. Continuing education around phishing emails is especially crucial.
The other area to focus on is backups. Backups are an extremely good idea for a number of reasons, but when it comes to ransomware, a reliable backup takes away the criminals’ leverage. Why pay the criminal for access to your data when you can just restore from a backup?