Healthcare facilities in the US and Canada continue to find themselves under siege from bad actors targeting them with ransomware attacks, according to researchers with Kaspersky Lab.
Overall, 27% of healthcare IT workers in North America report that their organizations had been hit with a ransomware attack within the past year, and of those workers, 85% of Canadians and 78% of Americans said their organizations had suffered up to five ransomware attacks in the past five years or more, according to a survey commissioned by the cybersecurity vendor.
In addition, 33% report that these cyber attacks had happened more than once.
The study, "The State of Cybersecurity in Healthcare," paints a picture of an industry that not only holds massive amounts of the type of personal information attackers want but also of one that is not learning from past mistakes.
"There are a number of reasons that the healthcare industry seems to be hit by cyber attacks often, and particularly ransomware," Rob Cataldo, vice president of enterprise sales at Kaspersky, told Security Now in an email. "First, the amount of sensitive personal data accessible in many healthcare organizations makes them an attractive target for cybercriminals. However, an even bigger draw for cybercriminals is that these organizations are leaving themselves vulnerable, with many still using legacy technology systems, while also leaving systems unpatched and insecure."
At the same time, many healthcare companies still don't provide employees with adequate cybersecurity training, making them more vulnerable to attacks caused by human error, Cataldo said.
Ransomware represented the most fearsome malware in 2017, thanks to such campaigns as WannaCry, Petya/NotPetya and SamSam, and the healthcare industry was an early and frequent target. According to a report by cybersecurity insurance company Beazley, in 2017, healthcare organizations were the victims of 45% of ransomware attacks. (For comparison, number two on the list was financial services and professional services, both at 12%.)
The threat isn't going away.
Over the course of the past year, cryptocurrency mining malware took over as the most popular malware used by threat actors, though there was a steady drumbeat of ransomware attacks. However, the non-profit Information Security Forum (ISF) late last month said that increasingly sophisticated ransomware attacks are among the top cybersecurity concerns in 2019. (See Ransomware, New Privacy Laws Are Top Security Concerns for 2019.)
That's bad news for the healthcare field, which has gotten a reputation as a good target for ransomware authors.
"Many industries do see repeated cyber attacks, but as we have seen with recent breaches in the news, this is particularly an issue for healthcare organizations," Cataldo said. "In many cases, following the first attack, cybercriminals will create variations of cyber-threats and resend them to the healthcare organization, either to get around any barriers that prevented their initial attack from being successful or to take advantage of reconnaissance details gathered during the initial infiltration. Additionally, as more healthcare breaches make news headlines, the more aware cybercriminals become that these kinds of organizations are an 'easy target,' so they will specifically look for healthcare groups to target, leading to repeated attacks on the same facilities."
Cybersecurity training and education are key tools for protecting organizations against attacks, he said. At healthcare companies, more work needs to be done to stop employees from clicking on email attachments or URLs that may carry malicious code.
"While healthcare organizations are beginning to provide more comprehensive cybersecurity education to prevent these kinds of attacks, our research found that 17% of healthcare employees admitted to having responded to a third-party request for patient information with the requested e-PHI [electronic protected health information]," Cataldo wrote. "This means that there is still a gap in cybersecurity education and training, and more must be done to ensure that the actions of a few employees are not putting the entire organization or its patients at risk."
That said, another key trend in the report was that employees lack confidence in how their healthcare organizations are approaching security, he said. Of those surveyed, only 26% of Americans and 18% of Canadians are confident in their organizations' strategies, and workers want to see their employers respond to cyber threats by taking such actions as increasing protection on medical devices or ensuring that employees are secure when working remotely.
About 21% of employees said they don't think their organizations will sustain a data breach in 2019.
"Overall, it seems that employees understand that healthcare organizations are a key target for cyber threats, but there is a lack of communication and understanding that their employer is taking cybersecurity seriously," Cataldo said.
Among the steps healthcare organizations can take to protect against ransomware attacks are regularly updating the operating systems on all networked devices with the latest patches, creating regular backups of critical information, and storing those backups in separate locations. Organizations should also constantly remind employees about current cyber threats and attack methods.
"Training and informing employees of IT security protocols and constantly communicating these through reminders can have a positive impact on preventing social engineering methods from spreading ransomware," he said.
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.