When we need it most, healthcare is still hit hard by ransomware

The Fortune 500 for-profit managed healthcare and insurance firm Magellan Health was hit by a ransomware attack this week.  

The American outfit reportedly suffered a breach of its corporate servers on April 11 – well after the pandemic took hold – and led to the theft of personal information from customers which include health plans and other managed care organizations, labor unions, employers, military and governmental agencies, as well as third-party administrators.  

The attack came after leading cybercrime gangs promised “No More Healthcare Cyber Attacks” during the COVID-19 pandemic. 

Speaking to Fox Business, a spokesperson for Magellan noted that despite the healthcare firm taking “safety, security and reliability” of its operations, “unfortunately, these sort of attacks are increasingly common.” 

And that is indeed a depressing truth. Cybercriminals deploying ransomware attacks targets organizations indiscriminately based on their vulnerability, data payload, or likelihood to pay. Whether these are publicly-funded or private organizations seems to matter little. 

Within the last year alone, for example, we’ve seen countless attacks on US cities, which have put momentary locks on vital public resources, including emergency services. 

But in the private sector, attacks like that of Norwegian aluminum firm Hydro show just how shattering this malware can be – bringing a multinational industrial giant to its knees overnight and leaving thousands of staff scrambling to keep operations and their livelihoods intact. 

For many years, the healthcare sector has attracted cybercriminals – it’s even earned the unwelcome title of the most-targeted industry. 

A third of all data breaches happen in hospitals, and the number of breached personal records in the healthcare industry nearly tripled from 2018 to 2019, jumping from ​15 million to 40 million​. The Asia Pacific region, of course, has had its own share of ransomware attacks targeting hospitals and schools. As we said, attackers don’t discriminate. 

Why healthcare takes the ransomware brunt

But why is healthcare a prime target? In essence, it is the perfect hostage.

It’s generally overburdened, staff are overrun, it relies on legacy IT systems, carries highly-sensitive data, it has money (while this must be thinly and painstakingly spread across crucial functions), and it has vast networks of partners and third-party inter-dependencies. There is also life or death leverage – a hospital can’t wait around before making a decision. 

Right now the COVID-19 pandemic has placed further strain on the sector. The primarily remote global workforce poses severe security challenges, and protected health information is more critical – and more sought-after by threat actors looking to capitalize on current concerns to score a profit against the organization and unsuspecting patients.  

But the black-hat hacker community has a shameful history of pock-marking the healthcare sector with malware. 

Perhaps the most infamous volley came with the 2017 WannaCry ransomware attack, which targeted Microsoft Windows operating systems by encrypting data and demanding Bitcoin ransoms. 

Europol called the scale of the campaign unprecedented. It ripped through 200,000 computers across 150 countries – Russia, Ukraine, India and Taiwan were some of those worst affected.

But one of the largest agencies stuck by the attack was the UK’s National Health Service (NHS). Here, up to 70,000 devices including computers, MRI scanners, blood-storage refrigerators and theatre equipment were thought to have been affected. 

The fallout of this disruption meant that some non-critical emergencies had to be delayed and ambulances diverted. 

More recently, multiple hospitals across the States have been infected by outdated JBoss server software. In these cases, attackers uploaded malware straight to the out-of-date server without even need for interaction from a victim. 

Hollywood Presbyterian Hospital in California was one of the hospitals affected, in a case which delayed patient care and ultimately resulted in the hospital paying US$17,000 to regain access to files and their network. 

That may be small-change in the scale of things, but all funds which could be spent on a worker’s wages, or on life-saving surgery or medicine. 

But not paying can be devastating: after a small physician-owned practice in Michigan declined to pay a US$6,500 ransom demand, attackers wiped its computer systems clean, destroying all patient records, appointment schedules and financial information. The task was too much and the practice had to close its doors. 

These are just a few cases of a much wider problem. Comparitech reports that 172 individual ransomware attacks (affecting at least 500 people) targeted 1,446 clinics, hospitals, and other healthcare organizations since 2016 at a cost of US$157 million. The total ransoms demanded were nearly US$16.5 million with individual ransom amounts varying from US$1,600 to US$14 million per attack. 

Advanced IT requires advanced cyberdefence

As healthcare IT advances, leveraging big data analytics and artificial intelligence, as well as making ground in providing more streamlined and personalized digital support to patients, these organizations continue to amass sensitive data making them more vulnerable to ransomware attack – and making the damage of a breach that much more significant.

According to data from the Ponemon Institute and IBM Security, the average mitigation cost of a healthcare data breach is now US$15 million in the US. We’re not talking small-change here. 

Healthcare organizations around the world are fiercely implementing cutting-edge technologies that save more lives and cure more ailments than ever before. But despite tremendous innovations in medical knowledge and devices, the healthcare sector continues to fall behind in its cybersecurity protocols. 

As data privacy regulations issued by global governments grow in both scope and importance, healthcare organizations are responsible for more sensitive data than ever before, and they must protect it from evermore sophisticated foe – one that is familiar with the sector, its security policies and its vulnerabilities. 

A recent report by Intsights sheds light on the scale of threats healthcare organizations are now faced with, as well as examples which show how members of this sector simply aren’t equipped with the security controls to fend them off: 

Bruised, battered but ever-determined and courageous, the healthcare sector won’t ever shy away from cyberthreats in its constant mission to advance the efficiency and effectiveness of the care it offers to people. 

But in the face of compassionless adversity, which certainly won’t dwindle, it has little choice but to make itself more resilient. Like any organization, any business or industry, where IT is now a driving force for advancement, cybersecurity must be woven into the fabric of any digital transformation initiative – without fail. 

Commenting on the Magellan Health attack, OneLogin’s Senior Director of Trust and Security, Niamh Muldoon, told us that businesses and organizations musts have a crisis management program that involves subject matter experts across the organisation, “to ensure that the enterprise can make timely and informed risk-based decisions to help them through the ransomware crisis.”

The advice given by Intsights, meanwhile, is aimed at the healthcare sector during the current COVID-19 crisis, but it is largely universal, particularly as we approach a further period of uncertainty pertaining to how businesses and the workforce could operate once this pandemic recedes: 

# 1 | Assess risk and potential liability​

Newly remote workers may be required to transfer sensitive data to local drives on their private computers, and that introduces several possible implications to multiple data security regulations as well as jurisdictional privacy laws, most notably the ​GDPR​ and the ​CCPA​. 

Measuring the business against any data security standard or framework to get a temperature reading on data security and existing controls can help to ensure that the organization is poised to combat increased threats and address resource requirements.

# 2 | Use threat intelligence to identify organizational risk

Threat intelligence solutions can help security teams automate and reduce manual data collection to prove security control efficacy with required industry compliance standards. Explore core cyber threat intelligence use cases that lead to quick security control and compliance wins.

# 3 | Align your data privacy policy with global privacy laws 

Take the first step in securing sensitive and critical data by ensuring your program will meet the rigor of current cybersecurity and global data privacy laws. Assess your core audit requirements to achieve regulatory and security confluence.

# 4 | Protect compensating security control

Policies can be constructed to target, tag, and monitor core assets that are critical to the security policy (i.e., Windows systems that are no longer supported). 

This will help identify when legacy systems are at risk. The presence of intelligence showing the use of specific negative-zero-day exploits will help to prioritize weak spots in the business security posture.

# 5 | Locate exploited data and credentials. ​

Global rules can be set up to target specific critical data leakage or exploitable data. This will help ensure proactive remediation of threats from data request spoofing attacks and find any references to sensitive data that has been compromised.