Hackers are increasingly targeting small hospitals and health centers with ransomware attacks, likely because these organizations are more likely to pay the ransom to recover data, according to a new report.
Ransomware attacks against healthcare facilities increased by 35% between 2016 and 2019, according to a report from cybersecurity company RiskIQ.
Cybercriminals tend to target direct patient care facilities such as hospitals or healthcare centers (51%), medical practices (24%) and health and wellness centers (17%).
"We assess cyber-attackers prefer these facilities because they are more likely to pay to prevent disruption to patient care," RiskIQ said.
RiskIQ found that 70% of the ransomware attacks targeted small healthcare facilities with fewer than 500 employees. This trend is particularly concerning since 80% of small practices do not have an in-house security official, according to a survey by the American Medical Association (AMA).
Almost half of physicians have an in-house security official, but only 20% of small practices do, and they typically trust health IT vendors to provide cybersecurity support, AMA found.
Based on RiskIQ's analysis, most facilities impacted by a ransomware attack did not disclose paying a ransom, but 16% did pay the ransom to obtain recovery keys from the hackers.
"Unfortunately, paying the ransom does not guarantee the recovery keys will be provided or, if they are, that they will work," RiskIQ wrote. That was the case with Kansas Heart Hospital, which paid hackers $47,000 in ransom but was not able to regain access to its network when the hackers demanded a second ransom, CSO reported.
The average ransom demand is $59,000, according to RiskIQ's analysis. But that is often just the beginning of the costs associated with an attack.
Brookside ENT and Hearing Center was forced to close down after attackers wiped all the office files, including appointment schedules and payment and patient information, when the owners refused to pay the $6,500 ransom, according to the report.
Likewise, following an attack, some health facilities have been hit with class-action lawsuits citing a failure to monitor their attack surface, including their network and the systems that store sensitive data.
Cybercriminals are capitalizing on coronavirus concerns, which have led to a spike in malicious online activity that will increasingly impact healthcare facilities and COVID-19 responders. The sophisticated methods used by hackers combined with the coronavirus pandemic have created a "perfect storm" of new targets and methods for hackers, RiskIQ said.
As more organizations move employees to work from home, remote staff make it harder for IT teams to police computer systems and prevent cyberattacks. Attackers now have far more access points to probe or exploit, with little to no security oversight.
Microsoft recently warned hospitals that sophisticated ransomware attacks are trying to exploit remote workers to gain access to their networks. Ransomware operators are trying to find vulnerabilities in network devices like gateway and virtual private network (VPN) appliances, the tech giant said.
The AMA and the American Hospital Association teamed up to launch new guidance for physician groups and hospitals to fight malicious cyberactivity amid the COVID-19 pandemic.
Tips to protect practices
Healthcare organizations need to take the critical step of backing up data on their systems to protect against the disruption of a ransomware attack, RiskIQ said.
RiskIQ also stressed the importance of patch management and phishing training for healthcare employees.
RiskIQ offered several recommendations to help small hospitals and provider organizations mitigate cyberthreats:
- Add data storage: After backing up data, the next step is to store data offline or on a different network to defeat those cybercriminals who do target backup systems.
- Have encryption: Healthcare data should be encrypted so that even if cybercriminals acquired it, they would not be able to read it.
- Have a plan: Develop an incident response plan to help mitigate the impact of certain destructive malware attacks.
- Track data: Security personnel should track the company’s digital assets that are connected to the organization outside the firewall, because attackers search for unknown, unprotected and unmonitored digital assets. This is particularly important now as healthcare facilities’ digital attack surface expands and becomes more complex with some staff working from home.
- Set up firewalls: To harden networks and connected equipment, healthcare facilities with devices running open services should place them behind a firewall. They should also whitelist at the firewall only those external IPs that require access. Placing these devices within a VPN adds another layer of protection.
- Follow the trends: Be aware of current ransomware threats and be alert to attack trends. For example, most ransomware attacks take place during the night or over the weekend, according to a recent FireEye report.
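The first two recommendations above (back up data, then keep a copy offline or on a separate network) are only useful if someone checks that the backup is still there, still recent, and still unmodified when a ransomware operator reaches the backup store. The following is an added example of such a check, not RiskIQ's or any vendor's code; the file layout, the `manifest.json` format and the 24-hour freshness window are assumptions chosen for illustration.

```python
"""Backup freshness and integrity check (example code, not from the report).

Assumptions: one backup directory per day on a separate store, with a
manifest.json beside the files recording a SHA-256 per file and the time
the backup was written. A daily job runs verify_backup() and alerts on
any finding that is False.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # assumption: backups are taken daily


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record the hash of every file in the backup set. The manifest lets a
    later check detect files that were encrypted or overwritten in place."""
    files = {
        p.name: sha256_of(p)
        for p in sorted(backup_dir.iterdir())
        if p.is_file() and p.name != "manifest.json"
    }
    out = backup_dir / "manifest.json"
    out.write_text(json.dumps({"created": time.time(), "files": files}))
    return out


def verify_backup(backup_dir: Path, now: Optional[float] = None) -> dict:
    """Return findings: manifest present, backup fresh, and every file still
    hashes to what the manifest recorded."""
    now = time.time() if now is None else now
    findings = {"manifest_present": False, "fresh": False,
                "intact": False, "mismatched": []}
    mpath = backup_dir / "manifest.json"
    if not mpath.exists():
        return findings
    findings["manifest_present"] = True
    data = json.loads(mpath.read_text())
    findings["fresh"] = (now - data["created"]) <= MAX_BACKUP_AGE_SECONDS
    for name, digest in data["files"].items():
        p = backup_dir / name
        if not p.exists() or sha256_of(p) != digest:
            findings["mismatched"].append(name)
    findings["intact"] = not findings["mismatched"]
    return findings


def demo() -> tuple:
    """Constructed scenario: a good backup, the same backup after one file
    was overwritten (what ransomware does when it reaches backup storage),
    and the good backup checked two days later (stale)."""
    with tempfile.TemporaryDirectory() as d:
        bdir = Path(d)
        (bdir / "schedule.csv").write_text("2020-04-01,room1,patient-a\n")
        (bdir / "billing.db").write_bytes(b"\x00\x01\x02billing")
        write_manifest(bdir)
        good = verify_backup(bdir)
        stale = verify_backup(bdir, now=time.time() + 2 * 24 * 3600)
        (bdir / "billing.db").write_bytes(b"overwritten-by-attacker")
        tampered = verify_backup(bdir)
    return good, stale, tampered


if __name__ == "__main__":
    for label, result in zip(("good", "stale", "tampered"), demo()):
        print(label, result)
```

In practice the manifest should be written by the backup job onto the separate store and the check should run from a host that has read-only access to that store; a backup that the production network can write to is one that ransomware on the production network can encrypt.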