Numerous industries have been working to combat, prevent, and mitigate malware attacks. The healthcare sector has found itself particularly vulnerable to such attacks, and research has shown that the number of healthcare ransomware attacks often exceeds that of other industries.
Unfortunately, the latest IDC FutureScape predictions for healthcare IT do not show a change in this trend, and indicate that healthcare ransomware will only continue to increase over the next two years. Specifically, ransomware attacks against healthcare organizations will double by 2018, according to IDC FutureScape: Worldwide Healthcare IT 2017 Predictions.
It’s important for the healthcare industry to be willing to work to find the right balance between innovation and security, Lynne Dunbrack, research president of IDC Health Insights, told HealthITSecurity.com.
Dunbrack was one of the authors of the FutureScape report, and explained that healthcare certainly needs to move forward as an industry in terms of making appropriate investments in security. However, organizations need to ensure that they are not impeding themselves when it comes to making necessary investments in needed innovations.
For example, organizations are often focusing on engaging consumers and providing innovative technology to make it easier for clinicians to do their jobs, particularly around making EHR improvements.
“It’s about walking that line between ensuring that that innovation is secure, but that we’re also being able to move forward with new technologies as well,” Dunbrack said.
Reasons for continued healthcare ransomware attacks
Overall, IDC predicts that the next three years will be focused on the adoption of disruptive technologies that will enable healthcare digital transformation. Furthermore, an increase in internet of things (IoT) technology results in the convergence of mobile, social, and sensors. This is also a specific driver for the increase in healthcare ransomware attacks.
Healthcare is also a particularly soft target when it comes to cyber attacks, Dunbrack noted. The industry hasn’t historically invested in technology as much as other industries, such as financial services and retail. Healthcare is catching up, but is still lagging behind other sectors that have been under similar types of attacks for years.
“Retail and financial services have battened down their hatches,” she explained. “Now the cyber criminals might still be nipping at those heels, but they are looking at other targets, healthcare being one of them.”
Dunbrack added that healthcare organizations also cannot afford to be offline for any length of time, which can feed into some entities being willing to pay the requested ransom. However, this could show attackers that the approach worked once, so it may work again.
“It worked once and they’re going to continue to do so until healthcare gets to the point where they’re not as attractive as some other industry,” Dunbrack stated. “The vulnerability of not having adequate and resilient security, at least for the next year or so, we think healthcare will see more ransomware attacks.”
Along with the potential financial impact of a healthcare ransomware attack, Dunbrack also pointed out the report’s takeaway that mission-critical clinical systems are not available when IT systems are taken offline for remediation. This can create patient safety issues and even lost revenue when patients are diverted to institutions outside the affected network.
“It is one thing for a payer claims system, for example, to be offline for a certain period of time,” Dunbrack said. “It’s frustrating, and it has implications for the organization, but it’s not a life and death situation, as you would have in a hospital environment.”
Cyber criminals understand this aspect, she added, which is how in some cases they’ve been able to extract and extort ransom for organizations to bring their systems back online.
Staying ‘hypervigilant’ to prevent potential ransomware attacks
Healthcare organizations need to remain hypervigilant, Dunbrack stressed, and ensure that employees at all levels understand that security is everyone’s responsibility.
“It requires a fair amount of education for the people within the hospital, the end users themselves: the nurses, the physicians, the clerical staff,” she said. “Everyone needs to be very careful about what they click on in incoming email, for example.”
Cyber criminals have become quite sophisticated at mimicking legitimate emails. Additionally, if an individual is reading an email on a mobile device, it may not be as easy to pick up on certain visual cues that could be detected on a larger screen, such as on a laptop.
“It’s very easy for end users to click on a link and download the malware that then goes out and compromises the system,” Dunbrack stated.
It’s also important to be hypervigilant about installing security patches and keeping security software up to date. Firewalls need to remain updated, and different IT assets should be segmented from one another. That way, if something does get in, it can be isolated and prevented from compromising the entire enterprise.
Backups of key systems should also be performed and tested regularly. This approach has benefited some institutions, which found they did not need to pay the ransom because they could recover everything from a backup, she added.
Security should also be connected to and considered in other new technology investments, IDC explained in the report.
Dunbrack warned that an important aspect of this is how healthcare organizations approach their third-party relationships. When it comes to investing in security technologies, or any type of new technological investment in general, entities need to know the details of the other company.
For example, organizations should ask themselves questions such as, does the vendor understand HIPAA regulations? If they are not based in the US, are they willing to sign a BAA? What other healthcare clients does the company have? What is the company’s depth of knowledge in working with PHI?
IDC maintained that the healthcare ransomware situation will get worse before it improves. However, by taking critical steps toward prevention and mitigation, there is an opportunity for organizations to make significant enhancements in healthcare IT productivity and efficiency.