The health care industry was the target in 88% of all ransomware attacks on US industries in 2016. The perpetrators of these malicious attacks have realized that the health care industry is particularly vulnerable to cyberattacks and has a major incentive to pay the ransom quickly. Patient safety, the organization’s reputation, and the risk of potential fines all motivate victims in a health care organization to pay the ransom and restore service. However, recognizing the risk and taking steps to protect your network are about much more than money.
Seeing the Big Picture
Health care information was the most breached in 2016, with a stolen medical record worth more than 10 times as much as a stolen credit card. There is an average of one new health care breach per day, with thousands of patient files compromised with each breach.
Hackers have recognized that an even faster and more lucrative way of turning their crime into cash is by employing ransomware. In a ransomware attack, the criminal does not need to find a buyer for the stolen data; they demand a “ransom” directly from the health care organization. Due to the pressures on health care providers, that payment often comes very quickly. In fact, ransomware attacks now comprise 72% of all malware attacks in the health care industry.
It’s not a matter of if your organization will face an attack, but when, and how you’ll prepare beforehand or respond afterwards.
Prepare for Attack
The most effective step your organization can take is to provide training to all employees on the risks and responsibilities of protecting patient health information. You provide fire drills, training for emergency situations, and regular employee training in other areas, so make protecting your patients’ information a priority in training. Cyberthreats change rapidly, so make your employees aware of the dangers by providing the training they need to spot and avoid threats.
Reassess your backup system. Ransomware often seeks out and compromises backup systems before announcing itself. Regular rotations of backup systems that are then completely disconnected from the network are a minimum best practice.
Update your software with the latest patches, and make sure your antivirus solutions update continually to contend with the latest threats. Systems unique to the health care industry can be particularly vulnerable and require immediate patching whenever an update is available.
Recognize that all these steps require time and money to implement. In a health care organization, every line of the budget is crucial. The potential for fines if Health Insurance Portability and Accountability Act-compliant solutions are not in place should compel you to find the means to ensure your safety. Making the threat clear will help prioritize the time and effort for training and updates to take place.
Why Act Now
Patient safety is at stake in a ransomware attack. The reputation of your organization will suffer if you succumb to an attack. While no current system can completely guarantee that you are invulnerable to attack, the duty to safeguard your networks should be imperative in your organization. Act with urgency now to avoid an emergency later.