We know that ransomware is a menace for just about everyone, but the health care industry has been hit unusually hard by this particular type of attack. In fact, according to Solutionary’s Security Engineering Research Team (SERT) Quarterly Threat Report for Q2 2016, the health care industry represented 88 percent of all ransomware detections during the second quarter.
Think about that number for a moment. Ransomware seems to be everywhere, yet, 88 percent of detections were in one industry. Education and finance were second and third, at 6 and 4 percent, respectively.
Now, it must be noted that we may not be getting the full picture, as Solutionary threat intelligence communication manager Jon-Louis Heimerl told SC Magazine, after pointing out that the analysis was based on actual ransomware activities:
Other industries could very well have had more ransomware attempts which were isolated and stopped by additional controls, but in the case of the healthcare industry, we saw more successful infections.
Still, that’s a lot of attacks on the health care industry, which is already a prime target for cybercriminals. As Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data revealed, almost 90 percent of all health care organizations have suffered a data breach, and in 2016, ransomware attacks are leading the way, resulting in 41 percent of the breaches.
Ransomware against the health care industry is so severe that the Department of Health and Human Services is providing guidance on how to deal with the malware and potential attacks, that, according to eSecurity Planet, include:
- implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
- implementing procedures to guard against and detect malicious software;
- training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
- implementing access controls to limit access to ePHI to only those persons or software programs requiring access
It’s a step in the right direction, but it won’t be a cure-all. As Stephen Gates, chief research intelligence analyst at NSFOCUS, a leading enterprise network security provider, stated in an email comment:
Any new guidance that can help healthcare organizations prevent, detect, contain, and respond to threats (especially ransomware) is obviously good guidance. However, will guidance solve the bigger problem of the unsuspecting click? Ransomware is not an exploit that takes advantage of a vulnerable application or operating system. Ransomware is a payload that takes advantage of vulnerable people and their clicks. Even the best guidelines can’t solve that problem.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.