Ransomware in Healthcare: What You Need to Know

According to IBM’s recently released Cost of a Data Breach Report 2021, costs associated with healthcare data breaches increased 29.5% in 2021 to over $9 million. Such attacks not only put sensitive patient and payment data in harm’s way but can also damage a healthcare organization’s operations and reputation. With ransomware strikes continuing to rise, organizations must prioritize security by understanding how these threats work. They must then be prepared to protect against and recover from an attack should one occur.

How Does Ransomware Work?

Ransomware attacks an organization’s system by infecting computers with a virus. This is often accomplished by tricking a user into clicking a link or downloading a file in a phishing email. These emails are disguised as communications from trustworthy sources, like a well-known brand or a utilized service provider. When the malicious link or attachment is clicked, the ransomware encrypts a computer’s hard drive and locks all its files. A screen then appears, threatening to destroy all files unless the ransom is paid.

A recent study revealed that in 2020, more than a third of healthcare organizations experienced a ransomware attack. Sixty-five percent of those same organizations reported that the criminals successfully encrypted their data.

Ransomware in Healthcare

Anyone can be at risk of a ransomware attack. It is important that the healthcare industry understands why it is particularly vulnerable.

Patient Data is Valuable to Hackers

Healthcare organizations are often targeted by hackers due to their access and storage of financial data and protected health information (PHI). Under the Health Insurance Portability and Accountability Act (HIPAA), PHI must be protected. Information such as name, contact information, social security number, medical record numbers and other unique identifiers are considered PHI.

A credit card account can be of value to a hacker but compromised cards are often quickly realized and closed by the owner. PHI, however, has a far longer life span. For example, medical records can contain multiple pieces of personally identifiable information. Additionally, breaches that expose this type of data typically take longer to uncover and are harder for an organization to determine in magnitude.

Digital Technologies Can Increase Threats to Data Security

Virtual care usage surged throughout COVID-19. Telehealth visits increased by fifty percent during the first quarter of 2020, compared to the same period in 2019. Despite the benefit of allowing patients and providers to engage within the challenges of COVID-19, the digital shift continues to present vulnerabilities for hackers to exploit.

At the start of COVID-19, HIPAA restrictions around virtual care were relaxed to accommodate care access and delivery during such unexpected times. The use of unregulated communication tools like Zoom and FaceTime were permitted from unsecured networks as many healthcare operations were forced into remote work environments.

In addition to virtual care, with the use of personal devices like fitness trackers and even smartphones, more healthcare data is collected, stored and transmitted digitally than ever. New technology, however, means new potential points of entry for cybercriminals. Producers of that technology must constantly work to address security concerns.

Paying the High Price of Ransomware

The average ransomware payout rose 82% to over $500,000 in the first half of 2021. Healthcare organizations are complex and often work with multiple systems. It often takes time to identify the source of an attack and shut it down. Cybercriminals know that healthcare organizations are under high pressure to get their systems back up and running after an attack because patient lives are at stake.

Preventing Cyberattacks at Your Organization

Protecting your systems from cyberthreats like ransomware should be a top priority. Consider these tips to help protect your organization against the threat of cyberattack.

• Be sure to select the most secure vendors and up-to-date software for your organization. For optimal healthcare payment security, protect your payments with the latest in payment security technology, including PCI-validated point-to-point (P2PE), tokenization and EMV. Additionally, ensure that your vendors are compliant with healthcare and payment regulations, including HIPAA, HITRUST, and AIPCA.
• Seek secure vendors that don’t disrupt the ability to engage with patients. Look for options that fit existing workflows. Ensure that your staff understands how to use them and regularly confirm that these solutions and security measures are actively being used by your staff.
• Help curb cyberattacks at every potential entry point with robust security software, including anti-virus, anti-malware, email filtering and firewalls throughout your organization.
• Make sure that your organization is quick to apply patches and system updates as soon as they’re  available. Do not skip updates and make applying system updates part of your standard activities.
• When stored and maintained on-site, data might not be fully encrypted. Consider cloud storage for at least some of your data to allow access to some services online in the event of a hack.

Make cybersecurity a priority for your entire staff with regular awareness training. Empower your entire organization with tips and best practices to protect personnel and your patients. Educate your teams about current threats to data security.