We all know that the most recent and pernicious forms of phishing attacks are ransomware attacks. They are increasing in scope and incidence, as well as impact and cost.
But a more disturbing trend is that healthcare entities are being targeted for such ransomware attacks. The most recent is the massive ransomware attack against the UK’s NHS, whereby attackers demanded cyber payments in return for releasing heathcare information from its ravages.
It has also been reported that many of the attacks used against these healthcare providers originated with tools purloined from the NSA, showing that tools have no morality themselves.
The reason healthcare data is most vulnerable to ransomware attacks can best be seen in terms of ransomware defenses. The most basic defenses to ransomware include advanced endpoint and other malware detection/prevention, education and training (keeping people from clicking on dumb things), virtualization to limit impact and spread of the malware which causes ransomware, incident response and readiness programs (also to limit impact), and of course, frequent data backup with “hot” and “warm” sites for data recovery. Also included is the availability of “clean” hardware on which to restore the clean(ed) data.
First, much of this doesn’t work well in a distributed multi-user, multi device, environment like healthcare. But second, and more importantly, is that data restoration and incident response take time. And time is the one thing healtcare providers don’t have. Even if it takes a day or two (ha!) to restore online data, this may not be adequate to meet the immediate needs of healthcare providers.
Moreover, if a data kidnapper demands $750,000 to restore a system (no muss, no fuss, just click this link) and will do so reliably and efficiently, this may be preferable to spending a similar amount of money trying to restore the data. Time, speed and efficiency matters.
So the reason healthcare providers are vulnerable to ransomware is because they pay. And they pay because they have to. As long as there’s a market not just for data but for access to data, they will pay.
And that’s what we are seeing in the UK. Hospitals and clinics are shutting down for lack of access to data and equipment. That costs money. So when we conduct a risk assessment, we have to include the time value of access (and immediate access) to data. How long can we survive without access to the data, how long will it take to restore the data, and what’s it worth to us to get the data faster?
In a future posting, I will discuss how to minimize your risk of successful ransomware, and whether or not to pay the ransom. For now, what’s important is to understand WHY you are vulnerable – oh and whether a ransomware attack is a “data breach?”
The answer to that one is a definite “maybe,” or an even more definite, “maybe not.” Or, in legal terms “it depends.”