An unhealthy situation – The cost of ransomware in UK healthcare

Ransomware is one of the fastest growing threats to the healthcare sector. In the last 12 months, many hospitals have had critical data locked out of their systems. Just this week, DeKalb Health, a hospital based in Indiana, experienced a ransomware attack first hand.

Worryingly, once it happens there seems little hospitals can do. Shortly after the attack on the Hollywood Presbyterian Medical centre earlier this year, the FBI admitted that, the best way to deal with these attacks was to simply pay the ransom and regain control of their data as quickly as possible – and some experts are worrying that this could well start a trend.

Combined with the rate of healthcare attacks, this constituted a major change in post-ransom tactics from the organisation.

The threat to the UK

While most attacks have happened in the US, a recent survey by Sophos into the NHS uncovered that only 10 per cent of the organisation had a “well established” approach to encryption – an obviously problematic statistic.

It is worth remembering that ransomware originated in Europe, before its extended attack against the US healthcare industry. In this time, it has evolved and become far more efficient; new trends such as ransomware-for-hire and even chat clients to communicate with the attackers are now being seen on a far more regular basis.

Why healthcare?

The reason the healthcare sector is seeing such high levels of data-related attacks such as ransomware is the value of the data that is being targeted. Rather than the pure monetary value which drives many data breaches in other sectors, healthcare data holds within it a life or death value. Unless hospitals have a stringent back-up policy, there is little option other than paying the ransom so that clinicians and other medical professionals can continue to provide critical medical care.

First-hand accounts from inside attacks confirm how grave the situation can be with medical data being ransomed. If a hospital, for example, were to be attacked, then lives could well be lost in critical departments. If clinicians cannot access the data due to being locked out from it, then they are completely unable to administer further medication or operate. No wonder that attackers are confident in their ransom being paid – and in a timely manner.

The true cost of being locked out

The actual ransom demanded in healthcare attacks is often surprisingly low. The Hollywood Presbyterian attack mentioned earlier was settled for ‘just’ $17,000 dollars. However, this is merely the tip of the iceberg when it comes to the true cost of being locked out of medical data. Settling lawsuits with affected patients, the upcoming GDPR data-loss fines (if data is permanently lost), legal fees and security upgrades mean that the cost can end up multiplying to far more than the ransom itself.

Furthermore, unwanted media attention (remember that Hollywood Presbyterian was front page news the world over) and a huge hit to the affected hospital’s reputation are often seen – not to mention the loss of lives. To avoid such instances, healthcare professionals need to be aware of the impact this could have on them, and seek to best protect themselves against this scenario coming true.

Defending against the threat

Due to the ever-evolving nature of ransomware attacks, the issue can never be completely solved. However there are a number of steps that a healthcare organisation can take to make sure they are protected to the best of their abilities. Here are the five key areas of security that healthcare organisations should focus their efforts on to protect their patients.

  • Keep security front and centre: Information security can’t simply be ‘dealt with’. Hospitals should always assume they are being infiltrated, and therefore should carry out penetration tests regularly. Ethical hackers are a valuable resource for highlighting where weaknesses lie. As an organisation, it is also vital to have plans in place for when an attack hits. These plans must be correlate to the different levels of an attack – including a complete lock-out of your data. This will give some direction and structure if ever the day arrives where your information is under siege.
  • Prepare staff: Ransomware usually takes hold of a network by praying on human error such as clicking on malicious links, so ensuring that staff are aware of the warning signs and know what to avoid or flag can stop many attacks before they have begun.
  • Set up technology to defend: Technology can provide organisations with a further layer of protection. Strategies such as only allowing users access to the information on the network they need (permission-based access), only allowing accepted programmes to work in the network (whitelisting) and not allowing programmes to execute changes even if they make it through the whitelisting process (read-only blanketing) provide several roadblocks for ransomware programmes. Naturally, it is vital to keep this updated and the latest versions of software should be used in order to keep pace with attackers.
  • Replicate and hide away data: In healthcare, built-in redundancies can literally make the difference between patients surviving an attack or not. Remember, hackers will not always hand back the unencrypted data once they have been paid – and it may be permanently corrupted - so ensuring that a backup is in place can be the difference between having to shut down or not.
  • Prepare for the worst: Data insurance is something that every organisation should arrange – and not just those working in the medical field. As previously mentioned, the cost of an attack can quickly spiral out of hand, so ensuring that this amount won’t permanently damage your organisation should be of paramount importance.

Face ransomware on the front foot

The bottom line is that the UK healthcare sector must take a proactive stance against the potential threat that ransomware poses. It is an important start to highlight how severe these attacks can be, but ransomware is not a new phenomenon; merely evolving. But by understanding their significance, and why healthcare is particularly vulnerable to this style of attack, organisations across the UK should draw the battle lines now.

By educating staff, ensuring IT systems are backed up and that they have the right technologies in place, the UK healthcare sector can go a long way to minimising the threat of ransomware before it becomes a full-scale issue within Britain.

Ellen Derrico, Senior Director, Healthcare & Life Sciences at RES

Image Credit: Bacho / Shutterstock