Ransomware is not a new problem plaguing businesses and organisations around the world. Globally, it is estimated to have cost users $24 million in 2015. According to a tally by the FBI, this number soared to $209 million in the first three months of 2016 alone. Often thought to be a concern only for governments and large financial institutions, ransomware has actually spread its reach across industries like a cancer. Last year, hackers crippled three banks and a pharmaceutical company in India in the first known instance of ransomware attacks demanding bitcoins from companies in India.
Cybersecurity in healthcare: A diagnosis
In the healthcare industry, where quick access to data can be a matter of life and death, the cost of being hit with ransomware is significantly magnified. Medical information of high-profile individuals can also be very lucrative. For instance, the health records of Donald Trump and Hilary Clinton were highly sought after during their campaign period. As more countries start exploring a more connected healthcare system, cybercriminals will ramp up their efforts to extract even larger ransoms from healthcare organisations. In fact, companies in healthcare experienced some of the worst cyberattacks last year. A hack at 21st Century Oncology, a US-based cancer care provider, exposed the information of some 2.2 million patients internationally, turning it into one of the worst data breaches of 2016.
While the targets of attack have mostly been large organisations so far, the growing popularity of connected medical devices and fitness trackers is likely to bring consumers into the fray. As the attack surface quickly expands, the future of healthcare is likely to bring significant security challenges.
Five remedies to the cybersecurity problem in healthcare
The hefty security challenges posed by digitisation may seem daunting at first. However, leaders can minimise the risk of attack by making cybersecurity a priority within the organization and proactively taking steps to reduce their attack surface.
1. Performing risk assessments
For organisations unsure of how to improve their cybersecurity posture, performing a risk assessment is a good place to start. This gives the team a roadmap tracing the possible origins of ransomware or other malicious threat actors. With proper understanding of the vulnerabilities and risks they face, management teams will be able to better work with IT departments to design, prioritise and implement measures to address their security concerns.
2. Conducting regular backup exercises
Combating ransomware doesn’t have to be expensive or complicated. Simply regularly backing up data gives organisations less cause to worry when cybercriminals attack and lock up their main systems. IT leaders should also make sure that their backup sources of data are easily retrievable when the need arises to prevent extended downtime. Besides protecting organisations against ransomware, regularly backing up data onto external storage systems also helps organisations guard against the effects of other possible avenues of data loss such as natural disasters.
3. Network and user segregation
Splitting the company network into sub-nets allows organisations to control access to data and applications by clearly grouping them. This limits the range of access provided to both insiders and third-party users such as suppliers and vendors. Proper segregation of a network makes it much more difficult for cyberattackers to locate and gain access to an organisation’s most sensitive information as specific permissions are required and not all the “goodies” will be located in one place. As a guide, companies can look to standards such as the PCI-DSS to provide guidance on what they need to do to set up an effective segmenting system.
Your users’ computer privileges should also be segregated. The “principle of least privilege” should be rigorously applied to users and processes across the organization. Further, people who do have access to especially privileged roles, such as administrator, must be equally disciplined in their use of such roles, only using them when they must perform duties requiring those privileges.
4. Email and spam filtering
Spam has grown greatly in sophistication over the years. Easily delivered via email or other channels such as social media, spam today carries much more than just messages from Nigerian princes or promotional messages about products and services users are not interested in. Many messages appear legitimate and authentic, and are designed to bait clicks from users. More than just being an annoyance, spam can also carry links or files that can make users vulnerable to dangers such as ransomware. Email and spam filtering forms an important part of an organisation’s defense against ransomware, and should be made a priority of IT departments looking to improve security.
5. User education
Despite the best protections from organisations and cybersecurity vendors, users are often the weakest link in a company’s security strategy. Educating employees and customers is a low-cost and efficient method for companies to improve their cybersecurity posture. For example, issuers of medical and fitness trackers should always remind users to change the default passwords on their devices, a point of failure easily exploited by hackers. This simple step can greatly reduce the number of vulnerable access points and ensure a much safer cyberspace for healthcare organisations and consumers alike. Internally, having good staff education policies will also allow companies to reduce the burden on their IT teams, with employees aware of best practices such as flagging suspicious emails to their security staff.
Cyberattacks – already one of the major threats to any organisation today – are not about to go away. A connected healthcare system presents many positive benefits as the increased amount of data collected allows healthcare organisations to make better decisions and provide better care for individuals. Unfortunately, coupled with the growing number of attack points, this also makes healthcare organisations more attractive as targets of cybercrime. What is important is for leaders to understand that prevention is better than cure, and take proactive steps to address symptoms of cyber weakness.