Stopping the ransomware tsunami in healthcare

Gordon Morrison, Director Government Relations, Intel Security

There are fundamental shifts occurring in our digital world that are driving tremendous growth and technological advances. While these significant and rapid changes bring opportunities, they also bring significant risks; creating openings for cybercriminals to exploit, and the increased likelihood of security breaches.

The rising threat of ransomware

In February of this year, a California-based hospital hit by a ransomware attack - one of the fastest growing challenges in the security world - found itself facing demands from hackers totalling approximately US$5.77 million. In the end the hospital reportedly paid $17,000 to restore its files and systems, yet it had to endure a potentially far costlier downtime of five working days.

As hackers take advantage of weak and outdated infrastructures across the healthcare industry, such threats are certain to increase. In fact, in the first two quarters of this year there were at least 19 hospitals infected with ransomware, and in the first three months of the year alone Intel Security identified that related group of hospitals generated about $100,000 in ransomware payments.

If nothing else, aside from the financial impact, these attacks can have a crippling impact on a healthcare organisation’s ability to operate and provide a regular and reliable service. Downtime, lost revenue, incident responses, system recovery, audit services and other similar clean-up costs equated to a much heavier financial burden. In some cases, hospital systems were at least partially down for up to 10 days.

This clearly illustrates that in addition to striving to improve efficiencies in the provision of healthcare through technology, organisations must do so alongside a proactive management of risk, and an enhancement of their security.

The perfect storm: outdated infrastructure plus a lack of skills

Investment in infrastructure which safeguards against these growing threats is therefore fundamental. The scale of attacks we’ve seen this year can be due to out-of-date systems which have buckled as new technologies have been bolted-on to existing systems, rather than being added into a fully-integrated architecture.

But perhaps the most telling sign that we are outpacing our ability to manage these rising digital risks is the lack of cyber security practitioners employed within the healthcare industry. As many as 62% of organisations are currently grappling with limited cyber skills. With the average timescale to recruit a qualified cybersecurity professional being three to six months it is hardly surprising that in four years, we will have a shortfall of nearly two million experts to help us tackle the problem.

Changing behaviours

In addition to the infrastructure needs and professional skills required, we need to acknowledge behavioural change amongst the users of technology. With healthcare workers starting to access critical information on the move, organisations now have to contend with workers who don’t just connect to their network through a single device at their place of work. Many now work remotely, using a range of devices and expect uninterrupted access to information in order to carry out their duties. Whilst this indicates an improved level of care at a community level, it also opens up a number of IT security issues which need to be considered as part of a wider investment programme.

The rise in people embracing Bring Your Own Device (BYOD) schemes, and the boom in connected sensors or devices – the ‘Internet of Things’ -  adds further complexity to the problem. In enabling employees to access information on their own devices, deploying policies and technologies to ensure the security of sensitive data is ever more critical. Again, the desire for enhanced healthcare services and patient care, cannot be at the compromise of security.

Fundamental steps to success

To overcome these challenges, healthcare organisations perhaps need to focus on four core areas:

  1. Embrace the complexity – In order to reap the benefits of new technologies and working practices, healthcare organisations need to accept, understand and adapt to the complexity. Ignoring it will lead to potential opportunities for breaches and attacks and a lost opportunity to transform.
  1. Increase trust through clear communication – Appropriate reporting and sharing is essential to improving everyone’s understanding of the problem and the potential impact they can have. Regular reporting and sharing will allow organisations to determine how to adapt to a threat and provide patients and staff with greater confidence that their records will be safe, however, it’s important to not view this solely as a compliance issue.
  1. Make security part of the DNA, not skin-deep – Data and cyber security cannot not be treated as a bolt on to existing systems, it needs to be built in and fully integrated across the entire infrastructure to deliver real value. While needing to be robust, security policies and processes need to be as light touch as possible for users to ensure adoption.
  1. Use technology to reduce resource requirements – The right investment should provide pace, scale and efficiency to healthcare organisations by automating, integrating and collaborating with existing systems via an open architecture and vendor ecosystem.

Gordon Morrison, Director Government Relations at Intel spoke at the Cyber Security in Healthcare Conference at London’s Olympia on Wednesday 28th September