Healthcare is under attack as hackers use changing tools and techniques to access practice and patient data and hold it hostage, according to Beazley, a specialist insurer. Ransomware attacks handled by the company more than quadrupled in 2016, with nearly half of these attacks in the healthcare sector. Beazley expects these attacks to double again in 2017.
During a ransomware attack, the attacker gains access to data in the victim’s computer network and encrypts it, locking the victim out of that data. Next, the attacker demands payment from the victim in exchange for the decryption key. Sometimes, attackers pose as law enforcement and falsely tell victims that they have illegal content on their computers and need to pay a fine. Or, attackers may try to sell anti-ransomware software to their victims on legitimate websites.
According to Beazley, organizations are particularly vulnerable to ransomware attacks during IT system freezes, at the end of financial quarters, and during busy shopping periods. Evolving ransomware variants enable hackers to methodically investigate targeted systems, selectively look at the most critical files, and demand higher ransoms to get them unencrypted.
“The threat from ransomware is not only growing, but evolving to allow hackers to target vulnerable organizations and their most valuable data files and adjust ransom demands accordingly,” said Katherine Keefe, global head of Beazley Breach Response Services. “The sustained increase in these threats in 2016 indicates that even more organizations will be attacked in 2017 and need to have incident response plans in place before they get a ransomware demand.”
Unintended disclosures, when emails or faxes are sent to the wrong recipient or discharge papers are improperly released, represented 40% of healthcare breaches in 2016, which is up from 30% in 2015. However, other types of hacks and malware accounted for only 19% of breaches in 2016, which is down from 27% in 2015, indicating that the industry might be improving its defenses.
Still, the increase in unintended disclosures indicates that formerly small mistakes can now quickly lead to large data breaches. Beazley recommends employee training, up-to-date IT protection, and an incident response plan as the best defenses. The company also suggests the use of threat intelligence services and risk assessments focused on identifying and protecting sensitive data to minimize risks.