The threat of ransomware is rapidly evolving, not only in sophistication but in prevalence. Most recently, details have come to light exposing the extent of the ransomware attack against Ireland’s Health Services Executive IT systems, affecting 250 systems and costing upwards of €100 million. Although ransomware attacks have been an emerging trend for several years, the number of such attacks has increased dramatically over the past 12-18 months.
Ransomware
Ransomware is a type of malicious software, or malware, that is used to encrypt files owned by a victim until a ransom is paid. This type of attack exploits both technical and operational vulnerabilities, typically using social engineering techniques delivered by email. This can include focused attacks termed spear phishing. While traditional phishing attacks are non-personalised attempts to gain information or to place malware, spear phishing is a targeted attack. In many instances, the target of such an attack is well researched, which helps the attacker craft a convincing request. This may involve a seemingly innocuous email received from an account purporting to be a trusted party, such as a colleague or customer.
Magellan Health breach
Although the exact details of the HSE attack are not yet known, a similar attack occurred in April 2020, targeting US-based Magellan Health. Data under the control of Magellan Health was exposed after an unauthorised actor gained access to Magellan’s system through a spear phishing email. Using stolen login details, the attackers were then able to gain access to the organisation’s network servers. After a full investigation into this breach, it was identified that records relating to almost 365,000 patients and employees were exposed. These records included sensitive information, such as medical files and social security numbers.
Rapidly growing threat
According to a recent report by Corvus Insurance, ransomware attacks against healthcare providers have increased by 75% in 2019 alone. Corvus predicts that these figures are set to almost double in 2020, which is reflected in the data released by the US Department of Health and Human Services.
The US Department of Health and Human Services data shows that in 2018 healthcare companies reported only 35 breaches caused by hacking and ransomware. This figure rose to 193 in 2019, and at the midpoint of 2020 it already sits at 144. Year on year, the number of incidents, and in particular the share of incidents involving email, has steadily increased.
Reported Hacking/Ransomware Breaches

| | 2018 | 2019 | 2020 (to mid-year) |
|---|---|---|---|
| Hacking/Ransomware incidents | 35 | 193 | 144 |
| % involving email | 51% | 59% | 61% |
The targeting of healthcare in crisis
In June 2020, we spoke with Philipp Amann, Head of Strategy of Europol’s European Cybercrime Centre (EC3), who highlighted how cybercriminals are exploiting the COVID-19 crisis and in particular targeting the healthcare sector. It is clear that the ramping up of reported attacks in the last 12 months can be linked to the additional vulnerabilities caused by the pandemic.
The threat to healthcare operations exists partly due to the extremely sensitive and vital nature of the data held. If this data becomes unavailable or disclosed, this may lead to consequences of great severity to the data subjects concerned.
Although the healthcare sector faces numerous challenges going forward due to the rapidly increasing number of attacks, we advise that some simple but important measures can be implemented and developed. These include:
- a rapid response plan;
- network vulnerability scanning technologies;
- robust email scanning and anti-virus software;
- two factor authentication; and
- (most critically) sufficient and effective training for all staff.
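The "robust email scanning" measure above is where the spear-phishing pattern described earlier (a message purporting to come from a colleague) can be caught mechanically before it reaches staff. The following is an added example, not code from the original article or from Trilateral, showing three cheap header checks a mail gateway or SOC script can run: a display name that matches a known staff member but an address that does not, a Reply-To domain that differs from the From domain, and a message claiming the organisation's own domain without a DMARC pass recorded. The staff directory, the internal domain, the sample messages and the assumption that an upstream gateway writes an Authentication-Results header are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own mail domain and a
# small staff directory (display name -> legitimate address).
INTERNAL_DOMAIN = "example-hospital.test"
STAFF_DIRECTORY = {
    "Jane Murphy": "jane.murphy@example-hospital.test",
    "Finance Team": "finance@example-hospital.test",
}


def _domain(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse_headers(raw_message):
    """Return a list of human-readable reasons why the message looks like
    an impersonation attempt. An empty list means no check fired."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    reasons = []

    # 1. Display-name impersonation: name matches staff, address does not.
    known = STAFF_DIRECTORY.get(display_name.strip())
    if known and from_addr.lower() != known:
        reasons.append(
            f"display name '{display_name}' matches staff but address is {from_addr}"
        )

    # 2. Reply-To points somewhere other than the apparent sender's domain,
    #    so replies (and any attachments) go to a third party.
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append(
            f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}"
        )

    # 3. Claims to be internal, but the gateway recorded no DMARC pass.
    #    Assumes the gateway stamps an Authentication-Results header (RFC 8601).
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("claims internal domain but no DMARC pass recorded")

    return reasons


# Constructed sample messages.
SPOOFED_MESSAGE = """From: Jane Murphy <jane.murphy@mail-secure.test>
Reply-To: billing@other-host.test
Subject: Urgent invoice
Authentication-Results: mx.example-hospital.test; spf=pass smtp.mailfrom=mail-secure.test; dmarc=none

Please open the attached invoice.
"""

CLEAN_MESSAGE = """From: Jane Murphy <jane.murphy@example-hospital.test>
Subject: Rota for next week
Authentication-Results: mx.example-hospital.test; dmarc=pass header.from=example-hospital.test

Rota attached.
"""

UNAUTHENTICATED_INTERNAL = """From: IT Helpdesk <helpdesk@example-hospital.test>
Subject: Password reset required

Click the link to keep your account.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_MESSAGE),
                       ("clean", CLEAN_MESSAGE),
                       ("unauthenticated", UNAUTHENTICATED_INTERNAL)]:
        print(label, analyse_headers(raw) or "no findings")
```

Messages that fire any of these checks are candidates for quarantine or for a warning banner rather than outright rejection, since legitimate mail from personal accounts or external partners can trip the first two rules; the third rule is only meaningful once the organisation publishes a DMARC policy and its gateway records the result.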
Conclusion
While it is not possible to eliminate the risk of cyberattacks, reviewing and implementing preventative measures at this time is advisable, considering the level of risk and the value of the data healthcare organisations process. Many of the preventative measures listed above can be implemented without disruption to service delivery and at a relatively low cost, considering the potential impact of large-scale ransomware attacks.
However, the most impactful defence against this type of attack is your people. An appropriately delivered training and awareness initiative can assist staff in identifying potential ransomware attacks in their day-to-day activities.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in respect of privacy by design and default. We offer a range of data governance services, including vulnerability scanning, audit and assessment services, as well as robust training programmes. For more information please feel free to contact our advisers, who would be more than happy to help.