Why Do Hospital Ransomware Attacks Keep Happening?

Healthcare Ransomware Attacks Increased by 94% 

Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from Sophos. The report is based on a global survey of 5,600 IT professionals and includes interviews with 381 healthcare IT professionals. According to the study, more than 30% of healthcare organizations were hit by ransomware in the last year, and that number is expected to grow.

Despite growing awareness among administrators, the most common entry point for hospital ransomware attacks continues to be users accidentally clicking malicious links, visiting insecure websites or engaging with phishing emails, according to 49% of respondents to the Veeam 2022 Ransomware Trends Report.

The problem is significant “un-awareness” among hospital staff, who remain unsuspecting and under-informed. Mistakes by hospital staff who just aren’t familiar enough with the latest tactics are what cyber thieves count on to gain access to hospital networks.

Devastating Impact: Patient Care, Hospital Reputation, Financial

Although the first thing that comes to mind with the word ransomware is “how much money,” there is much more fallout to be considered by hospital leaders as they identify the best options for risk mitigation against hospital ransomware attacks.

Ransomware attacks have life-or-death consequences for healthcare organizations, according to a recent Ponemon Report commissioned by Censinet in which nearly 1 in 4 healthcare providers reported an increase in mortality rates following ransomware attacks. Not only that, 70% reported that longer lengths of stay and cancelled or delayed procedures led to poor outcomes. More than one third also reported increased complications from medical procedures.

When these hackers gain access through unsuspecting or even careless hospital staff, they threaten to violate one of the most sacred trusts between doctor and patient – patient privacy. Adam Meyers, VP of Intelligence at CrowdStrike, sums it up, explaining that these criminals “will release sensitive information – patient records, HIPAA data – publicly in order to make it very painful for the victim.” The hospital’s reputation suffers major damage when patient data cannot be protected.


As for the financial impact, it isn’t just about paying the ransom. The average cost of addressing a ransomware attack, including downtime, people time, device cost, network cost, lost opportunity and the ransom paid, was US$1.27 million according to the Sophos study.

What Do Healthcare Leaders Have to Say?

According to a recent AAMC article, it takes just one employee falling for a fake email to send malicious code speeding through a network in search of additional weaknesses to exploit.

That’s why cyber thieves lay traps for hospital workers: they know it’s their fastest way into your networks. “Cybercriminals try every hospital, every day; every computer, multiple times a day,” notes Dean Sittig, PhD, Professor of Biomedical Informatics at the School of Biomedical Informatics at UTHealth in Houston.

There is a great need to educate staff about the telltale signs of phishing emails that hide malicious code, according to Stephen Lopez, PhD, MBA, AAMC Senior Director of Information Security. “To be effective, an education program needs to show staff what fake emails look like,” he emphasizes. Often, such messages include an urgent request for sensitive information (a password to avoid the shuttering of an account, for example), which can get recipients to act before thinking.

Reaching out to employees is the recommended approach of Amar Yousif, MBA, Chief Information Officer at UTHealth in Houston. “It’s about treating some of the smartest people you’re going to meet in your life respectfully and as part of the equation,” he says. “You have to remember that they’re not consumers of your security — they’re part of your security.” 

Getting the entire hospital to buy in is your best strategy for thwarting a hospital ransomware attack.

Your Hospital’s Biggest Risk: Unsuspecting & Under Informed Staff

People making mistakes or exercising poor judgment are how the bad guys get into your computer networks. Ransomware gangs and cyber thieves know that’s the fastest way to infiltrate your secure data sources or compromise your hospital’s mission-critical infrastructure, from the automated refrigerators that store blood products for surgeries to the CT scanners that are vital for triaging trauma patients.

According to Verizon’s 2022 Data Breach Report, 82% of breaches are linked to “human element” security weaknesses. This includes employees falling for phishing attacks, getting tricked by social engineering tactics, carelessly divulging their employee credentials and visiting the wrong websites, among other activities.

A recent Proofpoint survey shows that 55% of security executives believe that human error and a lack of cybersecurity awareness are the biggest risk for their business, no matter what cybersecurity solutions are in place. Someone’s poor decision or bad judgment due to being unaware of the tricks and traps used by cyber thieves and social engineers – this is the single biggest contributor to ransomware attacks and data theft.

Common employee behaviors likely to result in cyberattacks include clicking on a malicious link or downloading a compromised file (43%), followed by falling victim to phishing emails (39%), intentional leaking of data (35%) and unauthorized use of devices and applications (35%).

IBM conducted a study of the cyber breaches that occurred among thousands of its customers in over 130 countries. One of the key findings was that human error was a major contributing cause in 95% of all breaches. That’s more than 9 out of 10 cyber incidents resulting from employees acting out of ignorance. Since human error plays such a key role, addressing it is the key to reducing your hospital’s chances of being successfully targeted.

How Do You Best Mitigate Human Error Vulnerabilities?

According to cybersecurity leaders and experts in human behavior and learning patterns, the most effective way to mitigate cyber risk is to arm your employees with the knowledge they need to recognize potential threats and prepare them to safely respond. 

In short, you have to make everyone at your hospital familiar with the tactics, tricks and traps of social engineers, hackers and cyber thieves. And in order to be successful at creating that familiarity, you need to execute an effective communication strategy. Here are the keys to executing an effective security awareness program at your hospital:

  • Provide real-world examples of phishing scam emails, text messages, and other social engineering tactics being used – help them get familiar!
  • Educate them without boring them. It’s not a topic they’re passionate about so you have to keep it short, friendly and non-technical.
  • Keep a consistent schedule. People learn through repetition so you need a monthly outreach – think of it as a friendly advertising campaign.
  • Tell employees what you want them to do when they receive or open suspicious messages. Always remind them who the go-to person is for any questions.
  • Educate them on how they can protect themselves and their families from cyber criminals and scam artists, online schemes, identity theft and other internet hazards. This last strategy is particularly effective because you’re answering that age-old question: what’s in it for me? It will make you a trusted resource at the hospital, and everyone from the top down will pay more attention to your overall cybersecurity message.

Options for Mitigating Your Hospital’s Risk of Ransomware

In order to drive down the risk of ransomware and data compromise at your hospital, you have to take steps to prevent everyone who works there – from administrators, doctors and nurses to all the staff who make your facility operate – from exercising poor judgment due to ignorance. Remember, this is what ransomware gangs and hackers are counting on.

You’ve got options for educating your employees. Unfortunately, most of them cost a lot, and they involve giving your employees extra work to do, such as online training, quizzes or “games” nobody wants to play. Some even involve “testing” your employees by tricking them into clicking fake links and then saying “Gotcha! Stop doing that!”

You could hire someone to focus on security awareness, but that also comes at a significant cost. You probably already view this as a problem for the IT team to handle, but if you think about it carefully, you understand why it’s not getting the attention it deserves: your IT team already handles a great many other important duties on a day-to-day basis.

Doing nothing is also an option, but it carries a great deal of risk. Risk to your hospital. Risk to your career. In the event of a hospital ransomware attack, you simply can’t afford not to have a risk mitigation program in place.

Here’s an Easy Way to Get Started – A Very Affordable Way

“SecuritySense” is a monthly cybersecurity newsletter for your employees that you can send out at the push of a button.

Our friendly but serious informational approach shows your employees how urgent it is for them to be cyber-savvy so they can protect the hospital, the patients, themselves and their families. 

“SecuritySense” answers the important question “what’s in it for me?” by educating your hospital staff on how to protect themselves from identity theft at the same time as it shows them how to recognize fake emails that look like they are from the hospital president. They read short, interesting stories about how criminals can hack into a smart-home doorbell camera, as well as hear about social engineering tricks that allow hackers to get access to hospital system passwords.

By blending personal and work security tips together we’re able to capture the attention of your employees. Let’s face it, nobody’s super interested in security issues unless you show them how it affects them directly. “SecuritySense” does just that.

Instead of being perceived as giving them extra work to do, you’ll be thanked for helping everyone in your company become more cyber-savvy at home and at work. Our content is appropriate for the boardroom and the lunch room. Everyone in the hospital will appreciate the content you’re sharing, and everyone will know you take security risk mitigation seriously.

No matter how you slice it, the cost of subscribing to “SecuritySense” is very easy to justify. If you compare it to other technology services, it’s cheaper. If you compare it to the expense you’ll incur from a human mistake leading to an incident, it’s a drop in the bucket. If you run the numbers on what it would cost to hire someone to do something similar, it’s way more affordable to outsource it to us. And finally if you think about it in terms of a per-employee expense, at pennies per employee per year it is a no-brainer!

Some of Our Healthcare and Insurance Industry SecuritySense Subscribers

Catholic Health
Northwell Health
State Farm
BlueCross
Protective Life
Munich RE

What Do You Get When You Subscribe to SecuritySense?

On the first of each month we deliver a digital newsletter to you with 20 different short cybersecurity awareness posts. These twenty “micro-training” articles explain things in a non-technical but informative manner and with a friendly voice.

The mix is about 60% work-related and 40% personal security-related. This ensures that your newsletter is about them as well as about the hospital, keeping them engaged with your overall security awareness message.

These concise and compelling stories are delivered to you as a PDF newsletter that you can email to all your employees. At the push of a button, your security awareness outreach is done for the month. You also have the flexibility to do more with the content if you like, such as posting it to your intranet, printing it out, or breaking up the 20 stories and sending multiple emails during the month. But you don’t have to – most of our subscribing hospitals simply send out the PDF we provide each month.

You also get a fantastic guarantee. If you need to cancel before your subscription is up, we’ll refund you the unused portion of your subscription. See ordering info here.

Our Experience in Security

You don’t have to develop your own security awareness communications strategy to get people to pay attention to your message. We’ve been doing this for over 36 years and have developed a proven strategy for engaging and communicating with the average employee. In fact, our first customers back in 1985 were in the U.S. defense industry, where security was and remains vitally important and serious. Read more about our content strategy and get an idea of the different kinds of articles we provide each month. See more about our content here.

Implement Your Hospital’s Ransomware Risk Mitigation Program – You Could Be Launching It as Early as Today!

Subscribe today and we’ll get the current issue out to you right away. Demonstrate to everyone in your organization your commitment to mitigating the risk of cybersecurity breaches and protecting your hospital from the devastating effects of a ransomware attack.

You can designate anyone on your team to easily send the SecuritySense newsletter out to everyone in your hospital with just the push of a button. See ordering information right here.