Threat # 2 of the Top 5 Threats Facing the Healthcare Sector: Ransomware

Modified on Tue, 13 Feb at 6:14 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HHS 405(d) Program is a collaborative effort between The Health Sector Coordinating Council (an organization representing the primary healthcare subsectors of direct patient care; public health; health plans and payers; pharma, blood and labs; medical technology; health information technology; and funeral homes and mass fatality managers) and the federal government to align healthcare industry security practices.

The 405(d) Task Group developed Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, its first official Task Group product and publication. Health Industry Cybersecurity Practices are given the acronym HICP.


The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients document has identified the top five cybersecurity threats facing the healthcare sector.

Threat # 2 for the year 2023 is ransomware.


What is Ransomware?
The HHS Ransomware Factsheet defines ransomware as follows: “Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the attacker (usually in a cryptocurrency, such as Bitcoin) to receive a decryption key.”

Over time, ransomware attacks have evolved to include targeted attacks. These attacks are adapted for specific groups or organizations to make them more effective. Once attackers access a network, they use ransomware to restrict access to devices and data until ransom is paid. 

Generally, these attacks are “human-operated.” This means that an actor directs the deployment of ransomware once they have initially compromised the network. Commonly, attackers first leverage social engineering to get access to credentials. Then, they use those credentials to access the network and deploy ransomware.

A ransomware attack can begin as a different kind of threat that then gives the attacker an opportunity to attack your system. For example, a successful phishing attack can lead to the installation of ransomware.

Ransomware often begins undetectably, by running in the background. This stealth running allows attackers to monitor a user and develop an infiltration plan. When the hackers are ready to launch their attack, the victim is surprised, unprepared, and defenseless. Using these tactics, some ransomware attackers have even stolen data before encrypting the data on the systems.

Ransomware can put victims in a no-win scenario. If a victim refuses to pay the ransom, the attacker can threaten to release the information publicly or sell it to other third parties. On the other hand, if a victim chooses to pay (e.g., pay for the key to decrypt the files), there is no guarantee that the attacker will decrypt or unlock the stolen or locked data, even if the attacker guarantees that these measures will work.

Some attackers are quite attuned to the victim's financial circumstances, and even tailor the size of the ransom based on the ability of the victim to pay. Some attackers review a victim's cyber insurance policy (which they have hacked into, of course), and have set the ransom amount to equal the coverage limits.

Ransomware attacks can have serious financial consequences. This is especially so for small healthcare organizations, which have had to close permanently due to inability to pay (or because making payment exhausted their finances).

One critical strategy to limit the effects of a ransomware attack is to back up files. This way, if attackers delete files, backups can be deployed to keep a practice running.
