The idea of ransomware is frightening enough, but in the healthcare industry, losing access to patient information puts lives on the line. Ransomware is the practice of a cybercriminal holding data hostage by eliminating the owner's access to it. The files are encrypted, and only after paying the ransom are the victims given the decryption key needed to access the files. In many cases, paying the ransom does not even guarantee that the criminal will return the data.
The 2018 Verizon Data Breach Report states that ransomware is now the #1 type of malware. 2016 was one of the worst years for cyberattacks among healthcare providers, who were the targets of 88% of ransomware attacks. Although there was a slight decline in the following years, a member of the Booz Allen cyber threat intelligence team stated that the attacks have gained momentum and that there will be an upswing.
Effects of an Attack on Healthcare Entities
CNN reported that in 2019, a network of Alabama hospitals had to stop accepting new patients because of a ransomware attack. Turning patients away is only one of the negative effects of being a ransomware victim. Others include:
- Loss of Proprietary or Personal Information
- Disruption of Regular Operations
- Financial Loss
- Tarnished Reputation
The cost of a ransomware attack for a hospital varies with the size of the organization and the cybercriminal on the other end. According to healthitsecurity.com, a hospital will pay $429 per record. This figure includes the incident response, legal, and public relations expenses that follow an attack.
A ransomware attack may be highly publicized in the news, with damaging and costly consequences. On top of that, the Office for Civil Rights (OCR) may impose additional HIPAA penalties that can reach into the millions, depending on severity.
A ransomware attack may fall under the second-tier penalty, in which the covered entity knew or would have known of the violation but did not act with willful neglect. This tier results in $1,000-$50,000 per incident, up to $100,000 per year. A hardware-encrypted storage device such as the SecureDrive acts as a line of defense against having to pay violation fees. The device prevents unauthorized access and safely stores the data, meaning the hospital is prepared for an attack such as ransomware.
Preventing a Ransomware Attack
There are several ways an institution can protect itself from a ransomware attack. These methods are good practice not just for those in the healthcare industry, but for any business with data that needs to be protected. Prevention starts internally, with the proper training and education of your employees.
One common cause of successful cyberattacks such as ransomware is a lack of proper security training and of secure technology. Cybersecurity training is needed to ensure employees understand the severity of losing data like protected health information (PHI). A baseline level of training ensures that employees of any level and background can understand the technology used for data protection.
In addition to training, the best practice is to use a hardware-encrypted storage device like the SecureDrive product line. The devices are plug and play and OS independent, so they work across all systems. The ideal way to protect against malware is to download files to a SecureDrive, because it has built-in antivirus running on the device. When downloading, the drive blocks any file containing ransomware or malware from being copied to it.
The SecureDrives are ideal for healthcare and can easily be integrated into an existing workflow. A physician-owned hospital has already implemented the SecureUSB BT in its everyday operations and commented on the simple setup and use of the device to protect data.
Other prevention strategies include:
- Applying security patches to software and operating systems
- Monitoring system and data access
- Implementing strong passwords
- Keeping a backup of your data
Protection Through Encryption
While there are preventative measures to take, a determined cybercriminal needs to find only one security flaw to launch an attack. Full-disk encryption is therefore vital to protecting PHI.
An article on Security Intelligence said, “If the data is encrypted and unable to be decrypted without the proper authentication and authorization, however, data exfiltration is blocked even though the encrypted bits may be accessible to the attacker. This basic layer of protection gives you the peace of mind that even if malware or ransomware gets to your data, it is safe from unauthorized use or disclosure.”
The SecureDrive product line offers exactly that: peace of mind that your files are completely protected from unauthorized access. These storage devices use military-grade AES 256-bit XTS encryption to eliminate PHI data leaks and keep data encrypted at all times. The BT models can only be accessed through a mobile app and also support authentication through biometric indicators such as facial recognition and fingerprints.
Additionally, an admin on the device can view which drives have been accessed, and by whom, so data access is monitored regularly. The drives themselves are OS independent and work on any system with a USB port. If ransomware affects the hospital's systems, the data remains protected on a device that can be used elsewhere to ensure continuity of patient care.
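The Security Intelligence quote above makes a concrete claim: once data is encrypted at rest, an attacker who copies the stored bits gets nothing usable without the key. The following Go program is an added example written for this article; it is not SecureDrive firmware and not code from the original post. It uses AES-256-GCM from Go's standard library as a stand-in for the drive's AES-256 XTS mode (XTS is not in the standard library, and GCM additionally gives tamper detection, which plain XTS does not), and an in-memory random key as a stand-in for the key a hardware drive keeps inside its own controller. The PHI record is constructed for the demonstration. The names `NewDeviceKey`, `EncryptRecord`, `DecryptRecord` and `LeaksPlaintext` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes, i.e. AES-256, the key length the article cites.
const KeySize = 32

// samplePHI is a constructed record used only to exercise the functions below.
const samplePHI = "patient_id=000123;dx=J18.9;note=follow-up in 2 weeks"

// NewDeviceKey stands in for the key a hardware-encrypted drive keeps inside
// its own controller: generated once and never written alongside the data.
func NewDeviceKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext under key with AES-256-GCM and returns
// nonce || ciphertext || tag, the form that would sit on the storage medium.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, so the nonce is stored with the data.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. A wrong key or any modified byte makes
// the GCM tag check fail, so the caller gets an error instead of garbage PHI.
func DecryptRecord(key, sealed []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// LeaksPlaintext reports whether any 8-byte window of the record appears
// verbatim in the stored bytes, i.e. whether someone reading a copied drive
// image would find readable PHI in it.
func LeaksPlaintext(sealed, plaintext []byte) bool {
	const window = 8
	if len(plaintext) < window {
		return bytes.Contains(sealed, plaintext)
	}
	for i := 0; i+window <= len(plaintext); i++ {
		if bytes.Contains(sealed, plaintext[i:i+window]) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	sealed, err := EncryptRecord(key, []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes: %x\n", sealed)
	fmt.Println("plaintext visible in stored bytes:", LeaksPlaintext(sealed, []byte(samplePHI)))

	wrongKey := make([]byte, KeySize) // a guessed key: all zeros
	_, err = DecryptRecord(wrongKey, sealed)
	fmt.Println("decrypt with wrong key:", err)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored record
	_, err = DecryptRecord(key, tampered)
	fmt.Println("decrypt after tampering:", err)

	got, err := DecryptRecord(key, sealed)
	fmt.Printf("decrypt with device key: %q (err=%v)\n", got, err)
}
```

Run it with `go run main.go`. The stored bytes change on every run because the nonce is random, the plaintext check is false, and both the wrong-key and tampered decryptions return an authentication error while the correct key recovers the record. On a real hardware drive the key never leaves the controller, which is the property that lets a copied image sit in an attacker's hands without disclosing PHI.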
SecureDrives are General Data Protection Regulation (GDPR) and HIPAA compliant and fit easily into an existing workflow. With the threat of ransomware running rampant, it is not a matter of "if" you are hit, but of "when" you are the next target. The healthcare industry needs a secure way to protect itself and its patients in case of a ransomware attack.