Ransomware is on the rise. The number of enterprises being forced to pay criminals to decrypt their files is growing every day. This trend can be particularly worrisome for hospitals, which have come under constant fire from ransomware attacks in 2016.
Hospitals are easy marks for ransomware for two reasons:
1) Hospitals rely on real-time information from patient records to provide critical care. As a result, they will typically pay the demand rather than risk disruption or delay of care.
2) Hospitals typically have the same file share and depository for all systems – including patient health information (PHI) – so all it takes is for one employee to be fooled and files are locked across the entire organization.
As many as 75 percent of U.S. hospitals could have been hit with ransomware in the last year. What's more disconcerting is that some 50 percent of hospitals said they are unsure or have no way of knowing whether they managed to find ransomware in their enterprises.
For those organizations, the price of recovery can be very high. When a hospital is infected with ransomware, the decision to pay the ransom is determined by a number of questions:
- How quickly can the hospital implement its business continuity plans?
- When was the last backup?
- What’s the scale of the attack?
- What files are being encrypted?
- What’s the risk to critical patient care?
In many instances, attackers are not demanding huge amounts of money, but the risk and liability associated with being infected go way beyond the price of ransom. Hospitals need to take into account the cost of disruption, lost productivity, the money needed to investigate IT systems, and the cost of infrastructure improvements to prevent future infections.
Additionally, all healthcare organizations, covered entities and business associates adhere to HIPAA/HITECH standards and many have PCI DSS implications. The harsh reality is that if an organization is breached, it is out of compliance.
The fines and penalties associated with compromised PHI are monumental. Add potential lawsuits into the equation and the financial demand of the original ransom fee becomes a mere footnote in the attack.
Detection and Response
Organizations affected by ransomware are increasingly leveraging pattern-based threat detection to provide reliable visibility into ransomware variants by looking for behaviors and actions that are indicative of an attack. With such an approach, a security team can be alerted to a potential ransomware attack that's taking hold of their enterprise, isolate the host and stop the attack before it spreads.
These forward-thinking organizations have the ability to continuously record and centrally store all endpoint activity, including: network connections, process trees, file and registry modifications, file executions, and copies of executed binaries.
This type of visibility provides security practitioners with full root cause analysis so they can make intelligent decisions on how to improve security posture to prevent future attacks, instead of blindly re-imaging machines or deleting malware and hoping for the best.
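One way to express the behavior-based detection described above, as an added example that is not from the original article or from Carbon Black's product: it flags any process that modifies many distinct files within a short window and reports the host to isolate, along with the parent process for root cause analysis. The event layout, the window, the threshold and the sample telemetry are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # assumed sliding window
MAX_DISTINCT_FILES = 5   # assumed threshold; tune against a real baseline

# Constructed sample telemetry (not real data):
# (timestamp, host, pid, parent process, process, event type, path)
SAMPLE_EVENTS = [
    (100.0, "ws-12", 4100, "explorer.exe", "winword.exe", "filemod", r"C:\Users\a\notes.docx"),
    (101.0, "ws-12", 4100, "explorer.exe", "winword.exe", "filemod", r"C:\Users\a\notes.docx"),
] + [   # burst: one process rewrites eight shared files in four seconds
    (200.0 + i * 0.5, "ws-07", 5220, "winword.exe", "unknown.exe", "filemod",
     rf"\\fileshare\records\patient_{i}.pdf")
    for i in range(8)
] + [   # slow, spread-out writes from a backup job stay below the threshold
    (300.0 + i * 60, "ws-03", 990, "services.exe", "backup.exe", "filemod", rf"D:\bk\f{i}.dat")
    for i in range(8)
]


def detect_mass_modification(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_FILES):
    """Return one alert per (host, pid) that modifies more than `limit`
    distinct files within `window` seconds."""
    recent = defaultdict(deque)   # (host, pid) -> deque of (timestamp, path)
    alerts = {}
    for ts, host, pid, parent, process, event, path in sorted(events):
        if event != "filemod":
            continue
        key = (host, pid)
        q = recent[key]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > limit and key not in alerts:
            alerts[key] = {"host": host, "pid": pid, "process": process,
                           "parent": parent, "first_seen": q[0][0],
                           "files_in_window": len(distinct)}
    return list(alerts.values())


def hosts_to_isolate(alerts):
    """Hosts with at least one alert, for the isolation step."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    for alert in detect_mass_modification(SAMPLE_EVENTS):
        print(alert)
```

A file-count threshold alone will also fire on legitimate bulk operations such as archive extraction or sync clients, so in practice it is combined with other recorded signals, such as the process tree and the executed binary, before isolating a host.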