Downward Trend in Healthcare Ransomware Attacks May be Temporary
19.7.18 securityweek Ransomware
Confirming a trend noted by other researchers, a new report from network security firm Cryptonite notes that ransomware incidents have declined over the last six months.
Cryptonite's Healthcare Cyber Research Report (H1, 18) draws its conclusions from an analysis of 'IT/Hacking' incidents reported to the Health and Human Services Office of Civil Rights (HHS/OCR) between January 1, 18 and June 30, 18, supplemented by its own research.
The report (PDF) notes that ransomware events impacting more than 500 patient data records dropped from 19 in the first half of 2017 to eight in the first half of 18 -- a decrease of 57%. At the same time, however, the number of patient records (ePHI) breached in the first half of 18 has increased from 1,674,793 in the first half of 2017 to 1,928,432 in the first half of 18.
The implication is that while ransomware is not currently either the most favored or most successful method of attacking the healthcare industry, the attraction of patient record data is as strong as ever.
"Medical records," explains the report, "are prime targets, as this data is highly prized to support identity theft and financial fraud. Medical records are an attractive commodity on the dark web where they demand high premiums from criminal purchasers."
Cryptonite believes that one of the reasons for the decline in ransomware is general improvements in healthcare security. "Customers have started to add micro-segmentation to networks, as well as specialized software to address ransomware threats. In general, in the largest hospitals, new Zero Trust technologies have been added to the existing mix of defense in depth technologies to expand and harden the defensive perimeters."
However, it suspects that this may be only a temporary respite. "We do believe that ransomware still presents a formidable threat to healthcare and expect new variants, such as AI based malware, to present very difficult challenges to healthcare institutions later in 18 and into 2019."
At the beginning of 18, MIT Technology Review published 'Six Cyber Threats to Really Worry About in 18'. One of these is the weaponization of artificial intelligence. Hackers, it suggested, are "likely to use AI to help design malware that's even better at fooling 'sandboxes', or security programs that try to spot rogue code before it is deployed in companies' systems."
It is the potential weaponization of AI to support ransomware that Cryptonite feels might fuel a resurgence of ransomware attacks over the next year.
In the meantime, Britton White, security & HIPAA compliance advisor at Fortified Health Security, fears that any reported decline in ransomware is likely to give a false sense of optimism -- and potentially lead healthcare organizations to relax their vigilance. "I've not seen anyone address ransomware in their security training and awareness program or disaster recovery plan," he told SecurityWeek. "In the state of Tennessee just two weeks ago, a breach notice was sent out to thousands of people due to a local Memphis organization getting hit with ransomware. Adding to it, they're a business associate to a number of major hospitals in the area, so they had to be notified as well. It's a huge mess."
While the number of ransomware attacks has decreased over last year, the number of breached patient records has grown from 1,767,955 in the second half of 2017 to 1,928,432 in the first half of 18 -- an increase of 9.08%. "The positive trend in reduction of the use of ransomware is overshadowed by the continued high volume of major attacks," says Cryptonite. "Healthcare insurers, hospitals... and a broad variety of other important health entities such as surgical centers, skilled nursing facilities, urology centers, vision surgical centers, cancer treatment centers, MRI/CT-scan centers and diagnostic laboratories fall victim to these attacks every month."
But White points out that these statistics are official numbers only. "Bottom line is, ransomware continues to be a huge problem for all healthcare organizations. How many healthcare organizations haven't reported being hit with ransomware? I'd imagine they'd prefer to remain off the radar as much as possible," he told SecurityWeek. "Everyone needs to remain vigilant and ensure they have the ability to recover as quickly as possible if/when they get hit."
Rockville, Maryland-based Cryptonite emerged from stealth mode in October 2017. A spin-off of Maryland defense contractor Intelligent Automation (IAI), Cryptonite is led by President and CEO Michael Simon, and Justin Yackoski, CTO and former lead researcher at IAI.