Ransomware: A persistent threat in healthcare

Almost 70 per cent of the attacks seen in healthcare are reportedly ransomware.

October 14, 2019 Deepa Narwani, Editor

A recent report discovered that the potential value for a patient healthcare record on the Dark Web is over a thousand dollars. Alarmingly, the latest Mimecast Email Security Risk Assessment (ESRA) found that one in every 350 emails received by the healthcare industry was an impersonation, compared to the average of one in every 4,290 emails for other industries.

Moreover, Ponemon Institute’s 2018 Cost of a Data Breach Study reported that “for the eighth year in a row, healthcare organisations had the highest costs associated with data breaches, costing them US$408 per lost or stolen record, nearly three times higher than the cross-industry average (US$148).” Furthermore, Black Book Market Research found that the overall impact of cyberattacks on hospitals and healthcare systems is estimated to be nearly six billion per year.

Everybody uses email. However, healthcare, like many other industries, has not invested in cybersecurity or taken it seriously over the years, Jeff Ogden, General Manager – Middle East, Mimecast, highlighted in an interview with Arab Health Magazine.

He said: “An email leak or a data breach has reputational impacts, as well as risk to individuals. You can’t change records in healthcare as it includes personal information and health data that can be used to create targeted cyberattacks.”

Ogden stressed that almost 70 per cent of the attacks seen in healthcare are ransomware. “Losing records or ransomware means that perhaps a procedure or an operation that was planned for the day couldn’t take place. Or there was a process of recovery that delays the operation, which could impact revenue and reputation,” he explained.

The Middle East and the UAE have invested heavily in healthcare. The region is a hot spot for medical tourism, and many overseas brands and institutions are present here along with local government institutions. According to Ogden, these factors have made the healthcare industry a big focus in the region; however, it is still a bit behind in putting the appropriate technologies in place to secure the infrastructure.

Healthcare is reportedly the only industry where the predominant threat of a data breach is internal staff. “For example, one of the things that happens is that consultants can often be sub-contracted by several institutions. Sometimes it’s easier for them to email records, either to the patient or to themselves or other consultants for additional information, making it extremely complex to control those patient records,” he explained.

The consultants have to move records around and are instructed that these have to be online, protected and encrypted, and sometimes burnt to a CD. However, that doesn’t always happen, as sometimes patients insist that they can’t collect their records and ask for them to be emailed. And once a record is outside the system, it is out of the control of the facility.

Ogden said: “Mimecast’s ESRA measures the level of security the organisation has in their emails. About 11 per cent of malicious emails come through a typical organisation. In healthcare, we are seeing that it is over 16 per cent and it is a big number. The risk and cost of a breach in the industry are significantly higher.”

To combat this situation, Mimecast is doing a lot of work to educate users and has restricted what they can send in and out. “We are teaching people to understand the difference between a legitimate email and one that isn’t. We do a lot of education and have the Mimecast Awareness Training (MAT) where we can teach people to look for signs such as what the header, content and subject of suspicious emails can look like. Everyone across the board gets training. Our services are also Health Insurance Portability and Accountability Act (HIPAA) and GDPR compliant. We also do two-factor authentication that makes the system far more secure,” he concluded.
