Healthcare Systems are Clear Targets of Ransomware Attacks

If your healthcare network was kidnapped, what would you pay to ransom it?

It’s a question one California hospital network answered pretty quickly — $17,000. And it’s one that hospitals in Canada, Kentucky, West Virginia, and two others in Southern California also found themselves struggling to answer.

If a patient’s life was in the balance, what would you pay to access information that could save it? For many, the answer is an easy one — whatever it takes. Which is what makes medical networks such likely targets for cyberthieves.

Unfortunately, the recent spate of ransomware attacks making headlines across the country will only fuel hackers’ eagerness to turn hospitals into prey. And given the known weakness of many medical networks’ email protocols, more will likely fall victim in the future. That should come as no surprise.

Most industries implemented their IT cybersecurity over the course of many years. But “healthcare went digital almost overnight,” writes Niam Yaraghi of the Brookings Institution’s Center for Technology Innovation. According to Yaraghi, “9.4 percent of hospitals used a basic electronic record system in 2008, 96.9 percent of them were using certified electronic record systems in 2014.” And integral to those networks are emails systems, the most likely avenue of entry for hackers everywhere.

While admirable, rapid digital adoption put medical systems at risk, especially smaller ones whose modest IT budgets often precluded their ability to make email security a priority. This evolving history provides the perfect entry point for hackers. And since every hospital employee’s email address offers hackers phishing licenses to take a network hostage, hospitals will need to deploy increasingly robust email security systems quickly, efficiently, and economically.

Ransomware is just one type of scam available to hackers. The FBI has recently issued warnings about the dramatic rise in e-mail scams in general. Between October 2013 and February 2016 alone, American businesses lost more than $2.3 billion to scammers. And email hackers are equal opportunity employers, whose victims range from large corporations to tech companies, to small businesses, to non-profit organizations.

Most email users aren’t savvy to the rich range of tricks available to hackers looking for a way into a company’s network. And being skilled in their craft, they have proven wording, enticements, and similar means to win the trust of unsuspecting recipients who become the hacker’s unwitting accomplices by emailing “warnings” to colleagues, compounding the threat to a company’s network exponentially.

Hackers often include the email recipient’s name, home address, a reference to the company, and even a colleague’s name to gain credibility. Finding nothing out of the ordinary, recipients will click on a link or file, automatically downloading a ransomware file that can quickly lock down a business network which can’t be opened without an encryption key. Paying ransom to get an encryption key is often the fastest way to get life-saving medical information stored on network servers.

It’s clear that for any business in the healthcare arena, robust email security systems aren’t an option — they’re a necessity. And while the FBI tells organizations never to pay the ransom, anyone can see why a hospital might. Fortunately, by establishing the proper systems and security policies, hospitals of all sizes can mitigate the risk of ever being held hostage in the first place.


Originally published at blog.sendio.com.