If Ransomware Hasn’t Hit Yet, It Probably Will
Assume you will be hit with ransomware and plan accordingly. So recommends Sophos, an IT security company that recently published results of a ransomware survey.
The 2021 survey reached 5,400 decision makers across 30 countries in a variety of sectors, including 328 respondents in healthcare. The survey showed that 63 percent of healthcare organizations that were not hit with ransomware last year expect to be a ransomware target in the future. Approximately one-third of the healthcare organizations surveyed were affected by ransomware in the last year.
As we noted earlier this year, ransomware is not only increasing, but it’s getting more ruthless. Some cyber criminals simply publish data with or without a ransom note. The only defense against this kind of attack is better Risk Analysis and Risk Management. The right kind of preparation can both help prevent attacks, and put you in a stronger position to recover if one happens.
Backing Up Data is Essential
When data is not backed up the ransomware threat can be devastating. The survey showed that only 44 percent of healthcare organizations whose data were encrypted by the cyber criminals were able to restore data with backup systems – this is lower than the global average of 57 percent. In healthcare, securing protected health information (PHI) with data back up is required by HIPAA.
Paying Ransom is Not a Solution
Most cybersecurity experts recommend against paying ransom.
The survey showed that about one third of the healthcare organizations admitted to paying the ransom. Don’t expect this to work, however.
According to Sophos:
“what attackers omit when issuing ransom demands is that even if you pay, your chances of getting all your data back are slim. On average, organizations that paid the ransom got back just 65 percent of their data, leaving over a third inaccessible.”
Healthcare organizations that paid the ransom only got an average of 69 percent of their data back, and the rest remained inaccessible.
The FBI and the Cybersecurity & Infrastructure Security Agency (CISA) both recommend against paying ransom. Not only does it not guarantee return of your data, but it encourages cyber criminals to keep attacking others.
Ransomware is Coming
Of those healthcare organizations that were not targeted by ransomware last year but expect to be in the future, 57 percent explained they believe this because they see that other organizations in healthcare have been targeted. Other reasons include the growing sophistication of attackers and known weaknesses in their own security.
There are some who still do not expect to be the target of an attack. Their reasons include that they are confident that their organization’s IT staff have the skills to prevent an attack, and many also believe their anti-ransomware technology will stop the threat.
Prepare, Prevent and Defend Against Ransomware
The blueprint for defense against cybercrime in healthcare, including ransomware, is a strong HIPAA Risk Analysis – Risk Management program.
Advice from Sophos tracks our advice to follow HIPAA Risk Management tactics, which also tracks the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) recommendations.
Sophos recommends using “anti-ransomware technology combined with human experts and deploying layered protection to block attackers from all access points.” Among the layers of protection that can be used, the HIPAA Security Rule requires, among other things, workforce security training, password management, access limitations, and daily data backups.
HIPAA Risk Analysis – Risk Management should part of the culture of all healthcare organizations. After the Risk Analysis is complete (at least once a year), Risk Management becomes part of the daily routine. All staff should be trained in cybersecurity defenses, all risks should be tracked and managed by specific staff responsible for improvements, and senior management needs to understand their responsibilities and support their staff.