Ransomware is now a big business, with a security vendor estimating that one attacker collected US$121 million in ransomware payments during the first half of this year and netted a profit of US$94 million. It can even be had as a ransomware-as-a-service offering.
But while many fall victim to so-called ‘spray and pray’ attacks, certain industries appear to be targeted. That’s the opinion of Kurt Roemer, chief security strategist at Citrix, who is in Winnipeg today to address a healthcare security workshop run by his company.
“We see that hospitals are specifically targeted because of the sensitivity of data,” he said in a phone interview.
An attacker may be after the medical information of a politician or celebrity patient, hoping to either sell the data or blackmail the individual, he said.
“One of the challenges is a lot of IT organizations in hospitals have set up their networks to be very flat,” he said. The advantage of such networks is they communicate very effectively. However, internal network security hasn’t until recently been strong enough.
That has to change not only because attackers are getting directly into the networks, but also because health practitioners are increasingly using mobile devices and working remotely, he said. So IT has to segment networks and critical applications so attackers can’t roam around networks.
And while security awareness training is important to encourage staff not to click on links or attachments, hospitals can go one step further and virtualize browsers for added protection.
The increase in ransomware also highlights the need for hospitals to have real-time data backup and recovery capability so even if an attack is successful a device can be rolled back and the ransom won’t have to be paid.
In addition, infosec pros have to keep personal health data off mobile devices that are not owned and managed by the institutions through technologies such as containerization, he said.
There have been headlines this year about large American hospitals stung by ransomware, but Canadian institutions have also been hit. In March the Ottawa Hospital said four computers were encrypted.
The reason why hospitals and health insurers are targets is clear: they are large repositories of data. According to Websense’s senior security product marketing manager, a health care record on the black market is 10 times more valuable than credit card information, which can be neutralized quickly by the card issuer by changing cards and/or issuing cards with encrypted chip-and-PIN technology.
If a medical record is breached, agreed Roemer, “it’s game over – people know your entire medical history, they know information about you that you’d otherwise not have made public and there’s no way you can pull it back. So the sensitivity of data is many times higher in healthcare institutions. You need to balance that with the directive that patient care of the patient is number one, (so) sometimes security for very good reasons needs to take a back seat.”