Held to ransom: why healthcare is a top target for cyber criminals

Healthcare is the most heavily targeted sector in the UK. Yet it is also the sector that invests the most in anti-ransomware technology. Why does this contradiction exist, and what can the sector do to protect itself better in future?

Ransomware attacks, in which criminals lock or encrypt systems and data and demand payment to restore access, are becoming more prevalent, and healthcare is the sector hit most often.

According to research from security vendor Sophos, which explored key areas of concern such as security breaches, technology usage and attitudes to threats, 54% of organizations were hit by ransomware in the past year, and a further 31% expect to be victims of an attack in the future. It also found that, unlike lightning, ransomware can sadly strike twice: affected organizations suffered two ransomware attacks on average in the preceding 12 months.

The research, conducted by research firm Vanson Bourne among 2,700 IT managers in 10 countries, also found that the likelihood of suffering a ransomware attack varies greatly by industry sector.

Healthcare stands out, with 76% of respondents falling victim in the past year. At the other end of the scale, financial services is the sector least likely to have been attacked, although even that industry did not escape the attention of criminals: 45% of respondents were still hit by ransomware.

Although both healthcare and financial services hold high-value data, healthcare is often perceived as a soft target, which leads to more frequent attacks. That perception is not without merit: healthcare tends to run aging IT infrastructure and multiple separate patient systems, which leaves gaps in its defences, and it has limited resources for improving IT security. Healthcare organizations are also considered more likely to pay a ransom, because downtime directly affects patient care.

However, the level of investment in protecting against ransomware also varies significantly between sectors. Energy, oil/gas, utilities and healthcare are the industries that have invested most heavily in anti-ransomware technology. They are high-value targets for criminals, and they depend on bespoke, expensive equipment built on old technology, such as MRI scanners in healthcare, which cannot simply be replaced or upgraded when its software becomes outdated.

But healthcare presents an interesting paradox. It is the sector most likely to suffer an attack (76%), and yet also among the most heavily invested in anti-ransomware protection (53%, level with energy, oil/gas and utilities).

How does this contradiction arise? In part, it is because criminals continue to see healthcare as an easy target, so a disproportionate number of attacks are aimed at the industry. In addition, the older technology healthcare relies on (such as the aforementioned MRI machines) runs only on old operating systems, which are frequently out of vendor support and no longer receive security patches, so known vulnerabilities stay open.

Healthcare also tends to fight a battle against limited or restricted resources in this area. A shortage of people, hardware and software leads to patchy security, so even when one part of the organisation has the necessary anti-ransomware protection, it is not deployed across the board. Malware can still get in through the unprotected parts.

There is also the question of quality. Not all anti-ransomware protection is created equal; some products are simply less effective at stopping an attack. It would not occur to an organisation to leave its doors unlocked, yet far too many leave the electronic equivalents wide open.

Fortunately, healthcare organisations are learning from experience and have chosen to invest in anti-ransomware technology after seeing the harm caused by earlier attacks. They are also starting to understand that protection is about doing the basics well: using strong passwords, and keeping all applications, not just Windows, patched and up to date. Stronger still is requiring multi-factor authentication, so that access to data depends on a second factor in addition to a password and a stolen or guessed password alone is not enough.

However, people are still the weakest link when it comes to security. All staff must understand the need to be suspicious of links and attachments in emails, which remain a common route for ransomware to get in. Remember the mantra: ‘if in doubt, leave it out’.

Training on cyber security across the healthcare spectrum is essential and should be mandatory, so that everyone from the cleaner to the CEO is aware of the dangers of ransomware. After all, no one wants to be the weakest link.