Cybersecurity and Fraud Protection
A Preventive Approach to Ransomware in the Healthcare Sector
The threat to health organizations is serious, but proactive measures can mitigate the risk of ransomware.
Healthcare organizations of all shapes and sizes—from small offices or clinics to major healthcare systems—are prime targets for cybercriminals. Hackers see a potential payday by crippling your operating systems that collect and store sensitive patient health and personal financial data. But with the right training and sound practices in place, your organization can help avoid ransomware attacks, or minimize the disruption they can cause when they do strike.
In the first five months of 2021, the U.S. Department of Health & Human Services (HHS) identified 48 ransomware incidents against the nation’s healthcare sector. In October 2020, a joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and HHS warned that the federal government has “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” and that the issue will be “particularly challenging for organizations within the COVID-19 pandemic.”
The healthcare industry presides over an enormous and ever-growing amount of sensitive patient medical and financial data. An outage could have devastating effects, and cybercriminals are counting on that to victimize organizations with the means and motivation to pay ransoms.
“In the current environment, healthcare organizations need to assume they’re active targets for ransomware attacks and need to start putting comprehensive protocols and controls in place to help protect their businesses and patients they serve,” says Lauren Ruane, managing director and co-head of J.P. Morgan’s Middle Market Healthcare group. “Technology and digitization have transformed healthcare in many constructive ways, and as practices modernize, it’s a great opportunity to bolster current tools and infrastructure with an eye toward enhanced security.”
Here are a few areas where health organizations can consider making preventive changes to enhance existing internal protocols.
Start with vigilant staff.
Humans are typically the weakest link in any cyber defense plan. A staff well-versed in understanding social engineering tactics, like phishing or business email compromise, can spot those attempts by criminals and avoid making a catastrophic click that could let malware inside your system.
Training can help your employees avoid risky behavior online, like clicking on unusual links or files or joining unprotected WiFi networks. It doesn’t matter how simple or sophisticated your technology setup is: Every business faces a serious risk because every network has people using the technology—and they’re often the biggest security gap. Conduct regular training and exercises so that everyone in your organization is aware of how criminals can take advantage of vulnerabilities in systems. Find ways to demonstrate how social engineering tactics like phishing require everyone’s guard to stay up at all times. And when new employees or contractors join, make cybersecurity education a substantial part of the onboarding plan.
Once you have built a culture of security within your organization, the next step is to give your team tools for success. Inside your office, make sure that employees’ personal devices are used on networks separate from your critical systems. Reinforce cybersecurity with informative posters, magnets or labels at desks or in breakrooms. Employ antivirus software to scan emails and websites for malicious links. Since email is the main avenue criminals use for ransomware attacks, encourage staff to use secure messaging tools like encrypted email when sending information to patients.
Downtime after a ransomware attack can be devastating to your bottom line, your reputation and especially to patient care.
Keeping regular backups of your data will help you restore affected systems. It’s even better to keep different copies of your backups in different locations, including offsite cloud-based services.
Use backup platforms for health records that are immutable—meaning they can’t be encrypted, changed or deleted whether by you, your staff or the bad guys. If ransomware strikes, the most recent clean immutable copy can get your systems operational quickly.
Keeping your software up to date with the latest security patches will close potential vulnerabilities in your system as they’re discovered.
When taking a risk-based approach to patching, your organization can consider several factors to decide if, when and how to implement patches and updates. Those include the location of the system on the network (whether it is externally or internally facing), the type of data it contains, its function and criticality to the business, and whether or not the patch itself could disrupt operations. Proper testing of patches before implementation can reduce the chance of disruptions.
Vet your vendors.
A digital health practice relies on third-party vendors to support day-to-day functions, whether through software providers, IT consulting, billing and accounting services, back-office administration, web development, pharmacies, and more. Even if you’re not directly targeted by a ransomware incident, you could see the ripple effects from attacks on your vendors.
Protect yourself by asking your vendors about their data governance, security hygiene, network architecture and incident response plans. Keep the vendors accountable. If a vendor’s security isn’t as tight as yours or you can’t get the information you need, have it addressed right away or seek out alternative vendors that offer the security and transparency you need.
If your office is part of a broader health system or has partnerships with larger health organizations, check to see if those organizations provide cybersecurity resources they share with other healthcare stakeholders.
Align cybersecurity efforts with HIPAA compliance.
Most anti-ransomware practices align closely with the security rules within the Health Insurance Portability and Accountability Act. The federal law provides guidance on preventive measures and requires health organizations to follow rules around managing, responding to and reporting attacks to the U.S. Department of Health & Human Services—including reporting data breaches like ransomware attacks. Violations of HIPAA’s Security Rule can result in civil fines from HHS or from state attorneys general.
Your organization’s executive leaders and IT staff should develop your anti-ransomware efforts closely with your HIPAA compliance officer.
- Health organizations are a growing target of ransomware attempts.
- Look carefully not only at your own organization, but at the practices of your third-party vendors and other stakeholders in the healthcare sector.
- Persistent training and proactive security tools like patching reduce the chances that a ransomware attack will be successful.
- Backups of data can help you recover without engaging with the cybercriminals.
Visit our Cybersecurity and Fraud Protection Insights page to learn more about how J.P. Morgan’s experts can keep your organization safe.
Disclaimer: The material contained in this document is intended as general cybersecurity awareness. It does not provide a comprehensive list of all types of cyberfraud activities or identify all types of cybersecurity best practices. Any recommendations made in this document are not guaranteed to be accurate or complete. The audience member is responsible for determining how to best protect against cyberfraud activities and for selecting the cybersecurity best practices that are most appropriate for his or her needs.