Keeping up with the evolution of cybersecurity and the threats that haunt IT across all industries, this text pays special attention to ransomware, a practice on the rise in the world of cybercrime, and focuses specifically on the healthcare sector. It is based on Sophos' annual report on cyber threats, which discusses the continuity of ransomware attacks, their impact on the victims, and the methods and costs of remediating an attack.
During the Covid-19 pandemic, the sharp increase in remote access and, in many cases, the use of BYOD devices with access to corporate environments became vehicles and possible gateways for cyberattacks, mainly ransomware. This was because there was no preparation and no structured form of containment and prevention against malware on unmanaged devices: the urgent isolation measures forced organizations to grant immediate remote access to corporate environments, in many cases without the IT administrators even knowing whether the device that would gain access to their networks had countermeasures against malware, such as an active and reliable endpoint protection agent.
The data showed that 34% of survey participants reported having already suffered some type of ransomware attack, which is relatively good news compared to the 46% of victims in the retail sector, leaving the healthcare sector below the average of those who participated in the survey.
This visibility into the problem is due to the obligations on healthcare organizations to disclose information security data, given the importance of the sector. Globally, there was a reduction in the volume of attacks compared to 2020, when 51% of victims admitted to having been attacked and the criminals were successful in the attack.
Comparing these points with data from other industries, we see that attackers have a much higher success rate in encrypting healthcare data (65%) than the global average (54%). Healthcare organizations are also less successful in preventing attacks than the global average: 28% versus 39%. This low performance may be related to a lack of interest in investing in information security, an overloaded IT team, the absence of a specialized staff member or partner, and the presence of legacy equipment with little or no capacity to prevent and combat cyberattacks, which thus becomes an easy access point for potential intruders.
Healthcare organizations are, unfortunately, among the sectors most likely to pay for data recovery: around 34% of respondents admitted they would pay to recover their data, against an average of 32% of respondents from other sectors. The sector most likely to pay a ransom is utilities, energy and fuel, where about 42% of respondents admitted they would pay for data recovery. Another point worth noting is the inability of healthcare organizations to recover their data from backups: globally, 57% of organizations that had their data encrypted were able to recover it, while only 44% of healthcare organizations were able to recover data using backups, the second-lowest rate among all surveyed industries.
What the attackers omit is that even if the ransom is paid, there is no guarantee that the data will be returned or decrypted: only 65% of those who paid to recover their data were successful, about 29% of the organizations that paid the ransom got back only 50% of their data, and just 8% received all of the hijacked data.
While the headline figures are the number of attacks, the percentage of data recovered and the form of recovery, the data is worrying because it directly reflects the technical competence of the teams and the tools available to each of them. However, when we shift the focus to the costs that each hijacking can incur for an organization individually, or to the volume globally, we get a clear measure of the damage caused by ransomware attacks. The average ransom paid globally is $170,000; for healthcare organizations this average is lower, only $131,300. Values vary widely and are always weighed against the size of the organization and its financial resources.
When we move to the overall costs of recovering data hijacked by a ransomware attack, considering the organization's operational downtime, lost hours, device costs, lost opportunities and the ransom itself, the average across the evaluated sectors is 1.85 million dollars, and for healthcare organizations it was 1.27 million dollars. There are several likely factors behind the lower healthcare costs. First, healthcare organizations tend to have lower budgets than other sectors, limiting the amount available to spend on remediation. At the same time, in many parts of the world, healthcare is a public service.
Looking ahead to the prevention and/or remediation of ransomware attacks in healthcare organizations, the expectation of an attack, or even of a successful attack, is an alarming reality: 63% of respondents expect to suffer some type of attack and only 37% do not foresee one. Assessing this variation, we see differences in attitude and confidence in dealing with a ransomware attack. Healthcare organizations that have not been hit by such an attack, but anticipate that they could be, attribute this volume of attacks to the pandemic: more healthcare organizations are being targeted by attackers, increasing the percentage compared to the years before the pandemic.
Assessing all the data, it is understood that despite the growth in attacks and their success rate, healthcare organizations are among the organizations most attentive to the evolving sophistication of ransomware, and even those that have not suffered attacks were certainly influenced by the experiences of others in their decision-making regarding the prevention and/or recovery of hijacked data.
Therefore, it is good practice to take preventive or corrective actions, and we recommend keeping in mind, first of all, that no sector, country or organization is beyond the reach of ransomware attacks, given the prevalence of this attack format. The recommendations are as follows:
– Plan, invest and specialize not only in backups but in the prompt restoration of your data; multiple backup copies become a wasted cost when the restore time or format is ineffective;
– Use redundancy in your backup copies, always in the 3-2-1 format: keep 3 copies on different media, preferably with one of them offline, in case recovery from the other two is not possible;
– Use layered protection. Put both technology and people to work in containing or repairing losses after a ransomware attack: invest in your information security team or engage specialized third parties who can collaborate with it;
– Understand and leverage the use of AI, which has the potential to provide immediate detection and prevention when an attack may be about to happen or in its aftermath;
– Avoid paying the ransom; although this may be the first option that comes to mind, studies show the ineffectiveness of this action and the expense it generates while your organization is at a standstill;
– Always have a malware recovery plan, because in these cases prevention is always the best option, as malware infection or data hijacking through ransomware can come from external as well as internal sources. Beware!
Source: Sophos (State of Ransomware in Healthcare 2021)