Ransomware Awareness: Mitigating Attacks
According to the Office of Information Security (OIS), part of the Department of Health and Human Resources (HHS), ransomware is a type of malicious software, or malware, that encrypts computer data. This encryption makes the data unusable to the organization. In addition, this data is often stolen and then held hostage until the ransom is paid by the organization. If the ransom is not paid, the data remains unavailable and may be sold to other cyber criminals for their use.
Although ransomware attacks have been around for decades, they are becoming more frequent and widespread. Even the execution of these attacks has progressed from a single individual or cybercrime group to Ransomware-as-a-Service (RaaS). RaaS is considered a “business model” in which ransomware operators develop and keep malware and sell or lease this malware to hackers (aka RaaS affiliates) to be used in ransomware attacks. These ready-made RaaS kits can be used by affiliates that only need to have a limited technical skillset to execute the attacks. However, as part of the RaaS model, these ransomware attacks may be carried out by many groups responsible for specific aspects of the attack.
The motivation for these attacks is simple – monetization. The OIS has identified this modern ransomware attack in which the RaaS model is frequently used as Big Game Hunting (BGH). The goal of BGH is to “focus efforts on fewer victims that can yield a greater financial payoff. Victims are chosen based on their ability to pay a ransom, as well as the likelihood that they will do so to resume business operations or avoid public scrutiny.” Hospital systems, other healthcare institutions, and organizations that hold personal data such as medical records are common targets. Recent ransomware attacks, including Change Healthcare and Ascension Health System, have resulted in a critical disruption of direct patient care and processing of claims.
The Federal Bureau of Investigation (FBI) issued their annual Internet Crime Report for 2023. In this report, 249 healthcare and public health sectors were affected by ransomware attacks. In addition, the number of reported ransomware attacks directed at U.S. hospital systems nearly doubled from 2022 to 2023, indicating that cybercriminals are progressively targeting healthcare institutions. However, only 63% of healthcare organizations have a cybersecurity response plan in place, according to a survey from advisory firm Software Advice.
To promote cybersecurity for the health care and public health (HPH) sector, the HHS released voluntary Cybersecurity Performance Goals earlier this year to help the HPH sector prepare for and respond to cyber threats and attacks. This document includes “essential goals to outline minimum foundational practices for cyber security performance and enhanced goals to encourage adoption of more advanced practices.” Examples of essential goals include mitigating known vulnerabilities, email security, multifactor authentication, basic cybersecurity training for users and strong encryption. Examples of enhanced goals include asset inventory, cyber security testing, network segmentation and third-party vulnerability disclosure/incident reporting.