Following news that a cyber-attack on a major IT provider of the NHS, Advanced, has been confirmed as a ransomware attack (NHS IT supplier held to ransom by hackers - BBC News), Erfan Shadabi, Cybersecurity Expert at comforte AG, explains further about attacks on healthcare providers:
Healthcare providers and related corporations – such as third-party service providers – are among the most highly regulated organizations in any market. The reason is obvious: they collect and handle some of the most sensitive personal data about an individual. The report that a major IT provider of the NHS has experienced a ransomware attack should trigger alarm bells within any similar provider. The best way to mitigate such cyberattacks is to safeguard sensitive records such as medical information through a data-centric approach. Data-centric methods such as tokenization replace sensitive data elements with tokens that maintain the analytic value of the data while obscuring the actual sensitive information itself. It becomes non-identifying and therefore worthless in the hands of threat actors, while remaining fully workable by the enterprise.
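As an added illustration of the data-centric approach described above (example code written for this page, not comforte's product or any NHS system): a toy vault tokenizer that swaps patient identifiers for random tokens and shows that a per-ward patient count comes out the same on tokenized records as on raw ones. The field names, the digit-preserving token rule and the sample records are constructed assumptions.

```python
import secrets

SENSITIVE_FIELDS = ("nhs_number", "name")

class TokenVault:
    """Maps each sensitive value to a random token, deterministically per value,
    so grouping/joins on tokenized data match raw data; tokens carry no PII."""
    def __init__(self):
        self._to_token = {}   # raw value -> token
        self._to_value = {}   # token -> raw value (kept only on the vault side)

    def _new_token(self, value):
        # Toy rule: digit-only values keep their length and digit-only shape
        # (no NHS check digit is computed); anything else becomes a hex token.
        if value.isdigit():
            return "".join(str(secrets.randbelow(10)) for _ in value)
        return secrets.token_hex(8)

    def tokenize(self, value):
        if value not in self._to_token:
            token = self._new_token(value)
            # Reject the rare collision with an existing token or raw value
            while token in self._to_value or token in self._to_token or token == value:
                token = self._new_token(value)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token):
        """Only the vault can reverse a token; the analytics store never can."""
        return self._to_value[token]

def protect(records, vault):
    """Return copies of records with sensitive fields replaced by tokens."""
    return [{k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
             for k, v in r.items()} for r in records]

def patients_per_ward(records):
    """Analytics that work identically on raw and tokenized records."""
    seen = {}
    for r in records:
        seen.setdefault(r["ward"], set()).add(r["nhs_number"])
    return {ward: len(ids) for ward, ids in seen.items()}

# Constructed sample records (placeholder identifiers, not real patients)
RECORDS = [
    {"nhs_number": "9999999990", "name": "A. Example", "ward": "ICU", "diagnosis": "pneumonia"},
    {"nhs_number": "9999999990", "name": "A. Example", "ward": "ICU", "diagnosis": "sepsis"},
    {"nhs_number": "9999999991", "name": "B. Sample", "ward": "Oncology", "diagnosis": "lymphoma"},
]
```

A compromise of the tokenized store alone yields only tokens; the vault is the component that needs the strongest access control and separate key management.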
Additionally, Chris Clements, Vice President of Solutions Architecture at Cerberus Sentinel, explains more about the risk of vendors: "This cyberattack is further evidence that all organizations must adopt a culture of security that incorporates risks stemming from the breach of a vendor and strategies for mitigating the worst potential outcomes, both from data loss or exposure and operational disruption. While this affects all organizations, those that provide critical services like utilities or healthcare need to have expanded and redundant contingencies for cyber-resiliency. This is no longer theoretical; we've already seen effects from cyberattacks that have contributed to loss of life."
Desiree Lee, CTO for Data at Armis: "Cyberattacks can be carried out for a variety of reasons, including credential theft, theft of financial data like credit card numbers, or access to other sensitive files.
Ransomware, however, is unique; it specifically targets the data required for a company to continue to operate. In healthcare this targeted data is often medical records, which means that a patient who comes into the ICU and can't provide their own medical history could be at risk of receiving the wrong treatment or medicine.
The criminals behind the ransomware use data as leverage, and keep it locked until demands are met. In many cyber attacks, the attack is over once it happens. With ransomware, the initial attack is just the beginning of a long negotiation cycle to retrieve the data required to operate."
Andy Norton, European cyber risk officer at Armis: "Why does it matter that this is ransomware and not another generic cyber attack?
"It matters because ransomware is disruptive and has a negative impact on the everyday functions of society; this hurts the target by creating situations of internal conflict and the potential to weaken an adversary's resolve. In addition, if they can make a quick buck in doing so, that's all good too."
Sam Curry, chief security officer at Cybereason, said "Healthcare companies and hospitals, in particular, have long been targets of ransomware gangs because they have more money and an urgency to pay. That hasn't gone away in the latest waves, but it has become less visible as new sectors are targeted, including critical infrastructure operators. One could argue that hospitals are part of the critical infrastructure ecosystem already.
"My advice for hospitals, and any organisation, is to not pay if you can avoid it. In some cases, you can't legally pay as with funding terrorism and organised crime, but it's not a good idea to ever pay unless the cost of doing so affects human life, public safety or is existential. You can't pay your way out of ransomware, and as Cybereason's recent global ransomware study proves, companies that admitted paying ransoms were hit a second, third and fourth time by attackers. Sadly, it is often the same criminals doing it. Also, paying doesn't make the ransomware problem go away since nearly half of the organisations don't recover data correctly, and it will become public anyway.
"I've been asked in the past if there should at least be some type of rules of engagement with the cyber criminals with an agreement that they don't attack hospitals, children or charities? Sure, no one should do that, but in the cold arithmetic of profit without accountability or responsibility, no one is off limits. It's a cold business and the hackers are often soulless."