Hackers and cybercriminals who use ransomware have one goal in mind: run malicious code on a system with valuable data, then demand the victim organization pay a ransom, usually in the form of bitcoin. Healthcare organizations are particularly vulnerable to these ransomware attacks, which, unfortunately, show no signs of slowing down. With damages predicted by Cybersecurity Ventures to reach $11.5 billion by 2019, hospitals can't afford to take chances with their security practices, and many health IT leaders are building up their protections against these threats through technical and nontechnical means. However, software tools may not always be enough.
In the majority of successful ransomware attacks, the attackers use deception and social engineering scams to get unsuspecting users within the organization to run malicious code. These can range from phishing to pretexting methods, meaning the attacker pretends to be someone they are not. These types of attacks are frequent and less complex than other cyberattacks, making the attacker's job far too easy and requiring almost no technical or hacking skills. Outside of common security and antivirus software, there are practical steps hospitals can take to combat social engineering scams.
The damage resulting from a successful ransomware infection can be costly for healthcare organizations. Not only can the organization face potential data loss and downtime, but it is also susceptible to civil and criminal penalties under the HIPAA Breach Notification Rule if data is lost or breached. This threat has encouraged hospitals to further increase their investments in digital security protection, which often includes the purchase of additional threat management and protection software.
One of the most challenging areas for IT to control and protect is malicious code that reaches the end user's mailbox and tricks the reader into giving up a password or clicking on a link or attachment that carries the ransomware. This concern has pushed healthcare CIOs and CISOs to consider investing in awareness and end-user education to help fend off the social engineering scams and deceptive tactics that trick users into clicking on and downloading malicious content.
Attackers continue to come up with new subjects and messaging, such as fake LinkedIn requests, to get users to click on links in email messages and execute malicious code. Users who regularly receive legitimate notices of this kind could easily mistake a phishing email for a real one, click on the malicious message, and infect their computer and possibly the entire network.
To help end users become more diligent and aware of these new tactics used by cybercriminals, health IT departments will need to focus on increasing their training and education for those users around phishing attempts. This may include showing them examples of social engineering scams and providing them with practical tips to prevent them:
- Be diligent when it comes to opening emails from others.
- Don't open attachments that are either unexpected or from unknown individuals.
- Review the links included in emails that ask to change account information.
- Ensure the computer being used is running antivirus.
- Question unusual emails from known sources asking for account information or money transfers.
- Be aware that there are other methods of social engineering that include phone and text phishing.
- Keep personal information on social media private so it does not get used by attackers.
- Use complex passwords that are not easily predictable to others.
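The tips above are written for end users, but a few of them (reviewing links that ask for account changes, distrusting unexpected attachments, questioning mail that claims to come from a known source) can also be checked mechanically before a message ever reaches a mailbox or as part of a training exercise. The script below is an added example, not code from the original article: it parses a constructed sample message (a fake "LinkedIn" notice, not a real phishing email) and reports three of the warning signs the list describes: a display name that does not match the sending domain, a link whose visible text points at one domain while its target goes to another, and an attachment with an executable extension. The `registrable_domain` helper is a deliberate simplification (last two DNS labels, no public-suffix list), so it is labelled as an assumption in the code.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for demonstration only; domains are .test/.example
# placeholders and the base64 payload is a harmless stub, not a real file.
SAMPLE_EML = """\
From: "LinkedIn" <notifications@mail-linkedin-example.test>
To: staff@hospital.example
Subject: You have a new connection request
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have a new connection request.</p>
<p><a href="http://login.account-verify.test/reset">https://www.linkedin.com/requests</a></p>
<p><a href="https://www.linkedin.com/help">Help center</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Extensions that Windows will execute directly; a double extension such as
# "invoice.pdf.exe" is a classic way to disguise one of these as a document.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list is consulted, so 'x.co.uk' is mishandled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_url(text: str) -> bool:
    """True when the visible link text itself reads like a URL or hostname."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I))


def host_of(text: str) -> str:
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def analyze(raw: str) -> list:
    """Return a list of human-readable warning signs found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Does the friendly display name match the domain that actually sent the mail?
    #    (Heuristic: compare the name to the second-level label; expect some false positives.)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    if name and "@" in addr:
        sender_domain = addr.split("@")[1]
        sender_label = registrable_domain(sender_domain).split(".")[0]
        name_token = re.sub(r"[^a-z0-9]", "", name.lower())
        if name_token and name_token != sender_label:
            findings.append(f"sender display name {name!r} does not match sending domain {sender_domain!r}")

    # 2. Does each link's visible text agree with where the link really goes?
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = AnchorCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.anchors:
            if looks_like_url(text):
                shown = registrable_domain(host_of(text))
                actual = registrable_domain(host_of(href))
                if shown != actual:
                    findings.append(f"link shows {shown!r} but goes to {actual!r}")

    # 3. Are any attachments executable, including behind a double extension?
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if any("." + suffix in RISKY_EXT for suffix in fname.split(".")[1:]):
            findings.append(f"attachment {fname!r} has an executable extension")

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("WARNING:", finding)
```

Run against the constructed sample, `analyze` returns three findings, one per check. A hospital mail gateway would typically quarantine or tag such a message rather than deliver it, and the same findings make useful talking points in user training because each maps directly to one of the tips above.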
The best defense against attackers using social engineering scams is and will always be awareness. Hospital IT departments have already been investing in security tools for years to help keep their systems protected. But unfortunately, with the increasing volume of phishing attempts and social engineering used by hackers, more emphasis on training and education is needed to ensure end users can differentiate between an email sent by a trustworthy contact and one sent by a cybercriminal.