In their report on the top connected device threats in 2016, Pwnie Express Surveyed over 400 respondents in the areas of information technology and security. Their results are a warning to all businesses:

• 86% of information security professionals are concerned with connected device threats, with most being more worried about these threats than they were a year ago.
• 40% report that their organization is “Unprepared” or “Not Prepared At All” to find connected device threats.
• 37% cannot even tell how many devices are connected to their networks.

(The Internet of Evil Things)

What is the Internet of Things?

In our recent post on Ransomware and the Internet of Things, we briefly discussed what the “Internet of Things” (IoT) is, and how we expect it to become increasingly vulnerable to ransomware. Examples of the IoT include any electronic device that is connected to the internet: cell phones, pacemakers, electronic components in factories, thermostats, cars, and more.

And we can expect the IoT to grow over the next several years. According to a 2016 report on internet security from Symantec, “In the USA, there are 25 online devices per 100 inhabitants, and that is just the beginning. Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016, and will reach 20.8 billion by 2020.”

What Kinds of Threats Can Be Expected?

According to Pwnie Express’s report, the major IoT device threats in 2016 will be related to:

• Unauthorized, accidental, or misconfigured access points;
• BYOD and the personalization of (formerly) corporate hardware; and
• Insecure, misconfigured, and vulnerable IoT devices.

Wireless access points can present several vulnerabilities, such as failure to modify default configurations. “Routers, switches, operating systems and even cellphones have out-of-the box configurations that, if left unchanged, can be exploited by individuals who stay abreast of such things.”  Brad Casey, Techopedia.com.

BYOD (Bring Your Own Device) policies can also leave your organization vulnerable. In addition to making a tempting target for hackers, users of mobile devices are often not as careful as they need to be when downloading apps. Even more worryingly, according to the report The Internet of Evil Things, “Most security professionals are not ready to monitor or detect less-common RF and off-network IotT devices, 87% cannot see Bluetooth devices, and 87% cannot monitor 4G/LTE devices in real time. Additionally, 71% cannot monitor off-network WiFi devices in real-time and 56% cannot monitor on-network IoT devices in real-time.”

Preparing to Protect Against Vulnerabilities

While many information security professionals seem to be aware of the threats they face from working with mobile devices and the IoT, surprisingly few seem to be prepared for it.

For example, The Internet of Evil Things states that 35% of respondents say that their organization has no BYOD policy in place. Further, while 65% of the respondents report that they have a BYOD policy, only 50% of them actually have a way to enforce these policies. Obviously, unenforced policies are an invitation to non-compliance and do not provide real protection.

While connected devices offer advantages in terms of flexibility for organizations, they also come with great risks. And with attacks still on the rise in 2016, protecting your business is more important than ever.

U.S. hospitals have been faced with an alarming surge in ransomware attacks this year. In these attacks, hospitals find themselves without access to critical patient information. In addition to seriously threatening patient safety, hospitals themselves are also harmed. Necessary interruptions to services while recovering from the attacks damage organizations’ reputations, and financial costs can include ransoms along with costs associated with liability.

Ransomware attacks are a growing threat. Organizations need to focus on necessary steps to protect their data and to stay current on new security requirements arising to meet this threat.

In the first part of this two-part series, we’ll look at what ransomware is, and what makes hospitals and healthcare organizations particularly vulnerable to ransomware attacks. In the second part, we’ll take a look at solutions all organizations (not just hospitals) can employ to mitigate the risk from these attacks, and also discuss possible future changes to security requirements that may develop in response to the increase of ransomware related cybercrime.

What is ransomware?

In their January 2016 brief, “Hacking Healthcare IT in 2016,” the Institute for Critical Infrastructure Technology refers to  ransomware as “the primary threat to organizations in 2016.” Ransomware is a specific type of malware that works by preventing or limiting users from accessing their systems or data, often by encrypting the data. This kind of malware requires payment of a ransom in order to regain access to systems or data. Of course, even after a ransom is paid, there is no guarantee that access will actually be returned or that data will be undamaged. Some examples of ransomware include Locky, CryptoLocker, and CTB Locker.

Why are healthcare organizations so vulnerable to ransomware attacks?

Within just the past few months, hospitals that have reported attacks include Hollywood Presbyterian Medical Center in Los Angeles, Methodist Hospital in Kentucky, and MedStar Health’s ten hospitals and over 250 outpatient clinics in Maryland and Washington D.C. Officials suspect that additional attacks may have gone unreported by organizations choosing to deal with such matters internally rather than risking the damage to their reputations that publicly acknowledging vulnerabilities can bring.

What makes hospitals such tempting targets for cyber criminals? One reason is that hospitals rely on having fast access to accurate and up-to-date information in order to provide care for patients. This means they are more likely to pay a ransom than other organizations might be, as they are trying to avoid harm to their patients (up to and including death) and of course, lawsuits.

Another less obvious reason is that hospitals have until present been focused primarily on educating their employees mainly in HIPAA compliance, and much less on cybersecurity. This leaves hospitals employees especially likely to fall victim to social engineering attacks such as phishing, which can give ransomware attackers the entry they need.

The older software used by some hospitals can also provide a tempting point of entry for ransomware attackers. For example, a recent alert from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team warns that certain systems used to automate the tracking and dispensing of medical supplies contain numerous security vulnerabilities.

Additional Links:
TrendMicro – History of ransomware.
Wired.com – Why hospitals are the perfert target for ransomware.
DataBreachToday.com – Security flaws in legacy medical supply systems.