- A third of healthcare organization employees who have experienced a ransomware attack said it was not the first time their organization had been victimized, according to a new Kaspersky Lab report.
- The cybersecurity firm commissioned Opinion Matters to survey 1,758 employees of U.S. and Canadian healthcare organizations. Among those reporting ransomware attacks, more than 80% admitted knowledge of up to four such attacks. In fact, 78% of U.S. respondents and 85% of Canadian ones said their organization had experienced up to five attacks.
- Among health IT employees, 27% said their organization had experienced a ransomware attack within the past year.
Cybercriminals see a potential treasure trove in personal health data and have stepped up malware and ransomware attacks in recent years to access it, disrupting services and threatening to sell information on the darknet. The May 2017 WannaCry ransomware attack froze computers at hospitals in the United Kingdom and affected businesses in 104 countries worldwide. Not far behind was another virus, a strain of Peyta, which spread across Europe before hitting U.S. targets
According to HHS, more than 110 hacking and IT-related incidents affecting 500 or more people have occurred in U.S. healthcare organizations this year. A Proteus analysis put the number of patient records breached in the third quarter of 2018 alone at more than 4.4 million.
"Healthcare companies have become a major target for cybercriminals due to the successes they'd had, and repeatedly have, in attacking these business," Rob Cataldo, vice president of enterprise sales at Kapersky Lab, said in a statement. "As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach. Business leaders and IT personnel need to work together to create a balance of training, education, and security solutions strong enough to manage the risk."
When it comes preventing cyberattacks, organization size can make a difference. Nearly eight in 10 employees at large enterprises and three-fourths of those at small to medium businesses said they would report a suspicious email to their company's IT teams, compared with 57% of workers in very small businesses.
Roughly a fourth of all respondents expressed confidence in their employer's cybersecurity strategy, but just 14% believe their organization has adequate cyber controls for connected medical devices and 11% said better security was needed for when employees work remotely.
Employees top reason for wanting cybersecurity measures is to protect patients (71%), following by protecting organizations and employees (60%) and job security in the event of a cyber incident (31%).