Dive Brief:
- Targeted ransomware SamSam continues to pose a serious threat to healthcare organizations, and recovery can be difficult and costly, cybersecurity firm Symantec reports.
- Of the 67 organizations hit by SamSam this year, 24% were in healthcare and more than half were in the U.S. A handful were located in France, Portugal, Ireland, Israel and Australia.
- SamSam users gain access to an organization's network and spend time mapping out the system, often using legitimate network administration tools, before encrypting computers and demanding a ransom. Getting the attackers to decrypt all computers can cost tens of thousands of dollars, Symantec says.
Dive Insight:
SamSam attacks have been increasing. Among the healthcare organizations SamSam targeted this year are Allscripts and Hancock Health.
Healthcare is a popular cybertarget for a number of reasons. Many organizations use legacy equipment that runs on old and unsupported operating systems; failure to implement patches and updates leaves systems vulnerable; and ongoing consolidation within the industry can expose cybersecurity differences. And then there are patient health records replete with personal data that could be sold on the Dark Web.
According to a Ponemon Institute analysis for IBM Security, healthcare organizations had the highest breach-related costs of any industry at $408 per lost or stolen record — nearly triple the cross-industry average of $148.
When successful, a SamSam attack can disrupt operations and potentially destroy or alter vital business information, resulting in lengthy and costly cleanups. And paying a ransom is no guarantee attackers will decrypt the hijacked computers. Symantec warns that hackers may not send a decryption key or could implement the decryption process in a way that damages files.
The firm recommends following cybersecurity best practices, including — but not limited to — backing up important data.
Cyberthreat experts recommend organizations use a human-machine teaming approach to hunt down cyberattackers before a breach occurs. Key components of a successful program include beefing up staff education and security teams, deploying the latest firewalls and web gateways and creating early warning traps to draw attackers out of the shadows.
"It really is about finding the basic doors unlocked, the windows which have been not fully closed in the environment," Vincent Weafer, COO/CTO at TriagingX and former vice president of McAfee Labs, told Healthcare Dive in an earlier interview.