Are Michigan’s health care organizations prepared for an increase in cyberattacks?
Derigiotis said recent cyberattacks in Baltimore and Atlanta resulted in millions of dollars in costs to get systems back up and running.
“In Baltimore, the ransom was $76,000. The city didn’t pay. The fallout was in the millions of dollars,” he said. “Not paying could mean the difference in staying in business or not staying in business.”
However, the FBI doesn’t recommend making payments in response to a ransomware attack. For one, paying doesn’t guarantee an organization will get its data back. Second, paying ransoms only encourages cybercriminals.
Earlier this year, an infamous ransomware gang announced they were retiring because they had already earned $2 billion from attacks. “We have proved that by doing evil deeds, retribution does not come,” they said in a statement.
Instead of paying, the FBI recommends organizations focus on prevention, educating employees and creating a continuity plan in case of a ransomware attack. Experts tell Crain’s, however, each company must make decisions to pay or not to pay based on their own situation.
Derigiotis said cybercrime trends show that Michigan is a top state for consumer identity theft complaints, and Social Security numbers are prized possessions. And the health care industry is a trove of sensitive data: names, dates of birth, medical record or account numbers, treatment and clinical information.
When attacked, Derigiotis said many unprepared companies end up shelling out three or four times the amount of money on correcting the problem than they would have spent to prevent the incursion in the first place. Companies spend thousands of dollars to hire consultants to investigate, analyze databases closely to see what was extracted, and ensure malware isn’t still present that could allow future invasions, he said.
“Most companies that have patient or customer information stolen will pay for one year of credit protection services,” Derigiotis said. “That isn’t nearly enough. It hangs over your life. Offering 12-month credit monitoring is a Band-Aid. Credit monitoring just lets you know your house is on fire. It doesn’t notify you if there is medical fraud.”
Derigiotis said personal information like Social Security numbers ends up on the “dark web” for years and goes for a much higher price than credit card numbers that can be canceled.
“Medical and insurance information can turn into fraudulent billings. Criminals can order prescription drugs or use it to buy durable medical equipment and sell that for a profit,” Derigiotis said.
“I’ve seen cases where hospitals absorb a doctor client base of someone who is retiring and the paper documents are discarded on the street or placed on a flash drive and stolen,” he said. “Most of the problems start with human error.”
Trevor Turner, sales and marketing director with Advantage Technologies, a cybersecurity firm in New Baltimore, said many small businesses don’t have the resources to invest to keep information systems secure. He said companies should spend money on simple things like employee education in the use of emails.
“Companies don’t have the basics and are really vulnerable. They should have guidelines in place for employees, but they don’t,” Turner said. “… They don’t think they will be hacked until it happens.”
Chris Abbott, Adv-Tech’s director of client services, said computer systems should have strong anti-virus software that could prevent ransomware and other cyberthreats from compromising systems. They also should have backup systems in case of attack, he said.
“A lot of companies are backing up hard drives to an external hard drive. That doesn’t do any good because it can infect that as well,” Abbott said. Nowadays, “everything is going to the cloud with offsite backups. It is costly, but a good protection.”
Adv-Tech works with a variety of small businesses, including health care, energy, lawyers, landscaping, hotels, restaurants and financial companies, to advise them how to minimize risks. Each company has its own challenges, he said.
For example, a small physician office with five doctors and 10 employees recently was the victim of ransomware. “They came to us for help after the fact and haven’t been hit since,” said Turner, who said the practice wants to remain anonymous.
Turner said 80 percent of attacks are caused by an employee clicking on something he or she shouldn’t have. “Training is so important. We work with employees and management on education,” he said.
Experts say phishing campaigns — where malicious e-mails are sent to employees of targeted companies — often succeed. For example, statistics show that there is a 90 percent chance at least one person will open an e-mail with malware for every 10 e-mails sent out. Moreover, 23 percent of recipients will read the e-mail and 11 percent will open the trouble-making attachment, according to the Verizon Data Breach Report.
Abbott said ransomware software developers are getting more sophisticated in their attacks.
“The next-generation security software is all (artificial intelligence)-based. AI learns and analyzes behavior of what is running on the computer and knows if software opens up and looks for open documents,” Abbott said.
In some recent ransomware attacks, cybercriminals are seeding legitimate websites with malicious code and gaining entry because companies haven’t updated security software.
Legal exposure from hacking, lost or stolen personal data can take various forms, said Mike Hindelang, co-leader of data security and privacy litigation practice with Honigman LLP in Detroit.
They include fines for violating federal or state privacy laws, costs to provide data-monitoring services to customers and lawsuits from affected individuals or business partners, Hindelang said.
“Health care is highly regulated. You have HIPAA (Health Insurance Portability and Accountability Act of 1996), and potentially each of the 50 states have notification requirements if the wrong type of information is disclosed,” he said.
While health care cyberattacks appear to be on the upswing, Hindelang said the numbers may be skewed because health care companies are required to report when they have been hacked.
Ransomware legal exposure has its own costs that usually include expenses to get computer systems unlocked, databases inspected to ensure malware has been removed and then lost business revenue, Hindelang said.
“There certainly have been disputes between companies” over hacking incidents and data loss, he said. “If I had to spend a significant amount of money buying identity theft products and spend time resolving problems, there could be compensation for that.”