"How much is your data worth to you?" is a question that cyber criminals have been making millions from. Ransomware is a variety of malware that holds your digital information (or assets) hostage and demands payment for release. This activity has seen a rise in popularity in the past few years and made headlines around the globe.
Although this isn't the first wave of ransomware proliferation (the technique has been used for decades), it may be the largest and most dangerous yet, for several reasons.
First, the sheer number of ransomware programs being created by novice and expert criminals alike increases the likelihood that your computer system will suffer an attempted attack. The amount of ransomware in the wild also makes it difficult for anti-virus programs to keep up.
Second, the sprawling variety of ransomware infection methods means that people must constantly become aware of new attack vectors while trying to live and work in a fast-paced world. Here are just a few examples:
- Malicious advertisements on "secure" websites (i.e. websites using HTTPS)
- Attachments to seemingly legitimate emails (phishing)
- Fake security warnings and alerts
- Fake copies of trusted programs propagated through file sharing websites
Third, ransomware is becoming increasingly sophisticated. As discussed, many methods encrypt your data and then threaten to destroy the private (decryption) key if your payment isn't made within a certain deadline.
Ransomware encryption algorithms are getting stronger, and decryption keys are less likely than in the past to be discovered and used to regain control of your data. In short, the "Bad Guys" are getting smarter; when ransomware is done well and adequate preventive measures and incident response procedures aren't in place, the choice is exactly what the extortionists want: pay or lose it all.
To date, there have been no documented cases where ransomware has led to the injury or death of a patient. Unfortunately, this will happen sooner rather than later. In the ransomware attack in Melbourne, Australia, the bad guys allegedly started changing patient data until the ransom was paid. For the U.S. healthcare industry, ransomware moves HIPAA compliance out of the "necessary evil" realm and makes it an issue front and center with respect to patient safety. There is simply no going back to the good ol' days of HIPAA, where the dirty little secret was that HIPAA was an unenforced paper tiger with a maximum penalty of $25,000.00. This is simply not your Daddy's HIPAA anymore!
Our May 2016 HIPAA Survival Guide webinar will focus on the current and emerging trends in ransomware. We will discuss its nature, the different types of ransomware, the variety of methods extortionists use to monetize it, and the proactive measures and incident response best practices that organizations can adopt to prevent and mitigate the harm ransomware can cause. The webinar will also analyze implications for HIPAA's Security Rule and, in particular, the Breach Notification Rule.