Healthcare and finance companies hold a lot of valuable information that malicious attackers place a premium on. They also have the most to lose – the health and finances of the public are sometimes at risk, so a breach in healthcare or finance can have serious consequences. A case in Germany where a hospital patient died as an indirect result of a ransomware attack is an extreme example, but it was a bad sign if the trend continued. Then the COVID-19 pandemic hit.
It wouldn’t be far-fetched to say that healthcare organizations and medical centers are under the most strain. This prompted many hacker groups to say “No More Healthcare Cyber Attacks” during the COVID-19 crisis, but not everybody is on board. Bad actors are exploiting the pandemic to compromise the healthcare infrastructure and demand hefty ransom to restore functionality.
“Societal perception leads to a double standard characterized by: ‘Everyone understands that banks occasionally get robbed, but digital banks better be perfect.’ We feel sorry for the employees of a bank who are present when a criminal says, ‘fill the bag with money.’ But when a digital bank experiences a loss, everyone wants to know who made a mistake.” – Gartner
The COVID-19 pandemic has also caused a jump in attacks on pharmaceutical development companies – where vaccines and treatments are being developed. According to the Department of Homeland Security’s Computer and Infrastructure Security Agency (CISA), “We are seeing adversaries that are targeting our pharmaceutical companies, pharmaceutical research, laboratories, testing, and really out into the future manufacturing of the vaccine systems and the distribution of vaccines.” The race for the vaccine is a largely nationalist effort, and many nations are willing to engage in cyber warfare to achieve their goals.
But the finance and banking industry has its own problems to consider. The entire world, individuals and enterprises alike, has become increasingly reliant on online banking and fintech offerings to meet its financial requirements. Cyber-criminals are taking advantage of this fact to steal critical data from users who have come online to conduct remote transactions.
Cost of a Data Breach
It takes an average of 279 days to fully contain a breach, but responding as a company takes even longer, and costs continue to mount in the years following a major breach. Malicious attacks are always the most time-consuming and costly to contain. (Source: Infosec Institute) Data breaches cost companies a lot of money, and these losses fall into four general categories:
- Detection & Escalation: 31%
- Notification: 5.4%
- Post-Breach Response: 27.3%
- Lost Business: 36.2%
What does it actually cost? The average cost of a data breach in the United States comes in around $8.19 million. Even greater costs were incurred from data breaches in industries with more stringent data protection regulations. With these regulations come fines, and finance companies and healthcare take the brunt of the damage:
PCI Fines (companies dealing with credit card data):
- $5,000 – $100,000 per month, depending on the size of the business
HIPAA Fines (companies dealing with healthcare and medical records):
- $100-$50,000 per violation with a max penalty of $1.5 million per year for violations that are identical
New regulations - say no to ransomware payments
With cyber attacks on the rise, two U.S. Treasury Department components, the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN), have issued advisories and possible sanctions on companies related to ransomware attacks.
Ransomware is a form of malicious software designed to block access to a system or data. The targets of ransomware attacks are required to pay a ransom to regain access to their information or system, or to prevent the publication of their sensitive information. Ransomware attackers usually demand payment in the form of cryptocurrency, which can be more difficult to trace.
The OFAC advisory focuses on the potential sanctions risks for those companies and financial institutions that are involved in ransomware payments to bad actors, including ransomware victims and those acting on their behalf, such as “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.” OFAC stresses that these payments may violate US sanctions laws or OFAC regulations, and encourage future attacks. Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.
FinCEN’s advisory encourages entities that process payments potentially related to ransomware to report to and cooperate with law enforcement. According to FinCEN, ransomware attacks are growing in size, scope, and sophistication. The attacks have increasingly targeted larger enterprises for bigger payouts, and cybercriminals are sharing resources to increase the effectiveness of their attacks. The demand for payment in anonymity-enhanced cryptocurrencies has also been on the rise. The FinCEN advisory also reminds financial institutions about their obligations under the Bank Secrecy Act to report suspicious activity, including ransomware payments. A financial institution is required to file a suspicious activity report (“SAR”) with FinCEN if it knows, suspects, or has reason to suspect that the attempted or completed transaction involves $5,000 or more derived from illegal activity.
Can finance and healthcare industries get a break?
FinCEN recommends “[p]roactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency” as the best ransomware defense. The advisory lists numerous red flags designed to assist financial institutions in detecting, preventing, and ultimately reporting suspicious transactions associated with ransomware payments, as well as some ways to spot them. Open intelligence is a key source FinCEN recommends for information about cryptocurrency and ransomware attacks. As healthcare and finance grapple with mounting threats, growing costs, and accountabilities, security professionals are facing huge hurdles. Caught between a rock and a hard place, many organizations are looking for new approaches that go beyond defense and include proactive intelligence activities drawing on open sources of information.
Media Sonar OSINT Threat Detection & Investigation is a tool that healthcare and financial security teams should include in their security arsenal to help prevent ransomware attacks. With automated threat detection and top of the line investigative capabilities, our platform can help your security team proactively identify when a cyber attack occurs and investigate a breach to the source.