Protect employee data privacy to prevent a ransomware attack targeting your organization
The phone rings at 7 a.m., which is unusual. It’s the hospital, with the unsettling news that an administrator could not log onto his PC. By the time you arrive at work, other personnel are having the same issue.
You hoped that the unexplained slow-downs, application crashes, and system freezes were something IT could address and not the first whispers of a malicious payload silently spreading through the organization’s network. But now there is no doubt – you’ve been hacked. Encrypted files are adorned with ominous ransom notes, complete with payment demands and a deadline. Comply, or the data is gone; or worse, personnel and sensitive patient records will be publicly released.
The choice is to pay millions to strangers, which only perpetuates the cycle of ransomware attacks, or hope the IT department is right that it could recover 60% of your data while preparing for the class action lawsuits and other financial and reputational fallout to come.
That’s when the finger-pointing starts. How did this happen?
The Blame Game
Your cyber insurance company will grill your network admin on the security parameters in place. But the servers did their job. Further investigation reveals that this nightmare was triggered by a phishing email sent to a reliable employee who thought it was genuine. One click on one link in that email, and your systems were compromised.
This is not a new story. Last year more than 45 healthcare entities suffered ransomware attacks, causing hundreds of hospitals to experience disruption. According to the Verizon Cost of a Data Breach Report, the average cost of a healthcare data breach reached an astonishing $11 million in 2023, an increase of more than 50% in just three years. In 2022, the average ransom payment was $5,000; just one year later, it was approximately $1.5 million.
2024 is not looking any better. Hackers continue to focus on targets like healthcare organizations, knowing they are more likely to pay. With servers hardened to resist ransomware, they will look to individuals at your organization as infiltration opportunities, with hundreds, maybe thousands, to choose from.
AI Makes it Easy
An email arrives, allegedly from your friend Jack, about the camping trip you planned for next month. The email address isn’t his usual one, but he asks about your kids by name and references the place you vacationed last year, so it must be real. There is a link to download some pictures, which you click. And when you do, the damage is done. Hackers have compromised your computer, phone, or tablet with that malicious link.
Such attacks are possible because of the substantial volume of personally identifiable information easily accessible about all of us online and how AI programs can exploit that content to create phishing emails authentic enough to mislead even the most vigilant.
What Can Be Done?
At this point, it is impossible to stem the tide of AI weaponizing personal information. But it is possible to cut off its fuel supply by restricting access to the data it needs to prosper. Some AI systems are already trained to avoid targets with incomplete data sets in favor of those with a more comprehensive profile.
For an organization with 100 or more employees, it might seem unlikely that the personal content collected by data brokers and online sources about them—names, home addresses, cell phone numbers, relatives, affiliations—can be removed from thousands of websites where it now resides, available to anyone who asks. But it can be done, and that process starts with education.
Most healthcare organizations offer training to help employees identify the common signatures of phishing emails, texts, and calls in the workplace. But they should also be informed of ways to secure their personal data both at home and at work. Assistance is available from companies that specialize in online data removal that eliminates this content and provides daily internet scanning to make sure it doesn’t reappear. Some organizations are already providing this service. It offers an effective proactive step toward addressing the threat that ransomware poses to personnel, patient safety, and professional reputation, as well as the cost of legal and financial liabilities.
AUTHOR BIO:
Ron Zayas is an online privacy expert, speaker, author, and CEO of Ironwall by Incogni. Ironwall provides online privacy protection to both the public and private sectors. For more insight into online privacy laws, proactive strategies, and best online data practices, visit ironwall360.com. Connect with Ron at ron.z@360civic.com.