Ransomware, known as the Bashe attack,
could cost the U.S. economy $89
billion, says report

International ransomware could deal $89 billion blow to US economy, says report

February 05, 2019
by John R. Fischer, Senior Reporter
An international ransomware attack could inflict an $89 billion blow to the U.S. economy, according to a new report by the Cyber Risk Management (cyRiM) project, an initiative for assessing cyber security risks, of which specialist insurance and reinsurance market, Lloyd’s is a founder.

Entitled Bashe attack: Global infection by contagious malware, the report asserts that the cost to the U.S. would be nearly half that of the $193 billion global price tag of an attack and lists global healthcare as one of the business sectors that would accrue the most damage.

“Overall, healthcare facilities have likely become susceptible to ransomware and other cybersecurity threats due to the lack of historical focus on cybersecurity as a key priority,” Juuso Leinonen, senior project engineer at ECRI Institute, told HCB News. The rapid trend in connecting medical devices and overall increase in connected data systems integral to patient care have likely exacerbated the problem. Healthcare facilities also house a plethora of protected health information, making them potential targets, as this data can be particularly attractive to malicious actors due to it being non-disposable and its high black market value.”

Ransomware and other cybersecurity attacks topped ECRI Institute’s Health Technology Hazard List in 2018, which pointed to cybersecurity as a key organizational priority and a proven patient safety concern. Lloyd’s City Risk Index also listed a cyberattack as the second greatest threat to the U.S. economy due mainly to greater dependence on technology by the U.S. and other countries, a trend which continuously raises the impact of such attacks.

The Bashe attack takes the form of an infected email that sweeps across the globe encrypting data on every device connected to a network. It has so far damaged 600,000 companies worldwide, ranging from premier institutions to small businesses, with U.S. losses due to a combination of reduced productivity and consumption, IT clean-up costs, ransom payments and supply chain disruption.

The onset of an attack would bring financial ruin to a wide range of businesses in the U.S., with healthcare and retail each suffering a $25 billion loss and the financial industry also taking a heavy hit.

Though it acknowledges an increase in public awareness of threats and a growing response by America’s global insurance industry, the report rates companies as “unprepared” for such an event, with 86 percent of total economic costs uninsured.

ECRI, however, says greater efforts by manufacturers are underway to ensure devices are secure and protected from cyber threats such as ransomware.

“When ECRI Institute interacts with our customers, most, if not all, are planning for various different activities to address security threats and ensure sufficient preparedness in case a security incident does occur,” said Leinonen. “The same can be said for many medical device manufacturers who are actively boosting their security efforts to meet the demand for more secure connected medical devices.”

The main challenges, he says, that hinder efficient cyber protection are healthcare facilities trying to balance numerous priorities at once and a lack of security professionals.

While he and ECRI suggest a number of tips, including facilitating sufficient funding for cybersecurity initiatives, establishing a comprehensive incident response plan, and conducting personnel training to increase security awareness, the task of combating cybersecurity threats lies with all parties.

“Cybersecurity in a healthcare facility should be thought of as a responsibility for all and not solely an IT issue,” he said. “Furthermore, with the increased reliance on device connectivity and centralized data systems to deliver patient care, cybersecurity threats like ransomware have become a patient safety issue.”

Lloyd’s did not respond for comment.