Jun 30 2021

How to Minimize Risk Amid Rise in Ransomware Attacks on Healthcare Organizations

The average ransom paid by the healthcare industry is higher than the average paid across all industries. Cybersecurity improvements are key to mitigating threats to a hospital’s financial and operational status.

Ransomware continues to impact the healthcare industry in the U.S., with organizations paying out more than ever before. Though the overall average ransom payment amount for 2020 was $794,620 — up from the 2019 average of $303,539 — the average ransom paid by healthcare organizations last year was $910,335. That’s more than the average across all industries, according to a report from BakerHostetler.

In 2020, the healthcare industry was the target of 20 percent of data security incidents identified by the report.

One of the most significant incidents in the sector last year was an attack on a Fortune 500 healthcare services company based in Pennsylvania, which impacted more than 400 hospitals and care facilities. The fallout from the incident wreaked havoc on ambulance routes, delayed patient treatment scheduling, rendered lab tests inaccessible and compromised electronic health records for the company’s facilities across the country. Recent attacks on the Irish national health service and a nonprofit health system based in San Diego also stand out due to their scale and impact on clinical care.

By following security best practices and avoiding common mistakes, healthcare organizations can shore up their defenses to prepare for potential cybersecurity attacks.

Healthcare Organizations Can Protect Themselves Using Security Best Practices

Healthcare organizations can stay informed about the latest threats by joining a healthcare-focused information sharing organization, such as the Health Information Sharing and Analysis Center (H-ISAC), says John Shier, senior security adviser at U.K.-based IT security company Sophos.

These organizations rely heavily on their IT systems for a variety of administrative and clinical functions, and because of that, they cannot weather prolonged downtime, Shier says.

“Healthcare organizations can protect themselves from ransomware attacks through best practices like reliable backups, prioritizing patching and developing an incident response plan for ransomware attacks,” he adds. “They should also ensure any critical care systems are segregated and disconnected from the corporate network.”


Joseph Carson, chief security scientist and advisory CISO at cloud security company ThycoticCentrify, says healthcare organizations are prime targets due to the amount of sensitive personally identifiable information they collect and store, as well as the large number of connected devices typically integrated into their respective networks.

He points to several key practices that can better prepare healthcare organizations to mitigate the risks of ransomware incidents, such as creating a culture of awareness among healthcare staff, educating them on the use of strong passwords and multifactor authentication, and incorporating a robust privileged access solution.

Avoiding Security Mistakes Minimizes Ransomware Risk

A significant percentage of healthcare organizations still regularly use outdated operating systems or fail to update firmware on connected medical devices, Carson adds. This creates another massive vulnerability, leaving the door wide open for bad actors to penetrate a health organization’s network undeterred.

Organizations can minimize this risk by patching every connected device promptly whenever an update is available and by keeping the operating system current on all devices across the environment.
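The two exposures described above (outdated operating systems and unpatched connected devices) and the earlier advice to keep critical care systems segregated from the corporate network are the kind of thing an inventory audit can surface continuously. The script below is an added example, not code from the article or from any vendor quoted in it; the device inventory, the end-of-support dates and the segment names are constructed for illustration, and the patch-age threshold is an assumed policy value.

```python
"""Audit a device inventory for three ransomware exposures named in the
article: end-of-support operating systems, overdue patching, and critical
care devices that sit on the corporate network instead of an isolated one.
Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed end-of-support dates (assumption for this example; take real
# values from the vendor lifecycle page).
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Assumed policy: a device is overdue if it has not been patched in 30 days.
MAX_PATCH_AGE_DAYS = 30
# Assumed name of the isolated segment reserved for clinical equipment.
CLINICAL_VLANS = {"clinical-isolated"}


@dataclass
class Device:
    name: str
    os: str
    last_patched: date
    vlan: str            # network segment the device is plugged into
    critical_care: bool  # infusion pump, lab analyzer, patient monitor, ...


def audit(devices, today):
    """Return (device, issue, detail) tuples for every exposure found."""
    findings = []
    for d in devices:
        eos = END_OF_SUPPORT.get(d.os)
        if eos is None:
            # An OS with no lifecycle data must not silently pass: flag it
            # so someone checks the vendor's support status.
            findings.append((d.name, "no lifecycle data", d.os))
        elif eos <= today:
            findings.append((d.name, "end-of-support OS", d.os))
        age = (today - d.last_patched).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append((d.name, "patch overdue", f"{age} days"))
        if d.critical_care and d.vlan not in CLINICAL_VLANS:
            findings.append((d.name, "critical-care device on corporate segment", d.vlan))
    return findings


# Constructed inventory for the example.
INVENTORY = [
    Device("ehr-app-01", "Windows Server 2008 R2", date(2021, 5, 1), "corp", False),
    Device("lab-analyzer-03", "Windows 7", date(2019, 11, 20), "corp", True),
    Device("nurse-ws-12", "Windows 10", date(2021, 6, 20), "corp", False),
    Device("monitor-icu-07", "Windows 10", date(2021, 6, 25), "clinical-isolated", True),
    Device("infusion-pump-22", "vendor firmware 4.2", date(2020, 1, 10), "clinical-isolated", True),
]
AUDIT_DATE = date(2021, 6, 30)  # constructed "today" for a repeatable run


def run_audit():
    return audit(INVENTORY, AUDIT_DATE)


def devices_with(findings, issue):
    """Names of devices carrying a given issue, for reporting or assertions."""
    return {name for name, found_issue, _ in findings if found_issue == issue}


if __name__ == "__main__":
    for name, issue, detail in run_audit():
        print(f"{name:18} {issue:45} {detail}")
```

Run on the constructed data, the audit flags the EHR server and the lab analyzer for an end-of-support OS, the analyzer as a critical care device on the corporate segment, and the infusion pump for having no lifecycle data, while the recently patched workstation and the isolated ICU monitor produce no findings. In practice the inventory would come from the asset management or NAC system rather than a literal list.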


“I think one of the biggest mistakes a healthcare security professional can make is to assume that other personnel and staff have the same understanding of good cyber hygiene that they do,” Carson says.

He adds that, by assuming everyone is a potential walking vulnerability, security teams can better implement proactive measures and educational programs to keep staff — especially those with privileged-access credentials — aware of various security risks that can happen at any time.

“Until education, awareness and technological implementation universally render existing ransomware strategies obsolete, we’ll continue to see things like spear phishing, targeted attacks, ransomware as a service, and social engineering as bad actors’ weapons of choice,” Carson says.