Ransomware has affected healthcare for decades, but organizations have become increasingly vulnerable as attackers have become brazen and more sophisticated.
There’s a financial and reputational impact: One health system had to settle with 126,000 patients for up to $3,000 each following a 2020 incident. And there’s an operational impact: Two hospitals in Connecticut had to divert ambulances and close multiple outpatient facilities while computers were down earlier in 2023.
Remediation can be costly. Not only do healthcare organizations need to get core business applications up and running again, they also need to recover lost revenue. An NCC Group analysis pegs the potential overall loss from a single ransomware attack at 30 percent of annual operating income. For one hospital — St. Margaret’s Health in Illinois — the financial impact of a 2021 ransomware attack was enough to force the institution to close for good.
“The cost is only going up,” says Jon Nelson, a principal advisory director in the security and privacy practice at Info-Tech Research Group. “The ransom cost is increasing, and cleanup isn’t as simple as getting a decryption key. Once systems are back online, corruption and integrity issues remain.”
The most effective prevention and mitigation strategies against ransomware require a top-down approach that includes executive buy-in, end-user awareness and strong partnerships with technology vendors. It’s a tall order, but it can be the difference between a severe attack and a minor one.
Click the banner to get the expertise you need to strengthen your ransomware protection capability.
From Floppy Disks to Crypto: The Rise of Ransomware in Healthcare
The world’s first documented ransomware attack had direct ties to healthcare, Nelson notes. In 1989, Joseph Popp, an evolutionary biologist, installed a Trojan horse on 5.25 -inch floppy disks and distributed them to AIDS researchers. When users booted their computer, the virus encrypted directories and files. To get them back, users had to wire $189 to a P.O. box based in Panama.
As ransomware evolved over the next three decades, attackers attempted to extort users first by getting them to install fake anti-virus software, then by locking users out of their computers and finally by encrypting files.
Modern ransomware attacks emerged following the introduction of chip and PIN credit cards, Nelson notes. The security improvements associated with personal identification numbers and cryptographic algorithms hurt cybercriminals, as cloned cards were largely useless without a PIN.
“Criminals needed new ways to target people and make money,” he says. “That’s where cryptocurrency came into its own. It gave criminals a means for anonymous and real-time payments.”
Today’s ransomware typically uses malicious software to gain access to networks, look for valuable data, gain administrative privileges, encrypt the valuable data and demand ransom, according to Trend Micro. Attackers may also threaten to disclose data, initiate a distributed denial of service attack, or harass a victim’s patients via email or social media.
Most attacks today are carried out by cartels working in nations where governments are willing to look the other way, Nelson says. The attackers are also not afraid to disrupt day-to-day life. As the American Hospital Association notes, this is a stark contrast to the early days of ransomware, when hackers tended to be hobbyists seeking to do financial but not physical harm. (In fact, Popp claimed the ransom he collected would be used to fund AIDS research.)
What a Hospital Ransomware Attack Looks Like
There are several steps in a successful ransomware attack.
- First, attackers need to get in. Nelson estimates that half of ransomware attacks stem from a successful phishing attempt; the remainder are associated with vulnerabilities ranging from unpatched devices to stolen Remote Desktop Protocol credentials.
- Next, they need to spread through an organization’s network. According to CrowdStrike, this happens through lateral movement (which mimics the behavior of an end user interacting with systems across the network) and vertical movement (which gains access to accounts with higher privileges).
- From there, criminals steal the data they want, encrypt it, demand ransom and escalate their harassment if the victim doesn’t pay. Increasingly, Nelson says, criminals are targeting data backups as well, because healthcare organizations can’t resume day-to-day operations without access to their backups.
Once inside an organization, the “dwell time” between when an attack begins and when it’s detected is roughly five days. A Sophos report found that’s shorter than it used to be; just a year ago, median dwell time was as long as 10 days. With attackers able to encrypt 70 gigabytes of data per hour, though, “there’s a lot of damage they can do in a short time,” Nelson said.
4 Reasons Healthcare Is a Target for Ransomware
Healthcare is especially vulnerable to ransomware because the inability to access critical applications such as electronic health record systems leads to poor patient outcomes. A Ponemon Institute and Censinet survey found that 70 percent of organizations hit with attacks see a longer length of stay and longer wait times for routine procedures, nearly two-thirds need to divert patients to other facilities, and more than 20 percent experience an increase in patient mortality rates.
It’s no surprise, then, that healthcare is experiencing a surge in ransomware attacks. Barracuda Networks reports that successful attacks more than doubled from 2022 to 2023 and more than quadrupled since 2021. All told, Sophos reported that 60 percent of healthcare organizations have been hit with an attack in the past year, and 84 percent of those organizations experienced a loss of revenue as a result.
Four things make healthcare especially attractive to attackers, Nelson says.
- There’s a treasure trove of data: Personally identifiable information is enough for a criminal to open a fake line of credit, protected health information enables fraudulent billing, and financial information makes credit card theft easy.
- Resources are limited: According to the 2022 Cybersecurity Survey from the Health Information and Management Systems Society, more than 60 percent of healthcare organizations don’t have enough staff to achieve robust cybersecurity, and just over 50 percent lack the budget. This is a stark contrast to industries such as finance and manufacturing, where a “blank check” from the board of directors to combat cybersecurity threats isn’t uncommon, Nelson says.
- It’s a big target — but not too big: Criminals tend to target victims that provide critical services and are willing to pay a ransom to restore services, but they don’t want to attract the attention of the U.S. government, Nelson says. (The 2021 Colonial Pipeline attack, which made international headlines, is a case in point.) Healthcare fits bill here: A hospital will do what it takes to maintain patient care, but an attack on a single hospital isn’t serious enough for federal investigators to immediately intervene.
- Patients give attackers leverage: If attackers get access to patients’ email addresses, and an organization refuses to pay the ransom, attackers can use patients to apply pressure. “What happens if they send a mass email and say, ‘We have your data, and your hospital doesn’t care?’” Nelson asks.
6 Steps Healthcare Organizations Can Take Against Ransomware
- Mitigating the impact of ransomware requires an all-hands-on-deck approach. End users across the organization need to be trained on what to look out for, whether it’s phishing attempts in emails or security patches that need to be installed.
- Stronger security measures at the point of access can also help. The 2022 HIMSS Cybersecurity Report notes that there has been “significant progress” among healthcare stakeholders in adopting multifactor authentication to access business resources; in 2016, only 39 percent were using MFA. However, less than 10 percent of those who have implemented the security technology use passwordless MFA, which the Cybersecurity and Infrastructure Security Agency recommends as the “gold standard” due to its resistance against brute-force password attacks as well as phishing attempts.
- More broadly, healthcare organizations benefit from adopting a zero-trust approach to security that requires continuous authentication and authorization to grant access. This comes with a twofold advantage: It establishes a culture of security based on technologies such as MFA and single sign-on, and it provides greater visibility into which roles require access to which systems. This helps model patterns of typical usage and better identifies cases of abnormal activity.
- A strong relationship with security partners is crucial. Vendors providing managed detection and response services, for example, will detect, analyze, investigate and respond to threats. This is an asset amid cybersecurity staffing shortages across all industries, and it can help healthcare organizations focus more of their recruitment efforts on patient-facing personnel.
- It’s not just security vendors, though, Nelson says. Health systems should work with networking partners to ensure proper segmentation, as this helps restrict lateral movement from one network segment to another. Additionally, storage partners should be providing immutable backups, which can’t be encrypted or otherwise altered by attackers. “It comes down to doing your due diligence and asking the right questions of your partners,” he says.
- Finally, when a ransomware attack occurs, cyber insurance is useful if a health system finds itself needing to negotiate with an attacker, Nelson says. The initial demand for ransom can be as much as 20 percent of an organization’s annual revenue, but an insurer well versed in negotiation can drive that number down.
Getty Images: filo (bubble graphics, icons), bounward (icons); Streamline (icons)