Ransomware: Why it Accounts for Half of Healthcare Breaches
The use of ransomware attacks has grown exponentially since the onset of the COVID-19 pandemic. It is now the most common security breach method, and one occurs nearly every 10 seconds in the US. Healthcare organizations are especially vulnerable to ransomware attacks.
Of the 2,354 data breaches reported across the US government, healthcare, and education sectors in 2020, 560 targeted healthcare facilities alone.
Ransomware is now responsible for 46% of healthcare data breaches, compared with 35% of breaches overall. There are several reasons why hospitals and healthcare facilities make attractive targets for ransomware:
- They operate under strict rules governing patient privacy and the handling of patient data (HIPAA), so a breach carries regulatory exposure on top of operational damage.
- They collect an abundance of sensitive financial, personal, and health-related data on their patients.
- Heavy internal and external use of platforms such as patient portals widens the attack surface and can leave the security infrastructure weaker.
- Employees, intentionally or inadvertently, expose weaknesses.
- Attackers can both encrypt the network and steal sensitive information, which gives them two separate levers for extortion.
But the biggest reason healthcare organizations are targeted is that they frequently pay the ransom, because the alternative is far worse. Hospitals and clinical facilities are in a weak position once their network has been infiltrated: attackers who encrypt and hijack the network cripple the facility's ability to deliver critical patient services and treatment.
The attackers also hold sensitive patient information, which is damaging if leaked and can expose the facility to lawsuits. And finally, facilities pay because paying generally leads to a better outcome than not paying: nearly all (99%) of organizations that paid the ransom received a functioning decryption tool.
Healthcare facilities need to restore network functionality and protect patient data quickly, and that often means paying the ransom. Even so, the effects of a ransomware attack can be devastating. Consider the following statistics:
- There are over 4,000 ransomware attacks daily.
- On average, organizations will pay a ransom of approximately $230,000 (in healthcare, this figure can be substantially higher).
- Total remediation of a ransomware attack costs, on average, $761,106.
- Companies typically suffer nearly 19 days of downtime after a ransomware attack.
- New ransomware families are continually being discovered.
- The global cost related to data recovery from ransomware attacks is expected to exceed $20 billion this year alone.
Recent case studies of the crippling effects of ransomware include:
- In October 2020, Sonoma Valley Hospital in California took all systems offline to respond to a ransomware attack, disrupting some non-emergency patient services. The data for approximately 67,000 patients may have been compromised.
- The University of Missouri Health Care reported two ransomware-related data breaches within a single year. The first occurred in the spring of 2019 and compromised the data of 14,000 patients, including Social Security numbers, health insurance details, and clinical information. In May 2020, a second attack occurred, impacting 189,736 patients.
These are two of the largest and most recent events, but the list goes on and on. The COVID-19 pandemic only added fuel to the fire: it disrupted normal operations on a broad scale, leaving healthcare facilities already stretched and disorganized. Further, many clinical facilities struggle to find additional funds for cybersecurity.
The ransomware problem in healthcare is so pervasive that in late 2020 a joint cybersecurity advisory (AA20-302A, "Ransomware Activity Targeting the Healthcare and Public Health Sector", 28 October 2020) was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). The advisory describes how these ransomware attacks unfold and aims to help medical facilities protect their information.
The advisory warned about two particular threats used against healthcare facilities, TrickBot and BazarLoader. TrickBot began as a banking trojan but has evolved to include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware such as Ryuk and Conti. BazarLoader is increasingly used to deploy ransomware, including Ryuk.
Typically, ransomware infects targeted machines through three mechanisms:
- A phishing email that contains a malicious attachment.
- A link that takes the user to malicious content.
- By viewing an advertisement containing malware (malvertising).
Once a user opens the malicious file or link, the payload runs, encrypts files, and demands payment for the key needed to decrypt them. Attackers commonly also attempt to disable any security software that might stop the ransomware from running.
Once a ransomware attack succeeds, the organization's ability to provide patient care is damaged, and it must try to recover its IT resources under financial strain.
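The encryption phase described above has a recognisable footprint that a detection engineer can alert on: a single process rewriting many files with near-random (high-entropy) content under a new extension in a short window, often preceded by a command that deletes Volume Shadow Copies so the victim cannot roll back (a widely observed precursor that the article itself does not mention). The script below is an added example, not code from the article or from any vendor; the event format, process names, thresholds and the activity it analyses are all constructed for illustration.

```python
"""Heuristic ransomware-activity detector run over constructed file-activity
events. Added example, not code from the article or from any product."""
import math
import os
import re
from collections import defaultdict, deque

HIGH_ENTROPY = 7.5      # bits per byte; encrypted data sits close to 8.0
WINDOW_SECONDS = 60
BURST_THRESHOLD = 20    # suspicious writes per process inside one window

# File types that are legitimately high-entropy (compressed containers / media).
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}

# Commands that wipe local recovery points; commonly run just before encryption.
RECOVERY_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
    re.IGNORECASE,
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious_write(path: str, data: bytes) -> bool:
    """High-entropy content written under an extension that is not a known compressed type."""
    ext = os.path.splitext(path)[1].lower()
    return ext not in COMPRESSED_EXT and shannon_entropy(data) > HIGH_ENTROPY


def detect(events):
    """Return alerts for recovery tampering and per-process encryption bursts.

    Each event is a dict with ts (seconds), pid, proc and op in {"exec", "write"};
    exec events carry cmd, write events carry path and data (hypothetical format).
    """
    alerts = []
    recent = defaultdict(deque)     # pid -> timestamps of suspicious writes
    burst_fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "exec" and RECOVERY_TAMPER.search(ev["cmd"]):
            alerts.append({"rule": "recovery_tamper", "pid": ev["pid"],
                           "proc": ev["proc"], "ts": ev["ts"]})
        elif ev["op"] == "write" and is_suspicious_write(ev["path"], ev["data"]):
            q = recent[ev["pid"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW_SECONDS:   # slide the window
                q.popleft()
            if len(q) >= BURST_THRESHOLD and ev["pid"] not in burst_fired:
                burst_fired.add(ev["pid"])                   # alert once per process
                alerts.append({"rule": "encryption_burst", "pid": ev["pid"],
                               "proc": ev["proc"], "ts": ev["ts"]})
    return alerts


def build_sample_events():
    """Constructed activity: a benign editor, a benign backup job, and an encryptor."""
    plaintext = b"Patient: Jane Doe, DOB 1970-01-01, Dx: hypertension\n" * 8
    ciphertext = bytes(range(256)) * 4       # deterministic stand-in for encrypted bytes
    events = []
    # A user saving 30 documents: low entropy, ignored.
    for i in range(30):
        events.append({"ts": 10 + i, "pid": 1001, "proc": "winword.exe", "op": "write",
                       "path": f"C:\\Users\\jdoe\\Documents\\note{i}.docx", "data": plaintext})
    # A backup job writing 25 archives: high entropy, but a known compressed type.
    for i in range(25):
        events.append({"ts": 50 + i, "pid": 2002, "proc": "backup.exe", "op": "write",
                       "path": f"D:\\backup\\set{i}.zip", "data": ciphertext})
    # The encryptor: kills shadow copies, then rewrites files under a new extension.
    events.append({"ts": 99, "pid": 4412, "proc": "svchost_.exe", "op": "exec",
                   "cmd": "vssadmin.exe delete shadows /all /quiet"})
    for i in range(25):
        events.append({"ts": 100 + i, "pid": 4412, "proc": "svchost_.exe", "op": "write",
                       "path": f"C:\\Users\\jdoe\\Documents\\note{i}.docx.ryk", "data": ciphertext})
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Run stand-alone, the script prints two alerts for pid 4412: `recovery_tamper` at the shadow-copy deletion and `encryption_burst` once the 20th high-entropy rewrite lands inside the 60-second window. The backup job is deliberately not flagged: its archives are high-entropy but carry a known compressed extension, which is the allow-listing a real rule needs to keep false positives down. In production the same logic would consume EDR or Sysmon file and process events rather than the constructed list here.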
There are several ways to minimize the threat of a ransomware attack, such as:
- Ban weak or compromised passwords. Screen every new password against a banned list of common and previously breached passwords, and prevent reuse of old passwords. Force a change when a password is known to be compromised rather than on a fixed schedule; current guidance (NIST SP 800-63B) no longer recommends routine periodic rotation, which tends to produce weaker, predictable passwords.
- Implement multi-factor authentication, which decreases reliance on the password alone. Requiring users to verify their identity through a second, independent factor means a phished or reused password is not enough on its own to log in.
- Conduct regular employee cybersecurity training. Since the onset of COVID-19, ransomware attacks have increased dramatically, and giving employees a framework for understanding how these attacks work and recognizing the warning signs is one of the most effective ways to minimize the threat.
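The first two controls above can both be implemented with a few dozen lines of standard-library code, and seeing them together shows how they complement each other. The example below is added here and is not code from the article or from any product. Password screening checks length, a banned list, and a breached-password corpus queried by SHA-1 prefix only (k-anonymity, the approach used by public breach-lookup services); the banned list and breach corpus are constructed for the example and would be far larger in practice. The second half implements the standard one-time-password algorithms (HOTP, RFC 4226; TOTP, RFC 6238) and a verifier that tolerates one step of clock drift while refusing to accept a code twice, the replay edge case that naive verifiers miss.

```python
"""Password screening and TOTP verification. Added example, not from the article."""
import hashlib
import hmac
import struct

MIN_LENGTH = 12

# Constructed banned list: a real deployment would load a far larger corpus.
BANNED = {"password", "password1", "welcome1", "letmein", "hospital2020"}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password range service: the client sends only
# the first five hex characters of the SHA-1 and compares suffixes locally
# (k-anonymity), so the password itself never leaves the machine.
BREACHED_RANGES: dict = {}
for _pw, _seen in (("Password1", 12345), ("Summer2020!", 321)):
    _h = _sha1_hex(_pw)
    BREACHED_RANGES.setdefault(_h[:5], {})[_h[5:]] = _seen


def breach_count(password: str) -> int:
    """How many times the password appears in the (constructed) breach corpus."""
    h = _sha1_hex(password)
    return BREACHED_RANGES.get(h[:5], {}).get(h[5:], 0)


def check_password(password: str) -> list:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in BANNED:
        reasons.append("banned")
    if breach_count(password):
        reasons.append("compromised")
    return reasons


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, drift: int = 1):
    """Accept a code within +/-drift steps of `at`, but never one at or before the
    last accepted counter (replay protection). Returns the accepted counter or None;
    the caller must persist that counter per user and pass it back as last_counter."""
    if len(code) not in (6, 8) or not code.isdigit():
        return None
    base = at // step
    for counter in range(base - drift, base + drift + 1):
        if counter > last_counter and hmac.compare_digest(
                hotp(secret, counter, len(code)), code):
            return counter
    return None


if __name__ == "__main__":
    print(check_password("Password1"))                   # ['too short', 'banned', 'compromised']
    print(check_password("correct horse battery staple"))  # []
    secret = b"12345678901234567890"                      # RFC 6238 test secret
    print(totp(secret, 59, digits=8))                     # 94287082 (RFC 6238 Appendix B)
    print(verify_totp(secret, "287082", 59))              # 1
    print(verify_totp(secret, "287082", 59, last_counter=1))  # None: replayed code
```

The test secret and expected codes are the published RFC 6238 vectors, which is how any TOTP implementation should be validated before it is trusted. Two design points matter in production: compare codes with `hmac.compare_digest` rather than `==` so timing does not leak how many digits matched, and store the accepted counter so that a code captured by a phishing page cannot be reused within the drift window.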
The healthcare and data security industries are continually evolving, and protecting patient information and delivering care is paramount. But understanding how ransomware threats can evolve and change can also be challenging, especially for smaller organizations with limited resources.
Many organizations find it more cost-effective and operationally effective to engage an experienced managed security service provider (MSSP) for some or all of their network security measures. The knowledgeable staff at Sagacent Technologies can help your healthcare organization shore up weaknesses in the network, train employees, and provide round-the-clock protection from ransomware and other types of cyberattacks.
Sagacent Technologies offers technology management and support, including proactive/preventative maintenance, onsite and offsite data back-ups, network and security audits, mobility solutions, disaster planning, and emergency business resumption services. The company serves clients of 10 to 150 employees within the Silicon Valley region.