In the first of two blogs covering the impact, protection and response for healthcare organizations in the face of ransomware attacks, we start by taking a look at some of the key stories you may have seen featured in the industry.
On February 5, 2021, a French mutual insurance company was hit by a ransomware attack launched by the group RansomExx, disrupting the company’s operations.
On May 14, 2021, Ireland’s health service IT system suffered a “significant ransomware attack” and was shut down to prevent further damage.
By May 25, 2021, 48 ransomware incidents, which targeted the US healthcare alone, were tracked and recorded. Last year, ransomware attacks cost hospitals and other healthcare orgs about $21 billion.
For starters, nothing in here is meant to analyze which countries are targeted the most, or which ransomware is the latest; nor is it to lay blame on the attacked companies. The primary point is this: any healthcare company in the world is a potential target, especially during the past year. A primary tactic of malicious actors is taking full advantage of any crisis (health, political, financial, etc.) to target what the criminals, in their business-oriented mindset, consider “stakeholders” (in a wry sense of humor, even criminals act upon principles).
Before getting into other details, we’ll start with, “Why protect against ransomware?” Protection and defense in the technical realm can seem to be an intellectual exercise performed only to satisfy the checklist of an authoritative pedant. This may be true to some extent, simply because there are state and federal regulations that must be met. But security practitioners know that meeting regulatory requirements – though they are useful – doesn’t inherently equate with protection and defense.
Business and customer data needs to be protected because, in today’s e-commerce economy, data = identity = wealth. The ePHI held on servers is perhaps all that a patient has for providing proof of their medical circumstances in various legal, medical, insurance, and other vital situations. Additionally, ePHI contains that person’s SSN, driver’s license, and numerous other photocopies of their personal and private documents. And those bits of information are the doorway to their financial accounts.
Companies hold the keys to the kingdom of so many people. Businesses don’t want to have their intellectual property stolen; neither do individuals want their identity and personal effects stolen. Patients have entrusted healthcare companies with their keys to their private kingdoms, and those companies need to honor that trust.
Ransomware’s effects, attack vector, and publicity in healthcare
What could ransomware do?
What troubles would it cause? At best, it will expose the data of a great many individuals (about 18 million in 2020). At worst, the encryption would lead to the stoppage of life-giving services (e.g., power, electronic dosage). This wide range of severity makes defending against ransomware a vital factor in patient care.
What makes healthcare an industry worth attacking by ransomware groups?
One factor could be that healthcare is such an enormous and widespread industry, and organizations in it have good reason to pay the ransom. Because patient care demands quick turnaround, the need to get back to business as quickly as possible is an urgent one.
Healthcare IT teams, especially at smaller healthcare organizations, are much more likely to be understaffed and underfunded (and the bad guys know this). Why? Perhaps because breaches are only indirectly related to patient care (IT -> device -> patient), whereas medical assets provide direct service to patients (device -> patient); therefore, the company places its resources where they would do the most immediate good.
According to one study, the average ransomware payment for healthcare is $131,000 (https://www.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-in-healthcare-2021-wp.pdf). This, of course, is quite a bit less than hiring a CISO/Director, an IT Manager, and a couple of administrators, in addition to technology for backups and restores (regardless of on-prem or hosted). So, the initial incentive to pay the ransom, which is much less costly than hiring people to protect the data, is tempting.
However, these figures don’t take into account the total cost. We can’t forget other factors such as downtime, lost revenue, and lost resource time (e.g., people, devices). Including these, the total average cost for healthcare organizations is a little over $1 million. This total loss of resources, in addition to reputation loss, is much more than the cost of protecting the assets.
Why does healthcare make the news (or not)?
Because healthcare organizations are required by regulation to give public notice of breaches (e.g., the HITRUST requirement to publicize breaches of ePHI). Since many non-healthcare companies aren’t required to publicize breaches, they are able to keep things quiet. This makes for a seemingly larger number of healthcare-related breaches.
On the flip side, because only breaches that affect 500 or more people are published, not every breach is publicly disclosed, even though the breaches affecting fewer than 500 people still need to be reported. So, there are many breaches with smaller impacts that don’t make the news.
Protection & Response
In our next installment, we will consider some of the key actions we can take to protect ourselves from the damage or fallout of a ransomware attack.
Read part 2 here: Ransomware In Healthcare – Resources for Protection and Response (Part 2 of 2)
Here are some resources for further reading:
FBI warns of Conti ransomware attacks targeting U.S. healthcare networks
The State of Ransomware 2021
More than 1/3 of health organizations hit by ransomware last year
Why Healthcare Keeps Falling Prey to Ransomware and Other Cyberattacks
Breach Notification Rule