Healthcare’s Ransomware Crisis
By Chris Bowen, CISSP, CCSP, CIPP/US, CIPT, Chief Information Security Officer & Founder, ClearDATA
Ransomware Continues to Evolve
It’s no secret that every industry faces prolific ransomware attacks. New ransomware culprits emerge and regularly join the over 1,000 ransomware groups worldwide. The FBI tracks over one hundred of those groups. Sadly, our hospitals are attacked most and, not coincidentally, are the most vulnerable target. According to CyberPeace Institute’s Cyber Incident Tracer, a whopping 39 ransomware groups went after healthcare for 18 months. That should alarm every patient and healthcare provider in America.
Our inboxes overflow with new warnings about new malware variants designed to destroy your data. In February 2022, for example, government agencies from the US, UK, and Australia issued a joint warning about increasing attacks. In October 2021, CISA, the FBI, and the NSA issued a joint alert warning about BlackMatter ransomware that affected multiple industries. In October 2020, the FBI, CISA, and HHS warned of a Ryuk ransomware campaign targeting 400 US hospitals.
Ransomware in Healthcare
The operational carnage challenged an already burdened healthcare system. The threat to human life due to a lack of information and the astounding recovery costs are catastrophic to healthcare organizations. But the real tragedy is the harm to patient care. In the most disruptive scenario, an attack can effectively shut down the hospital’s entire system. Imagine the surgeries to cancel, ambulances to reroute, and critical patients to transfer to another facility or provider mid-treatment. A ransomware attack completely disrupts the patients’ continuum of care.
Even more alarming, ransomware is affecting mortality rates. A recent Ponemon Institute study found that ransomware increased the mortality rate by 22%. There are several recent examples where fatalities were directly caused by ransomware attacks:
• In September 2020, a ransomware attack in Germany destroyed a hospital’s servers, so patients had to relocate to different healthcare provider facilities. The hospital transferred a very critically ill patient to a hospital twenty miles away, resulting in death.
• In July 2019, a ransomware attack disrupted a hospital in Alabama. While a patient was in labor, there was no access to crucial fetal heartbeat monitors. It severely complicated the delivery, and nine months later, the injuries led to the infant’s death.
Ransomware attacks in the healthcare industry are reaching crisis levels.
Ransomware was the cause of a majority of the healthcare breaches in 2021, affecting about eight million individuals. Organized crime, and in some cases, nation-state actors, reaped substantial payments by taking healthcare networks hostage. More ransomware attacks are guaranteed to happen with each success and ransom paid. While this may sound like a technology problem, and it is, it’s more than that. In healthcare, there are trickle-down effects for everything that happens. Whatever happens with data eventually affects a human being.
Knowledge is power when it comes to defending your hospital from ransomware. There are warning signs of ransomware attacks, and attackers leave trails. Gaining insights into detecting intruders and knowing the methods they use to gain access is necessary to stop them before they substantially harm you.
The Ransomware Economy
The ransomware economy is reasonably simple to understand. Economics 101 helps us understand the laws of supply and demand. A hospital needs data, and ransomware gang members need money. But the healthcare provider has both. The ransomware attacker must steal the provider’s data to create an artificial and temporary market to force providers to pay money to get their data back and systems online. Preventing the creation of this ransomware market requires that the provider safeguard the data. No data theft means no system disruption, which prevents a ransom demand from ever happening. It is that simple. Unfortunately, preventing data theft and destruction takes a lot of work by a lot of skilled people. Many fail to guard the castle.
Like a “normal” business, the ransomware attacker strives to generate consistent revenues leveraging global automation and cloud services. The attacker even leverages at-scale services provided by the syndicate, such as “customer support” both for attackers looking to scale and for victims struggling to recover from the attack.
The ransomware underworld thrives on many dark truths:
• Novice criminals can easily buy and use ransomware software.
• Profit from attacks is quick and predictable.
• There is less risk in the payoff than with other hacking methods, with little or no direct contact with the victim.
• The ransomware model comes with a “built-in” buyer of the data, meaning the criminal doesn’t have to find a buyer.
• Ransomware is rapidly scalable – it can be globally automated.
• It is less trackable because it uses cryptocurrency.
Those who pay the ransom may think they recovered from the attack but quickly become a “known payer.” Becoming a known payer of ransoms puts a long-term target on the organization and contributes to the cybercriminal economy. For this reason, the FBI discourages the payment of a ransom.
How Healthcare Can Combat the Ransomware Crisis
Ransomware attacks occur every 11 seconds! Healthcare must change its mindset and prepare for when, not if, a cyberattack happens. Many available resources can help your organization prepare for and respond to ransomware. ClearDATA has learned a thing or two about preventing ransomware by successfully defending thousands upon thousands of cloud-based healthcare systems. For more guidance on ransomware, download our recent eBook, “Ransomware Response and Recovery Guide.”