No relief in sight for ransomware attacks on hospitals

Despite an apparent decline in activity against hospitals during 2022, ransomware attacks have continued to endanger medical care and patient health this year and show no signs of abating.

Ransomware gangs typically have not restrained their avarice for healthcare organizations. Despite the pledges of some gangs in 2020 to refrain from attacking medical facilities during the Covid-19 pandemic, ransomware attacks continued to plague the industry across the globe. While U.S. law enforcement agencies have focused more attention on threat groups that target critical infrastructure, that scrutiny — and potential for causing patient deaths — has not deterred some ransomware gangs from attacking hospitals.

Cybersecurity vendor Emsisoft recorded 25 ransomware attacks on healthcare organizations, including “hospitals and multi-hospital health systems” in 2022, affecting as many as 290 hospitals across the country. That number is a significant decline from 2021, when Emsisoft observed 68 attacks on healthcare providers.

But U.S. hospitals and medical centers are still popular targets for threat actors. According to Check Point Research, the sector was the most targeted industry for ransomware attacks during the third quarter of 2022.

Attacking the healthcare sector, which often means impairing medical services and jeopardizing patient health, is considered unethical even by some cybercriminals. However, this is no deterrent for some ransomware gangs, especially with the potential value in attacking healthcare. In addition to encrypting IT systems, ransomware actors often target lucrative data in healthcare computer systems.

As electronic healthcare record databases grow by the second, threat actors see the sector as a vast landscape for monetization. In addition, technological advances create new endpoints that cyber actors can exploit, profiting from sensitive data either by selling it on the dark web or by extracting a ransom payment.

“The attack threat actors are making a huge amount of money from all cyber attacks. But the healthcare information is so valuable to them,” said Deryck Mitchelson, field CISO for EMEA at Check Point Software Technologies. “They can commoditize up very easily on the dark web.”

In Sophos’ “State of Ransomware in Healthcare 2022” report, the threat detection vendor found that 66% of the 381 healthcare organizations involved in the study had fallen victim to ransomware attacks that year — an increase of about 50% from 2021. Healthcare computer systems are complicated environments to secure. To keep medical procedures moving quickly, the necessary safeguards are sometimes neglected, leaving data vulnerable to attackers.

“If you can’t issue their medicine in a timely manner in an emergency room or you can’t access a record to determine what somebody’s allergies might be like, these things are literally life and death choices,” said Chester Wisniewski, field CTO of applied research at Sophos. “Often, systems get left a lot more open for the convenience of providing care.”

Moreover, infosec experts have long argued that the environment under which medical professionals work leads them to quickly open emails, making them susceptible to phishing attacks.

“They do tend to respond quickly, click on things quickly,” said Mitchelson. “They’re often walking in between doing things, so they’re doing things on the move. That’s why phishing emails are something that you see that’s one of the highest vectors.”

The burden on hospitals
Ransomware attacks come with heavy expenses, as victims frequently experience downtime during which IT and/or power restoration may be required. This can be especially painful for healthcare organizations. Sophos’ study showed that recovery lasted one week on average and cost healthcare providers an average of $1.85 million in 2022.

Ransom payments are an additional expense for companies. Sophos’ study found the healthcare sector paid a ransom in about 61% of incidents, up from 34% in 2020 and the highest rate of any vertical industry in its 2022 study.

Mitchelson said the payment rate is typically high because U.S. healthcare organizations primarily operate within the private sector, and executive teams can make their own decision to pay a demanded ransom. In Europe, he said, many healthcare organizations are publicly funded and government operated and are therefore much less likely to pay. The situation is similar to the education sector in the U.S.: K-12 schools, for example, rarely pay a ransom because they function under the supervision of local governments and require approval to use taxpayer money for such expenditures. TechTarget
