Ransomware in Healthcare: Stats and Recommendations

In 2022, healthcare organizations across the world collectively suffered an average of 1.463 cyberattacks per week (up 74% from 2021). Of all these incidents, ransomware is by far the most devastating, both in terms of finances and patient safety.

This article goes through everything you need to know about ransomware attacks targeting healthcare providers. We analyze the most recent statistics, explain exactly why so many criminals go after hospitals, and present the best ways for healthcare organizations to protect themselves against ransomware attacks.

Healthcare Ransomware Statistics

The statistics below highlight the seriousness of the ransomware threat in the healthcare industry:

• In 2022, 24 US-based healthcare organizations were the target of successful ransomware attacks. These incidents affected a total of 289 hospitals.
• Organizations in the healthcare sector paid the ransom in about 61% of ransomware incidents in 2022, the highest rate of any industry.
• While healthcare tops the list for the willingness to meet hackers' demands, the industry is at the bottom in terms of ransom amounts. Hospitals paid an average ransom of around $197,000 in 2022, the lowest of any sector.
• Healthcare providers were the most targeted industry for ransomware attacks during the third quarter of 2022. One in 42 organizations was the target of an attack at that time.
• Around 66% of hospitals in the US were the target of a ransomware attack at some point in 2022 (an increase of almost 50% from 2021).
• In 2022, the average post-ransomware recovery time for a healthcare provider was one week. The average remediation cost (the price of fully restoring services and systems to a pre-incident state) was $1.85 million.
• While the average remediation price is $1.85 million, high-profile ransomware attacks cost significantly more. For example, Dallas-based Tenet Healthcare reported a loss of about $100 million due to ransomware in April 2022. Similarly, San Diego-based Scripps Health state that attacks in May and June 2022 cost the organization $113 million.
• Almost 22% of healthcare organizations believe that ransomware caused an increase in patient mortality rates in 2022.
• Over 36% of facilities report an increase in serious medical complications due to disruptions of ransomware attacks.
• Three in four ransomware attacks on hospitals result in operational disruptions (disabled electronic health records, canceled surgeries, extended hospital stays, delays in procedures. ambulance diversion, etc.).

Why Are Hospitals a Target for Ransomware?

Here's why hospitals are among the most common targets for ransomware attacks:

• Valuable data: Healthcare organizations store a large amount of sensitive data (medical records, financial info, PII, etc.). This data is a goldmine for identity theft, which makes hospital databases a lucrative target for criminals.
• Criticality of data: Losing access to data often has serious consequences for patient care. Hospitals are far more likely to pay the ransom since the compromised data is critical to treating patients (i.e., records that determine somebody's allergies or blood type).
• Vulnerable to disruption: Healthcare providers are easier to disrupt than organizations in other industries. For example, a single attack on CommonSpirit Health in October 2022 forced more than 140 hospitals across the country to shut down all digital health records. Some hospitals did not fully recover their systems even a month after the attack.
• Lackluster cybersecurity: Over 40% of US-based hospitals spend less than 6% of their IT budget on cybersecurity. Additionally, most security teams are understaffed and many facilities rely on outdated legacy software that's an easy target for experienced hackers.
• The sheer number of devices: A single hospital has tens of thousands of Internet of Medical Things (IoMT) devices a hacker could use to breach the network. This attack surface is highly challenging to defend. Also, when an attack occurs, it's typically difficult to identify the source of infection and stop malware from moving to other systems.
• Proneness to human error: Hospitals rely on a large number of employees that typically work long hours, operate in high-pressure settings, and communicate with various people. Such circumstances make doctors and nurses vulnerable to social engineering attacks such as phishing or CEO fraud.

How to Prevent Ransomware Attacks in Healthcare

While you can't prevent criminals from attempting attacks, organizations can improve their ransomware resilience in numerous ways. Let's see the most effective methods healthcare providers use to lower the likelihood of successful ransomware attacks.

Build Employee Awareness

Hospital staff is the first and the most vulnerable line of defense against ransomware attacks. Provide regular and mandatory security awareness training to all employees to ensure everyone understands their role in preventing ransomware. All team members must know how to:

• Identify signs of phishing attacks in emails, social media messages, and phone calls.
• Safely download and install applications.
• Recognize malicious attachments and links.
• Create unique and strong passwords.
• Keep their credentials safe.
• Report suspected incidents to security personnel.
• Safely use Bring-Your-Own-Device (BYOD) hardware.
• Keep all apps and operating systems up to date with the latest patches and security updates.

Hospital staff members have different roles and responsibilities, so employees have different levels of exposure to threats. Account for those differences during threat modeling and tailor the training program to specific positions.

Boost Overall Cybersecurity

High levels of cybersecurity help a hospital detect and contain threats before they escalate. Most ransomware attacks take days or even weeks to execute after the initial infection, so your team has ample opportunities to detect suspicious activity before malicious software reaches data.

A healthcare provider should focus on improving:

• Endpoint security: Protecting the devices hospital staff use to do their jobs (laptops, smartphones, PCs, IoT medical devices, etc.) is a must since most ransomware attacks start on this attack vector. Endpoint security also helps detect suspicious user behavior, such as in the case of insider threats.
• Strict access controls: Secure the way hospital staff accesses sensitive data. Enforce the use of hard-to-guess passwords, set up multi-factor authentication, and rely on zero trust security (granting staff members access to the minimum necessary data required to perform their duties).
• Network security: The goal of a ransomware hacker is to breach a network and then move laterally between IT systems to reach valuable data. Make this process as difficult as possible by boosting network security with firewalls, anti-malware and anti-virus programs, real-time monitoring, and intrusion detection systems (IDSes).
• Data encryption: Use encryption at rest for all sensitive data. Such a precaution does not stop a hacker from stealing and scrambling files, but you prevent data breaches even if criminals reach something of value.
• Secure email communications: Email security is vital to preventing phishing and other similar social engineering attacks. Set your email server to recognize messages containing files with suspicious extensions (such as .vbs and .scr) and automatically flag addresses of possible spammers.

Segment Your Networks

Segment networks into multiple subnetworks to prevent lateral movement and build a "wall" around critical systems and files. That way, even if ransomware strikes, you minimize the so-called blast radius and contain the threat within a particular network segment.

Each subnetwork should have separate security controls, access policies, and firewalls. These precautions make it difficult for hackers and malicious software to break into each segment, giving the security staff more time and opportunities to recognize and isolate the threat.

Perform Regular Data Backups

Up-to-date data backups do not prevent ransomware attacks, but they ensure the hospital:

• Always has a way to restore compromised data.
• Does not have to pay a ransom to get its data back.
• Quickly restarts patient care in case of an attack.

Ensure the hospital regularly backs up all valuable data. Back up files multiple times a day and use at least two backups (keep one instance offline). Ensure the team also tests backups regularly to ensure there's no accidental data corruption.

As an extra precaution, consider using immutable backups. This type of backup prevents any form of editing (including encryption), so hackers cannot scramble files even if they reach the backup storage.

Have a Go-To Incident Response Plan

You require a comprehensive incident response plan in case a hacker manages to break through your cyber defenses. Here's a rough outline of a step-by-step anti-ransomware plan:

• Isolate the infected systems and devices from the rest of the network.
• Determine what type of ransomware infected the system (if possible).
• Report the attack to the authorities and see whether they possess a decryption key.
• Identify which data the attacker managed to encrypt.
• Search for signs of data exfiltration (unauthorized copying, transfer, or retrieval of unencrypted data).
• Restore data from the most recent backup available, transfer files to an unaffected subnetwork, and restart patient care.
• Uninstall everything on infected devices and reinstall their operating systems. Remember to keep devices offline as you clean their memory.
• Perform in-depth IT forensics and search for signs of back doors.
• Make improvements to your security strategy to ensure the same attack does not happen again.

The more in-depth your disaster recovery plan goes, the better you'll handle the actual attack. Just remember that the response team requires clear go-to steps to respond to a threat quickly, so also prepare a shorter version of the plan staff members will use in times of crisis.

Once you have a plan in place, it's time to test it for flaws. Occasionally run penetration tests to simulate real-life attempts to inject ransomware and see how your team responds to realistic attack simulations.

Perform Regular Vulnerability Assessments

Vulnerability assessments check your systems, devices, and staff for exploitable weaknesses. These types of tests inspect the hospital for flaws that could lead to ransomware attacks, including:

• System misconfigurations.
• Problems in staff behavior (using the same password on different devices, unlocked PCs, interacting with patients via personal email, using shadow IT devices, etc.).
• Issues with account privileges and authentication mechanisms.
• Unpatched firewalls, apps, and operating systems.
• Database errors (such as those that allow SQL injections, another popular method of spreading ransomware).
• Technical debt, outdated permissions, and other liabilities in IT systems.

Regular scans for vulnerabilities help ensure every staff member is on their toes in terms of security and that the IT (both hardware and software) is as ready for ransomware attacks as possible.

Ransomware Attacks on Healthcare Providers Aren’t Going Anywhere

If you work at a healthcare organization, it's only a matter of time before you'll have to deal with a ransomware attack. Whether the attempt ends up being successful is primarily up to your readiness level, so counter the threat of ransomware with a mix of employee training and a robust cybersecurity strategy.