Cybercrime is an ever-growing challenge for businesses everywhere, and the healthcare industry has more at stake than others. With sensitive patient data and critical medical equipment on the line, a single data breach can halt an entire hospital’s operations and have dire consequences.
Here’s what healthcare facilities should know about ransomware, how they should protect themselves, and ways to minimize damage.
The State of Ransomware Attacks in Healthcare
The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory with the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) in 2020. It warned U.S. healthcare facilities of an “increased and imminent” threat of cybercrime. Unfortunately, 2020 was just the beginning of a two-year trend.
When researchers compared cybersecurity data from 2020 and 2022, they found that the healthcare industry saw a 69% increase in cyberattacks — the largest increase in volume compared with the cross-sector average. Attacks targeting healthcare also saw the largest increase in complexity, at 67%.
Why Hospitals Are Common Targets of Ransomware
Hospitals are common targets for ransomware in particular because they deal with extensive amounts of valuable data, including electronic health records (EHR) containing protected health information (PHI) and personal identifying information (PII).
The more valuable the data, the larger the target for high ransom demands — and few targets are more valuable than hospitals providing life-and-death services. Attackers can earn anywhere from $1 to $1,000 or more selling PII and PHI.
Other causes of ransomware attacks targeting hospitals include:
- Distributed workforce: Distributed teams, including remote administrators and telehealth providers, often operate through their own equipment and networks, leaving large gaps in data security. This was especially common during the COVID-19 pandemic, when many lacked the equipment, processes, or training to work securely.
- High dataflow: Some hospitals have a higher flow of data than others, which creates a larger attack surface. Examples include teaching hospitals, which handle both research and clinical data, and some specialist facilities.
- Lack of adequate security: Hospitals often lack the physical and digital security they need to protect their network from infiltration. Even when taking certain precautions for HIPAA compliance, the focus tends to center on privacy more than security. Physical security in hospitals is also a concern — the less control a facility has over its equipment, the more at risk it is.
- Outdated systems and devices: Hospitals with outdated equipment and medical devices might not have access to the latest operating systems and security patches, making them much easier to breach or exploit.
- Budgetary constraints: Hospitals in low-income areas or smaller facilities with limited resources can’t always allocate enough of their budget to IT and cybersecurity. Coupled with pandemic-related layoffs, some hospitals might operate without an adequate IT department.
How Ransomware Works and What’s at Risk
Ransomware is malware that infiltrates and encrypts networks, devices, and files. It mostly creeps in undetected through email phishing schemes or infected websites.
Most hospitals don’t realize they’ve been attacked until they lose file access and find a ransom note demanding payment. Ransom demands range from several hundred to several million dollars.
Some cybercriminals move faster than others and have the resources to halt an entire hospital’s operations — including distributed teams and anyone sharing a network or server with the facility — in minutes or hours.
Ransomware disruptions have long-lasting effects, even after the threat is removed. Downtime alone can cost more than the ransom demand, and some facilities face additional compliance costs and HIPAA-related penalties.
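The paragraphs above describe how a hospital usually discovers an attack only after files are already locked. The following added example (not from the original article) shows one host-level detection heuristic a defender can run over file-audit events: flag a process that rewrites many files with unfamiliar extensions within a short window, and flag the creation of ransom-note-like files. The log format, the thresholds, the extension list and the sample events are all constructed assumptions for illustration.

```python
"""Flag mass-encryption-like file activity in a file-audit log.

Constructed log format (assumption): one event per line,
  <ISO timestamp> <host> <process> <action> <path>
where action is MODIFY, RENAME or CREATE; for RENAME, path is the new name.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: sliding window per host/process
THRESHOLD = 20                   # assumption: unusual-extension writes per window
# Extensions that are normal for this share (assumption, tune per environment).
KNOWN_EXTS = {".pdf", ".docx", ".xlsx", ".dcm", ".hl7", ".jpg", ".txt", ".csv"}
# File names that look like ransom notes (assumption, not a real product signature).
NOTE_RE = re.compile(r"(readme|how_to|restore|decrypt).*\.(txt|html|hta)$", re.I)


def parse_line(line):
    """Split one audit line into (timestamp, host, process, action, path)."""
    ts, host, proc, action, path = line.split(None, 4)
    return datetime.fromisoformat(ts), host, proc, action, path


def suspicious_ext(path):
    """True when the file's final extension is not one the share normally holds."""
    name = path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2:
        return False
    return "." + parts[-1] not in KNOWN_EXTS


def analyze(log_text):
    """Return a list of alert strings for the events in log_text."""
    alerts = []
    windows = defaultdict(deque)   # (host, process) -> timestamps of suspicious writes
    flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, action, path = parse_line(line)
        name = path.rsplit("/", 1)[-1]
        if action == "CREATE" and NOTE_RE.search(name):
            alerts.append(f"{host}: ransom-note-like file created by {proc}: {path}")
        if action in ("MODIFY", "RENAME") and suspicious_ext(path):
            key = (host, proc)
            dq = windows[key]
            dq.append(ts)
            while dq and ts - dq[0] > WINDOW:   # drop events outside the window
                dq.popleft()
            if len(dq) >= THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(
                    f"{host}: {proc} rewrote {len(dq)} files with unusual "
                    f"extensions within {WINDOW.seconds}s"
                )
    return alerts


def build_sample_log():
    """Constructed sample: a few normal edits, then a rename burst and a note."""
    lines = [
        "2024-03-01T02:10:00 ward3-pc07 winword.exe MODIFY /shares/ward3/handover.docx",
        "2024-03-01T02:11:30 ward3-pc07 winword.exe MODIFY /shares/ward3/handover.docx",
        "2024-03-01T02:12:00 lab-pc02 excel.exe MODIFY /shares/lab/results.xlsx",
    ]
    base = datetime.fromisoformat("2024-03-01T02:14:00")
    for i in range(25):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} ward3-pc07 svc_update.exe RENAME /shares/ehr/pt_{1000 + i}.pdf.locked")
    lines.append("2024-03-01T02:14:30 ward3-pc07 svc_update.exe CREATE /shares/ehr/HOW_TO_RESTORE_FILES.txt")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The burst detector fires on the twentieth unusual-extension write from the same host and process, which is early enough to isolate the machine while most of the share is still intact; the note detector is a second, independent signal, since some families drop the note before or during encryption rather than after.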
A ransomware attack at the University of Vermont (UVM) Medical Center left the hospital without access to EHR, payroll, patient appointment information, and even necessary surgical equipment. It didn’t pay the ransom, but it still lost about $50 million in downtime and lost revenue.
Data loss and unauthorized access have enormous financial consequences. Stalled systems also leave some facilities unable to use lifesaving equipment, access patient information, make accurate diagnoses, accept emergency room admittance, and much more.
This disruption of care can have devastating effects. Some hospitals have been forced to disrupt critical care, including chemotherapy. When the Cancer Center of Hawaii suffered a ransomware attack, it had to suspend radiation services for patients for several days.
In a survey, 36% of hospitals reported an increase in procedure complications after experiencing a ransomware attack, and 22% of respondents saw an increase in their overall patient mortality rate.
One university in Düsseldorf, Germany, linked its ransomware attack with one patient death.
How Hospitals Respond to Ransomware
Decryption tools and professional intervention can help remedy a ransomware situation. Under the HIPAA Breach Notification Rule, healthcare organizations that suffer a breach of unsecured PHI have 60 days to notify all affected individuals and other relevant parties.
Other steps to take include:
- Initiate threat escalation and incident response plans by alerting the correct manager or department.
- Isolate the infected system: close any connected ports and disconnect connected servers, computers, and equipment. Disconnect it from the network and the internet, and remove all attached external devices, including storage.
- Have IT professionals perform a quick initial assessment to determine the cause and mitigate further spread.
Organizations should also report the incident to federal authorities, who recommend never paying a ransom demand. One survey of the global Healthcare and Public Health (HPH) sector found the average ransom payment was $131,000, and only 69% of those that paid got encrypted data back.
Protecting a Healthcare Facility From Ransomware Attacks
Administrators should take steps to fix their security system’s vulnerabilities once the ransomware threat has been contained and remediated, whether supplementing employee training, updating firewalls, investing in a better threat detection system, or updating antivirus software.
Officials might also consider pairing with a public relations specialist to determine the best way to publicize their organization’s data breach to reduce fallout and maintain their patients’ trust.
Because the healthcare system relies on the ability to move and access data between departments and providers, there is little hospitals can do beyond preparing for the worst-case scenario.
Administrators should prepare their healthcare facility with these steps:
- Have a data backup plan: Back up all files and data to minimize data loss and downtime. Test and update regularly.
- Practice good password hygiene: Regularly change all individual, department, and facility-wide passwords.
- Update the incident response plan: Create a comprehensive incident recovery plan, including all relevant stakeholders and remediators, and update it annually.
- Secure remote workers: Bolster security for remote access by requiring multifactor authentication and restricting personally owned devices on the network.
- Invest in comprehensive security: Implement all network, cloud, and physical security needed to protect PHI and PII, including anti-malware software and regular security scans. Work with an IT professional to determine if full visibility or security segmentation might work best for a facility’s needs.
- Monitor device connectivity: Monitor the local network for unauthorized users or devices and promptly remove and investigate them.
- Audit third-party partners: Audit all third-party partners, like vendors, suppliers, and consultants, to ensure they follow PHI and PII protection plans.
- Restrict user access: Restrict which users can access high-value data by limiting and removing access to specific services or files. Use a privilege-based hierarchy to reduce the chance of future infiltration.
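The "Secure remote workers", "Invest in comprehensive security" and "Monitor device connectivity" items above amount to knowing which devices are allowed on which network and spotting the ones that are not. The following added example (not from the original article) implements that check over DHCP lease records: it compares each lease against an asset inventory, flags uninventoried devices (rating them higher on a medical-device segment), flags inventoried devices that show up on a VLAN they are not approved for, and notes addresses whose locally administered bit is set, which is what OS MAC randomization on personal phones and laptops produces. The lease format, the inventory, the VLAN names and the sample records are constructed assumptions.

```python
"""Audit DHCP leases against an asset inventory and segmentation policy.

Constructed lease record format (assumption), one per line:
  <ISO timestamp> <mac> <ip> <vlan> <hostname>
"""
import re
from datetime import datetime

# Constructed asset inventory (assumption): MAC -> approved name and VLAN.
INVENTORY = {
    "00:1e:c0:00:00:01": {"name": "infusion-pump-12", "vlan": "med-devices"},
    "00:1e:c0:00:00:02": {"name": "ward-laptop-03", "vlan": "staff-wired"},
    "00:1e:c0:00:00:03": {"name": "ct-scanner-1", "vlan": "med-devices"},
}

# VLANs where an unknown device is a high-severity finding (assumption).
SENSITIVE_VLANS = ("med-devices",)

# Constructed sample leases: a known pump, a laptop on the wrong VLAN,
# a randomized-MAC phone on guest Wi-Fi, and an unknown box on the device segment.
SAMPLE_LEASES = """\
2024-03-01T08:00:00 00:1E:C0:00:00:01 10.20.1.12 med-devices infusion-pump-12
2024-03-01T08:01:00 00:1e:c0:00:00:02 10.10.1.40 staff-wifi ward-laptop-03
2024-03-01T08:02:10 d6:41:9f:12:34:56 10.30.5.77 guest-wifi iPhone
2024-03-01T08:03:00 00:1b:63:aa:bb:cc 10.20.1.55 med-devices -
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, as with
    randomized MACs generated by phone and laptop operating systems."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def parse_lease(line):
    """Split one lease record into (timestamp, mac, ip, vlan, hostname)."""
    ts, mac, ip, vlan, host = line.split(None, 4)
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC in lease record: {line!r}")
    return datetime.fromisoformat(ts), mac, ip, vlan, host


def audit_leases(text, inventory=INVENTORY, sensitive_vlans=SENSITIVE_VLANS):
    """Return a list of finding dicts, one per lease that violates policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip, vlan, host = parse_lease(line)
        base = {"mac": mac, "ip": ip, "vlan": vlan, "host": host, "when": ts.isoformat()}
        asset = inventory.get(mac)
        if asset is None:
            kind = "unknown-randomized-mac" if is_locally_administered(mac) else "unknown-device"
            severity = "high" if vlan in sensitive_vlans else "medium"
            findings.append({"kind": kind, "severity": severity, **base})
        elif asset["vlan"] != vlan:
            findings.append({"kind": "wrong-vlan", "severity": "medium",
                             "expected_vlan": asset["vlan"], **base})
    return findings


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LEASES):
        print(f"[{f['severity']}] {f['kind']}: {f['mac']} {f['ip']} on {f['vlan']} ({f['host']})")
```

Run against an export of the DHCP server's lease table on a schedule, the output is the "promptly remove and investigate" worklist from the list above; the wrong-VLAN finding is also a cheap check that the segmentation the facility paid for is actually holding.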
Stay Vigilant to Protect Hospitals From Ransomware Attacks
Ransomware is a dangerous threat for any industry, but healthcare facilities — particularly hospitals — could experience disastrous financial fallout and be forced to pause critical patient services, including lifesaving treatments.
Healthcare facilities will always face some level of cybersecurity threat. Still, administrators can take steps to better protect their hospitals from ransomware and its associated risks, including downtime and harm to patient safety.
Officials should take the necessary steps to protect their healthcare facility and patients’ data by investing in comprehensive security, implementing regular security audits, having a threat detection and remediation plan, and keeping employees up-to-date on safe cyber practices.