Nov 22, 2022

Chapter 4: How to mitigate ransomware in healthcare

Hospital ransomware attacks

Ransomware attacks impact one out of 31 healthcare organizations on a weekly basis, according to Check Point Research. You might not be able to stop ransomware in healthcare but you can make it harder for cybercriminals to infiltrate your network.

Read this article — part of our Internet of Medical Things (IoMT) security playbook — to dive deep into the ransomware problem facing healthcare delivery organizations (HDOs). Discover what you can do to increase cyber resilience and ensure patient safety.

Why hospitals are a top target for ransomware

Healthcare is a top target for ransomware attacks. Here are some of the key factors why ransomware attacks keep happening:

  • The healthcare device landscape is growing in complexity with increased attack surface due to the proliferation of IT, operational technology (OT), IoMT, and Internet of Things (IoT) assets
  • Securing medical devices has its unique challenges, such as the lack of built-in security and much longer device lifecycles than typical IT equipment. Many medical devices cannot be updated due to concerns about service interruptions or regulatory certifications.
  • HDOs hold valuable information such as patient records, as the quality of care depends on fast access to this data. There’s an entire market on the dark web for stolen electronic health records and patients’ personal and financial information. 

The gravity of potential disruption makes this critical sector more likely to pay ransoms to regain network and data access. As per The State of Ransomware in Healthcare 2022 Report, the ransom payment rate by healthcare is 61%, above the cross-sector average of 46%. Hospitals need to keep their systems up and running to avoid an impact on care delivery.

Hospital ransomware attacks are a lucrative business model for criminals

Ransomware has become a lucrative business model for cybercriminals. So how much money does ransomware make? The average ransom payment is almost a quarter-million dollars, according to a 2021 IDC survey.

With the rise of cryptocurrencies, it’s harder to trace payments. In addition, ransomware-as-a-service (RaaS) models enable the proliferation of those attacks, with certain ransomware gangs even specializing in healthcare. 

Consider the example of Conti, a RaaS operation whose affiliates gain unauthorized access to hospital networks through spearphishing campaigns, stolen remote desktop protocol (RDP) credentials, and exploitation of unpatched assets. The FBI identified at least 16 Conti attacks targeting U.S. healthcare and first responder networks. Conti typically steals victims’ files before encrypting servers and workstations, so that the threat of leaking the data adds pressure on top of the loss of access.

Ransom demands have been as high as $25 million. Paying ransoms, however, is a controversial decision. Gartner forecasts that, by 2025, 30% of nation-states will have laws regulating ransomware payments. In the U.S., authorities such as the FBI and Cybersecurity and Infrastructure Security Agency (CISA) advise victims not to make payments because there’s no guarantee they will regain access to their systems and data.

Medical ransomware costs go beyond the ransom itself

In 2021, the FBI received 3,729 complaints of ransomware, with victims reporting over $49.2 million in adjusted losses. The financial loss is not limited to the ransom itself.

The cost of operational disruption

Hospitals might have to stop receiving patients due to not being able to access their systems and data. In addition, recovering from a breach and having systems running again can take time. Transitioning to emergency protocols and implementing mitigation measures are equally onerous.

The impact of operational disruption can be understood in terms of:

  • Disruption of patient care. As we will discuss in the next section, shutting down hospital operations might cause delays in treatments and emergency patients to be redirected to other facilities for critical services, which can potentially impact health outcomes. 
  • Impact on patient safety. Hospital staff needs quick access to healthcare systems and patient records to properly administer medications. In a potential emergency scenario, not having access to this data could result in the use of inappropriate treatment. 
  • Financial impact. Hospitals run like a business. By stopping admissions and canceling surgeries, for example, there’s a direct loss of revenue due to services not being delivered.

The cost of a damaged reputation

Ransomware in hospitals damages the organization’s reputation and might require public relations and crisis management efforts. As per a study commissioned by Armis, “49% of potential patients said that they would change hospitals if their healthcare organization was hit by a ransomware attack.” With patients switching to other facilities, there’s also a direct impact on hospital revenue.

The cost of non-compliance

Healthcare is a highly regulated sector. HDOs are subject to the Health Insurance Portability and Accountability Act (HIPAA), a national law that protects patient records. HIPAA-covered entities are required to notify authorities of breaches of unsecured protected health information (PHI) and are subject to fines for HIPAA violations. 

No wonder healthcare has had the highest average data breach cost for 12 consecutive years, according to IBM Security’s annual Cost of a Data Breach Report 2022. The study also points to a long tail of costs: in highly regulated environments such as healthcare, only 45% of the breach costs are accrued in the first year, says IBM.

Patient care is the biggest concern

We are past the question of whether or not healthcare ransomware attacks can put lives at risk — the answer is yes. A report by Ponemon Institute highlights the life-or-death consequences of ransomware targeting healthcare, stating that “nearly one in four healthcare providers reported an increase in mortality rate due to ransomware.” 

Longer hospital stays and delays in tests and treatments are among the top negative consequences of ransomware in healthcare.

Ponemon report shows the negative impact of healthcare ransomware on patient care

Source: Ponemon Institute Research Report

A notorious example of ransomware shutting down hospitals and affecting patient care was the attack on the University Hospital Düsseldorf in 2020. In the case of this hospital attacked by ransomware, the computer systems crashed and the organization was unable to access data. As a consequence, an emergency patient who needed urgent admission had to be rerouted to another facility and sadly passed away.

For an in-depth look at the impact of medical device ransomware, watch our webinar: 

Ransomware in Healthcare: The Game Has Changed

How to minimize ransomware in healthcare

According to a survey commissioned by Armis, 58% of the surveyed healthcare IT pros stated that their organizations have been hit with ransomware. With a target on their back, hospitals need to reinforce their security safeguards to minimize the risks of a healthcare cyberattack. 

You can start your mitigation strategy by closing these top 3 hospital cybersecurity gaps:

1. Poor cyber hygiene

Cyber hygiene is a set of cybersecurity best practices that help to maintain the security of your digital assets and minimize attacks. Updating your software, replacing legacy technology, and using strong passwords are a few examples. 

Patching your systems is critical because exploitation of known software vulnerabilities is one of the most common attack vectors. In fact, the WannaCry ransomware, which ravaged the healthcare sector, spread by exploiting an unpatched Windows SMBv1 vulnerability (MS17-010) for which a fix had been available for two months.

Another important cyber hygiene measure is to back up your files and keep at least one copy offline or otherwise isolated from the production network, so that an attacker who reaches your servers cannot encrypt or delete the backups too. Test restores regularly; a backup that has never been restored is not yet a recovery plan.

2. Lack of security awareness

As per Verizon’s report, 82% of data breaches involve the human element — for example, falling victim to spearphishing or having credentials stolen. So it’s critical to train hospital staff on cyber risks and security best practices. Here’s what you can do:

  • Educate your staff about phishing emails, teaching them to identify those threats. 
  • Raise awareness about the risks of suspicious emails with malicious links and attachments.
  • Explain the importance of strong and unique passwords and implement multifactor authentication measures.
  • Warn about the risks of infected USB drives, external hard drives, and other removable media.

3. Blind spots in asset visibility

One of the challenges of healthcare cybersecurity is to have a complete picture of all digital assets, including IT, OT, IoMT, and IoT devices. You cannot protect what you cannot see, but only 36% of Ponemon Institute’s ransomware report respondents say their HDOs know where all medical devices are.

Comprehensive asset visibility requires bridging the silos between clinical engineering and IT security. You need to track all devices as well as understand how they are used, which protocols they speak, and which vulnerabilities they carry.

Why you need agentless, passive monitoring in real time

A critical element of a ransomware mitigation strategy in healthcare is to deploy an agentless cybersecurity solution that tracks all devices, including those that cannot accommodate security agents. 

Your cybersecurity solution also needs to be always on, monitoring your environment passively and continuously. Traditional IT security approaches such as active vulnerability scans won’t work for hospital environments because the probes themselves can crash or hang fragile embedded devices, which is especially dangerous in the case of sensitive medical devices touching patients.
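As an added example (not code from this page or from Armis), the following Python sketch shows what closing the visibility gap discussed in the two sections above looks like in practice: metadata observed passively from a tap or span port (DHCP, ARP, DICOM, SMB, HTTP) is folded into one record per device and reconciled against the clinical engineering inventory, so that devices nobody has on record, devices under FDA recall, and devices still speaking legacy protocols surface first. The observations, the CMMS export, the OUI table, and every hostname and address in it are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of passively observed traffic metadata (nothing is probed):
# (protocol, MAC, IP, key=value hint extracted from the observed packet).
OBSERVATIONS = [
    ("dhcp",  "00:1a:2b:10:20:30", "10.20.1.15", "hostname=INFUSION-07"),
    ("arp",   "00:1a:2b:10:20:30", "10.20.1.15", ""),
    ("dicom", "3c:d9:2b:44:55:66", "10.20.2.8",  "aet=CTSCAN01"),
    ("smb",   "00:50:56:aa:bb:cc", "10.20.3.40", "dialect=NT LM 0.12"),
    ("http",  "00:1a:2b:10:20:31", "10.20.1.16", "user-agent=Infusion/2.1"),
]

# Clinical engineering's maintenance-system export (constructed), keyed by MAC.
CMMS_EXPORT = {
    "00:1a:2b:10:20:30": {"name": "Infusion pump 07", "fda_recall": False},
    "3c:d9:2b:44:55:66": {"name": "CT scanner 01",    "fda_recall": True},
}

# Hypothetical OUI prefix -> asset class table; a real deployment uses the IEEE list.
OUI_CLASS = {"00:1a:2b": "iomt", "3c:d9:2b": "iomt", "00:50:56": "it"}

# SMB dialect strings that indicate SMBv1 is still in use.
SMB1_DIALECTS = {"NT LM 0.12", "PC NETWORK PROGRAM 1.0"}


def build_inventory(observations):
    """Fold passive observations into one record per MAC address."""
    inventory = defaultdict(lambda: {"ips": set(), "protocols": set(), "hints": {}})
    for proto, mac, ip, hint in observations:
        rec = inventory[mac.lower()]
        rec["ips"].add(ip)
        rec["protocols"].add(proto)
        if hint:
            key, _, value = hint.partition("=")
            rec["hints"][key] = value
    return dict(inventory)


def classify(mac):
    """Best-effort asset class from the OUI; unknown prefixes stay unclassified."""
    return OUI_CLASS.get(mac.lower()[:8], "unknown")


def assess(inventory, cmms):
    """Cross-check the network view against the clinical inventory and flag risks."""
    findings = []
    for mac, rec in inventory.items():
        flags = []
        known = cmms.get(mac)
        if known is None:
            flags.append("not-in-cmms")   # seen on the wire, unknown to clinical engineering
        elif known["fda_recall"]:
            flags.append("fda-recall")
        if "smb" in rec["protocols"] and rec["hints"].get("dialect") in SMB1_DIALECTS:
            flags.append("smbv1")         # legacy protocol abused by WannaCry
        name = known["name"] if known else (
            rec["hints"].get("hostname") or rec["hints"].get("aet") or "?")
        findings.append({
            "mac": mac,
            "class": classify(mac),
            "name": name,
            "ips": sorted(rec["ips"]),
            "flags": flags,
        })
    # Blind spots first, then anything else flagged, so triage starts where visibility is worst.
    findings.sort(key=lambda f: ("not-in-cmms" not in f["flags"], not f["flags"], f["mac"]))
    return findings


if __name__ == "__main__":
    for f in assess(build_inventory(OBSERVATIONS), CMMS_EXPORT):
        print(f"{f['mac']}  {f['class']:<8}{f['name']:<18}"
              f"{','.join(f['ips']):<12}{' '.join(f['flags'])}")
```

The ordering is the point: the two devices that appear on the network but not in the clinical inventory (one of them still negotiating SMBv1) come out on top, ahead of a known device with an outstanding recall and a known device with nothing to report. Feeding the same reconciliation into a NAC or firewall is how the unknown-device finding turns into a segmentation decision rather than a spreadsheet row.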

Accelerate healthcare ransomware mitigation with Armis

Armis utilizes passive agentless technology to provide unified asset visibility and security for every managed and unmanaged IT, OT, IoMT, and IoT asset in your environment. Armis unites biomedical, security, and IT teams to identify all digital assets, assess and prioritize risks, and highlight mitigation information for improved healthcare cybersecurity.

Your team can understand vulnerabilities and what actions they should prioritize in order to stop attacks. For example, you can see which devices are unpatched or have outstanding FDA recalls. You can also integrate Armis with enforcement points such as NAC systems and firewalls for proactive network segmentation and automated incident response. 

Looking for more information on how to minimize ransomware attacks in healthcare? Get in touch with our team to discover what Armis can do to shield your operations.

Frequently Asked Questions

How does ransomware work?

Ransomware is a type of malware that holds a company’s data or systems hostage. Attackers infiltrate the network, then move laterally to gain more control over the environment, often exfiltrating sensitive data along the way. They then encrypt files, lock the organization out of its systems, and demand a ransom to restore access or to withhold publication of the stolen data. Attackers claim that they will decrypt the data on receipt of payment, but that is not always the case.

How to report ransomware attacks?

Ransomware is a federal crime in the United States, so victims should report this type of cybercrime to federal authorities. Here’s how:

  • Contact the field offices of the FBI or the U.S. Secret Service.
  • File an online report with the FBI’s Internet Crime Complaint Center (IC3).
  • File an incident report with the Cybersecurity and Infrastructure Security Agency (CISA).

Check out all IoMT Playbook Chapters:

  1. Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface
  2. Chapter 2 – The Hurdles of Internet of Medical Things Security
  3. Chapter 3 – A history of medical device hacking
  4. Chapter 4 – How to mitigate ransomware in healthcare 👈 you are here
