The sensitive nature of information gathered about patients makes healthcare organizations particularly vulnerable to ransomware attacks. Seeking a large payday, opportunistic hacking groups target the healthcare sector believing that disrupting critical patient services or stealing valuable data is more likely to result in payouts. This article looks at ransomware in healthcare by focusing on some recent incidents, statistics, and mitigation strategies.
Ransomware in Healthcare: The Numbers
Think of the all the types of data collected by a typical healthcare provider about their patients: names, addresses, social security numbers, symptoms, dates of admission/discharge, passport photos, and cardholder data. All this information is extremely valuable in the wrong hands. Furthermore, due to the critical nature of healthcare services, taking an organization’s IT systems down and holding them to ransom may well result in getting paid.
The result of these factors is that ransomware is rampant in healthcare. Attackers attempt to gain entry routes into IT systems and lock down computers and servers with malware. Here are some of the most telling statistics.
- A 2021 report found that 34 percent of surveyed healthcare organizations were hit by ransomware in the last year.
- The same report found that 34 percent of victims paid the ransom to get their data and/or systems back.
The total cost of ransomware attacks on healthcare organizations was $20.8 billion in 2020.
- Recent Ransomware Attacks on Healthcare Organizations
There have been innumerable high-profile ransomware attacks on healthcare organizations globally over the last 18 months. Hacking groups don’t distinguish between public or private service providers—every organization is a target. Here are some recent examples that serve as important reminders of how ransomware can impact the provision of critical health services or expose sensitive patient information.
Partnership HealthPlan of California: March 2022
The Partnership Healthplan of California (PHC) is a non-profit community-based healthcare organization that provides services across 14 counties in Northern California. In March 2022, the ransomware group as Hive made claims on their website that they had stolen 400 GB of data that included over 850,000 records that included social security numbers and home addresses of PHC's patients. The claim was later removed from Hive's website. To date there has been no confirmation of Hive demanding payment or if such a payment was ever made.
University Medical Center, Nevada: June 2021
The REvil ransomware group (of JBS and Kaseya infamy) breached the systems of University Medical Center in Las Vegas and posted personally identifiable information (PII) online in June 2021. Luckily, the ability to continue caring for patients was not impacted by this attack, and no clinical systems were compromised. The attackers published information about numerous patients that included social security numbers and passport photos.
REvil is a ransomware-as-a-service (RaaS) operation that leases out pre-made ransomware variants to any customer willing to pay. Because subscribers to a RaaS service can access ransomware without much technical knowledge, this type of operation increases risks for healthcare organizations who are obvious targets to turn to. It’s unknown at the time of writing how the hackers gained access to sensitive patient information at the hospital.
Scripps Health, San Diego: May 2021
Scripps Health became the victim of a severe ransomware attack in May 2021 that resulted in over 147,000 patients having their personal information breached. The breached data included names, addresses, medical record numbers, and more. Scripps Health had to send breach notifications to all affected individuals and offer credit monitoring and identity protection support services.
An opinion piece written in the San Diego Union-Tribune by the CEO of Scripps Health highlighted the attack’s impact. “Our IT team detected unusual network activity on our systems...we took down our systems; access to electronic medical records was restricted. This created operational disruption at our hospitals and facilities.”
It appears this attack used the double-extortion technique increasingly favored by threat actors. Not content with just locking down systems, the intruders first acquired files with sensitive information before attempting to lock down important IT systems. It took almost a month to get the organization’s patient portal back running again.
HSE, Ireland: May 2021
Ireland’s entire public health system, the Health Service Executive (HSE), made global headlines in May 2021 when it became the victim of a vicious ransomware attack. Officials working for the HSE said the attack impacted every single aspect of patient care. The ramifications of this cyber attack were such that Ireland was the only country in the EU not ready to adopt the EU travel certificate system well over a month after the attack happened.
Reports emerged in the media that sensitive patient information was also leaked online as a result of the attack. In one instance, the medical file of a patient in palliative care surfaced on the dark web. Often, the perpetrators of ransomware attacks trickle stolen information online to encourage victims to pay up before the full data is released.
University of Vermont Medical Center: October 2020
The University of Vermont Medical Center suffered a ransomware attack in October 2020. The initial detection of the attack coincided with the IT department finding a note instructing the hospital to contact the perpetrators. Often, the first message a victim receives about an attack is payment instructions to unlock their systems.
According to an official statement, the IT team had to scan and clean 5,000 computers and endpoints. The response to the attack also involved rebuilding critical computing infrastructure. The rebuilt infrastructure was then populated with backed-up files and data.
With IT systems voluntarily being shut down to contain the attack, patient services were directly impacted. Patients had appointments canceled and important treatments delayed. This attack was unique both for its lack of initial ransom demand and for the intensity with which IT systems were targeted.
Mitigation Strategies for Ransomware in Healthcare
Back Up Data
Some may argue that backing up data does not help in a world where threat actors try to steal sensitive information before locking down systems. However, the UVM Medical Center attack shows that you can rebuild systems from backed-up data without needing to pay ransoms. Not every attack attempts to exfiltrate data, so backup remains a valid strategy.
Use Advanced Email Security
Threat actors favor phishing attacks as the initial attack vector for gaining entry to IT systems. These attacks use social engineering techniques to entice employees into downloading suspicious attachments or clicking suspicious links. An advanced email security solution can filter out emails before they even reach people’s inboxes.
Consider Data Loss Prevention Tools
A data loss prevention (DLP) tool can provide an extra method of defending against the leakage of sensitive information outside a healthcare organization. These solutions monitor data flow to detect any violations of pre-defined security rules. The DLP solution can implement protective steps such as terminating login sessions, immediately encrypting the targeted data, or sending rapid alerts to IT security teams.
Have A Robust Security Policy
A good security policy addresses the human element that is often involved in ransomware attacks (and many other forms of cyber attacks). You can have all the latest solutions in place, but human error remains a primary way that hackers gain entry points into a network.
Healthcare organizations need security policies that sets sensible rules and procedures for employees when using IT systems. All employees need to know their responsibilities to protect data. At a minimum, the policy should include the following:
- Requirements for setting strong passwords that outsiders can’t easily break
- Rules for using email applications, such as not clicking on links or downloading attachments from external email addresses
- An internet usage policy that establishes how employees can use the internet and what types of sites they can/can’t visit
- A physical security policy that sets rules and processes for ensuring outsiders can’t access sensitive data
One of the more chilling aspects of these attacks was how they all occurred in the middle of the Covid-19 pandemic. With health systems stretched and under pressure, cybercriminals regarded this as an opportunity rather than a time to enforce any kind of ethical boundary. All healthcare organizations are targets of ransomware at all times. Sharpen up your defenses to avoid the risk of not being able to provide services to patients.
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.
This blog was updated in June 2022