Some Straight Talk on Ransomware in Health Care

“U.S. companies are expected to endure over 65,000 ransomware attacks this year — and that’s “a conservative number.”

John Chambers, Founder JC2 Ventures, former CEO, Cisco Systems
Image credit:

Almost half of all data breaches in hospitals and the wider healthcare sector result from ransomware attacks, according to new research. And the majority of health systems that have not been hit by ransomware expect an attack in the future.

In a May 2021 white paper titled The State of Ransomware in Healthcare 2021, cybersecurity vendor Sophos shares their latest findings on the state of ransomware in the healthcare sector. It explores the prevalence of ransomware in healthcare, its impact on victims, the cost to remediate ransomware attacks, and the proportion of data victims were able to recover after they paid the ransom. The survey also reveals how healthcare stacks up with other sectors, as well as future expectations and readiness of healthcare organizations in the face of these attacks.

Three hundred twenty-eight respondents completed the survey. The 328 healthcare IT decision-makers came from all geographic regions surveyed: the Americas, Europe, the Middle East, Africa, and Asia Pacific. A summary of key findings from the report follows:

  • 34% of healthcare organizations were hit by ransomware in the last year.
  • 65% that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in the most significant attack.
  • 44% of those whose data was encrypted used backups to restore data.
  • 34% of those whose data was encrypted paid the ransom to get their data back in the most significant ransomware attack.
  • However, on average, only 69% of the encrypted data was restored after the ransom was paid.
  • 89% of healthcare organizations have a malware incident recovery plan.
  • The average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc., was US$1.27 million. While this is a considerable sum, it’s also the lowest among all sectors surveyed.

The data show that healthcare is less able to stop ransomware than other sectors. This is likely because of the financial and resource challenges that healthcare IT faces. These teams are commonly understaffed, and they were particularly stretched thin last year due to the pandemic. At the same time, many healthcare organizations don’t want to divert funds to cybersecurity when those funds could be used to buy medical resources that more directly relate to patient care. Another possible factor contributing to the higher impact of ransomware on healthcare is legacy equipment that is difficult to update or patch, providing easy entry points for attackers.

Last year researchers found that 83 percent of medical imaging equipment in hospitals, such as MRI and mammography machines, were running unsupported Windows operating systems and remained unpatched against well-known vulnerabilities. However, the problem goes back much further. In 2016, HIPAA Journal reported on three hospitals that were infected with malware through legacy medical devices (the attackers used “ancient exploits” of Windows XP), despite having modern cybersecurity defenses installed on the broader network.

To make matters worse, hospitals also frequently lack proper network segmentation, which increases the overall attack surface of the organization and the risk of lateral movement by an attacker. Of particular concern is the exposure of medical devices, which are usually connected and reachable from the main network. Hospitals have an incredibly diverse third-party ecosystem which poses numerous security challenges. These third parties range from outside doctors, medical clinics, and diagnostics labs to software providers, billing services, insurance, equipment providers, service providers, and other contractors.

To pay, or not to pay. That is the question. – 34% of respondents to the Sophos survey paid the ransom. However, what attackers omit when issuing ransom demands is that even if you pay, your chances of getting all your data back are slim. On average, organizations that paid the ransom got back just 65% of their data, leaving over a third inaccessible. The other risk organizations run when deciding to pay the ransom is that the hackers may embed additional time triggers into the system that can be activated to re-encrypt the data so additional ransom demands can be made. Most cybersecurity experts recommend that you do not pay the ransom, although they admit that is easy to say but difficult to do when your systems have ground to a halt due to a ransomware attack.

Also, consider the cost to recover from a ransomware attack – When we look at the average approximate cost to organizations to recover from ransomware attacks and rectify the impact of their most recent such attack (considering downtime, hours lost, device cost, network cost, lost opportunity, ransom paid, and so on), healthcare reported the lowest overall remediation cost at US$1.27 million. This number may be higher depending upon the size of the system, the amount of data being held hostage, and the organization’s perceived capability to pay (“deep pockets”).

So, what can you do to prevent disruption from ransomware attacks? – The U.S. Government Cybersecurity and Infrastructure Security Agency (CISA) recommends these best practices:

  • Require multi-factor authentication for remote access to OT and IT networks.
  • Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
  • Implement a user training program and simulated attacks for spear phishing to discourage users from visiting malicious websites or opening malicious attachments. Reenforce the appropriate user responses to spear-phishing emails.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allow lists.
  • Update software, including operating systems, applications, and firmware on IT network assets, promptly. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
  • Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
  • Set anti-virus/anti-malware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
  • Implement unauthorized execution prevention by Disabling macro scripts from Microsoft Office files transmitted via email. Implementing application allow-listing, which only allows systems to execute programs known and permitted by security policy. Monitor and/or block inbound connections from Tor exit nodes and other anonymization services. Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers and other post-exploitation tools.

But what do I do if my organization is the victim of a ransomware attack? – Again, referring to the CISA recommendations:

  • Isolate the infected system(s).
  • Turn off other computers and devices. Power-off and segregate any other computers or devices that shared a network with the infected computer(s) that have not been fully encrypted by ransomware.
  • Secure your backups. Ensure that your backup data is offline, secure, and free of malware.

Until recently, there has been no central database that shows how many attacks have been carried out and how much has been paid out in bitcoin. Enter Ransomwhere, the crowdsourced ransomware payment tracker with a punny name that means to shine a light on these cyberattacks that have increasingly rattled governments and businesses worldwide. Jack Cable, a security architect at the cybersecurity consulting firm Krebs Stamos Group, launched the site on Thursday.

As Alyse Stanley reports in Gizmodo, the way it works is Ransomwhere keeps a running tally of ransoms paid out to cybercriminals in the bitcoin cryptocurrency. Ransomwhere collects this data and makes it available to the public for anyone to view or download. And because the site is crowdsourced, it also incorporates data from self-reported incidents of ransomware attacks, which anyone can submit. To make sure these reports are the real deal, each is required to include a screenshot of the ransomware payment demand, and every case is reviewed manually before being made publicly available, according to its FAQ page. If an approved report’s authenticity is later called into question, moderators can strike it from the record.

Ransomware will continue to be a growing concern for organizations and patients alike. Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse. As technology continues to develop, cybersecurity efforts need to keep pace.

If you are interested in learning more about this topic, I highly recommend that you check out this online course from my friend and colleague Tom Giordano. His “Plain and Simple” series of courses is excellent.

Image credit: Quovadis Learning Systems

9 thoughts on “Some Straight Talk on Ransomware in Health Care

  1. An interesting question is “Why do hackers go after healthcare sites”? It seems that there would not be much interesting in finding those who have had a cardiac operation, or who are overweight or who have had mental problems. The core of this issue seems to be that our healthcare records are financially worth far more on the black market than even our social security info. So this all seems to come down to the almighty dollar.

    Additionally many of us, including me, assume that hackers are in some far off land in a dark shack full of computers and blinking lights. And many are. But it often surprises me to learn that some of these “hackers” are our own employees …. disgruntled for some reason. And then there are those who really don’t do this hacking for $ but for some social reason or message they want to get across.

    Holding people hostage and demanding ransom has been around for quite some time. The new aspect is now it is being done on a much broader scale not by muscular pirates (arg!) but my very smart computer geeks from the solitude of their homes.

    • Lots of press about bad actors in government (e.g. China, Russia) these days. But, as you correctly point out, there’s just as much risk from private bad actors and companies exploiting vulnerabilities in systems to hold data hostage.

Leave a Reply