
2022 was a record-breaking year for ransomware generally, but one sector that felt a significant impact was healthcare. With a 93% increase in attacks from 2020, the sector was ranked in the top 3 verticals targeted by cybercriminals last year. Healthcare organizations in the United States suffered the most with 37 of the 58 publicly recorded attacks, while the Hive ransomware group was the most active in this sector. Why are healthcare organizations, big and small, such attractive targets for ransomware gangs?
Massive impact for innocent patients
Ransomware attacks have serious consequences for organizations, but for those in healthcare there are more serious issues to consider, namely patient care. According to a survey by the Ponemon Institute, more than half of healthcare ransomware victims reported that attacks had led to disruptions in patient care, which were tied to complications with medical procedures. The biggest impact reported was an increase in the likelihood of reverting to care diversion after an attack.
Some incidents, such as the attack on Baton Rouge Medical Center, led to minimal disruption when medical notes were locked or encrypted. During this ransomware attack, the center moved to paper record keeping but was still able to effectively treat its patients. Other attacks cause bigger repercussions which can make it impossible for patients to be cared for during the attack and its aftermath. The Centre Hospitalier Sud Francilien, located just outside Paris, was forced to send patients to other healthcare facilities and postpone surgeries when it was struck by ransomware, a fallout which could endanger patient care and, in some instances, patients' lives.
A very rare situation occurred in December last year, when LockBit released an apology and gave a free decryptor to SickKids hospital in Toronto, following an attack by one of their affiliates. This move certainly made headlines and poses the question of whether these ransomware groups may have a conscience. Unlikely, but this attack certainly violated a rule set within the LockBit organization.
Last year it was reported that the average spend for healthcare organizations to recover from ransomware attacks was around $10.1 million. Even though this is not the biggest figure seen across the verticals, in an industry where budgets are stretched beyond capabilities, this could severely impact a small to medium-sized facility for years to come.
Sensitive data exposed
There is no doubt that hackers see dollar signs when they think about exfiltrating patient data. This type of information is highly sensitive and can range from personally identifiable information (PII) to personal health information (PHI) and sometimes even financial information in health insurance documentation.
Data was exfiltrated in 71% of attacks on this sector last year. The amount of data exfiltrated in each attack can differ substantially, but it's typical for thousands of patients’ data to be compromised. During the attack on Doctors Center Hospital in Puerto Rico for example, nearly 1.2 million patients were affected when their information was exfiltrated by Project Relic.
This data is extremely valuable, not only to the organizations but also to the hackers. Hackers make the assumption that to protect this type of data from leaking onto the dark web, victims will succumb to extortion and pay the ransom. Even in the event that the organization does not pay the ransom, the data doesn’t lose value to the criminal gang as it carries a dark web price tag of $1000 for each patient record.
Essential incident reporting
Many organizations are reluctant to report on a data breach or cyberattack, due to the damage it can cause to their reputation. It can be argued that the delay or complete lack of reporting can cause identity theft or credit issues for those whose information has been compromised. Some facilities, such as Yuma Regional Medical Centre, choose to provide free credit monitoring and ID protection as a form of compensation to those impacted, but this is not always the case.
In the US, under the HIPAA security rule, any breach affecting over 500 individuals must be reported to the HHS within 60 days of discovering the incident. Healthcare organizations must then also notify individuals within those 60 days unless law enforcement requests a delay. This early notification can be somewhat beneficial for those affected as it means they can be more vigilant and aware of the risks associated with leaked personal information.
When it comes to breaches, laws vary by country, with different time scales given to report data breaches, but in healthcare especially, should there be a universal rule in order to keep patients safe and organizations/facilities accountable?
Attacks on the healthcare sector will never fade and given the sophistication of some of the ransomware groups in operation, it is feared that the attacks will just continue to increase in number year on year. When it comes to securing sensitive patient information, it is essential for healthcare organizations to put cybersecurity at the top of their priority list. Of course, there are more urgent issues on their mind, but neglecting the security of their data could put them in a very serious predicament very quickly, risking not only their reputation, but also their patients.






