Threat actors target hospitals and healthcare providers while others breach third-party suppliers

Of the many high-profile cyberattacks to make headlines in the past few years, few provoke a feeling of concern like ransomware attacks on hospitals and healthcare institutions. With patients’ lives on the line and a wealth of incredibly sensitive data, these organizations present a compelling target for ruthless cybercriminals.

However, it isn’t just enterprise-level institutions that find themselves targeted by ransomware groups. Small healthcare companies and specialty clinics are increasingly reporting ransomware attacks at every link in the healthcare supply chain – from insurance providers to printing services and data processors.

This trend suggests that the cybersecurity initiatives undertaken at major healthcare institutions have largely succeeded. It also emphasizes some of the important differences between large, well-funded organizations and their smaller partners.

Smaller Organizations Make Easier Targets

Small and mid-sized organizations in the healthcare space make convenient targets for opportunistic cybercriminals. In many cases, these organizations have access to the same highly sensitive data that major hospitals process every day. However, the security resources and technologies protecting these records are often far more vulnerable to attack.

The trend towards targeting smaller organizations in the supply chain follows a larger pattern throughout multiple industries. Analysts report similar activities happening in finance, telecommunications, and education.

The situation in healthcare is arguably more urgent, though. Nine out of ten IT professionals working in the healthcare industry report experiencing a ransomware attack in the last year. These attacks disrupt patient care and deeply impact the organization’s ability to operate effectively.

Additionally, the legal consequences of correlating ransomware attacks with patient outcomes have yet to be conclusively legislated. In 2021, an Alabama woman sued a hospital claiming that its lax security contributed to her baby’s death. One year later, the case is ongoing. Its outcome may establish a legal precedent for holding healthcare providers responsible for the consequences of ransomware attacks on their IT infrastructure.

In a healthcare sector more densely populated by small organizations, this kind of correlation could make it nearly impossible to do business. A small specialty clinic may not have the resources it needs to respond to a liability of that severity.

At the same time, smaller healthcare organizations often don’t have the resources they need to build and operate fully functional security operations centers. Hiring and equipping a team of security analysts for in-house security operations can cost nearly $1 million per year.

Paying the Ransom Might Not Work

A 2022 study into ransomware attacks against healthcare organizations shows a disturbing trend. Faced with business-crippling ransomware attacks and the threat of patient liability, healthcare IT leaders are increasingly choosing the “lesser evil” of simply paying the ransom to get their data back and quickly restore operations.

In 2022, the number of healthcare organizations that admitted paying a ransom for their data nearly doubled compared to the previous year. However, only 2% of these organizations successfully recovered all of their data. The vast majority of targets only managed to recover part of their data, and there is always a chance victims simply never get their data back at all.

Healthcare organizations have the second-highest data recovery costs across all sectors, with an average data recovery cost of just under $2 million, well above the global average of $1.4 million. Recovery takes time as well: 44% of organizations spend up to a week recovering from data disasters like ransomware attacks, and 25% require a full month.

There is also a growing trend towards purchasing cyber insurance to hedge some of the losses associated with ransomware attacks, but healthcare organizations appear to be lagging behind other industries in this regard. Healthcare leaders report encountering difficulties finding insurance providers and meeting the stringent cybersecurity standards set by insurers. Some insurers have even stopped paying ransom demands altogether.

Cybersecurity Challenges in the Healthcare Space

Overall, ransomware impacts the healthcare space in a more nuanced way than other industries. Healthcare providers regularly create and process highly sensitive data that attackers value, yet they can’t afford to reduce the interoperability and accessibility of that data.

The need for efficient, interoperable data structures gets in the way of most zero-trust frameworks and multi-factor authentication methods. Many healthcare organizations – especially smaller ones – are not willing to accept a tradeoff between security and usability. As a result, substandard security processes remain locked into their business processes far longer than in other industries.

Regulatory compliance can also complicate security decisions for healthcare organizations. Many compliance rules focus on the need for stringent security standards but may present challenges to smaller organizations. A small clinic might not have easy access to the technology and talent it needs to maintain compliance the way a large hospital can.

Secure Patient Data With a Cost-Efficient Security Stack

Healthcare organizations large and small need to invest in scalable, efficient security technologies that deliver proven results. With patient data on the line, there is little room for error and very little appetite for the risks associated with speculative and emerging technologies.

Healthcare leaders need to demonstrate that their systems and infrastructure are reliably secure. They are well-motivated to look for robust prevention-based security technologies that enforce practical security policies in key areas of the organization.

Anti Data Exfiltration (ADX) technology is one of the solutions that every healthcare organization should consider including in its tech stack. ADX does not commit valuable system resources to detecting threats at the network perimeter. Instead, it prevents network users and entities from exfiltrating data to external destinations.

This prevents malware from communicating with command-and-control centers based in foreign countries. It blocks attempts to download encryption executables to carry out ransomware attacks. Even if attackers successfully infiltrate your network, ADX ensures they cannot take data off your network and onto their own, effectively thwarting ransomware and extortion attacks.
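To make the outbound-blocking idea concrete, here is an added illustration (not BlackFog's code, and not a description of how ADX is implemented internally): a small egress-policy evaluator that classifies outbound connection records by destination allow-list, destination country, executable downloads, and outbound volume. The flow records, host names, country codes and thresholds are all constructed for the example; in practice the country field would come from an upstream GeoIP lookup.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """One outbound connection record (constructed schema for this example)."""
    user: str
    dst_host: str
    dst_country: str          # assumed to be resolved by an upstream GeoIP step
    bytes_out: int            # bytes sent from the internal host to dst_host
    response_type: str        # MIME type of what dst_host sent back, if any

# Policy knobs (hypothetical values; a real deployment tunes these per site).
ALLOWED_HOSTS = {"ehr.example-hospital.org", "lab.example-partner.net"}
ALLOWED_COUNTRIES = {"US"}
BLOCKED_DOWNLOAD_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXFIL_BYTES_THRESHOLD = 5_000_000   # 5 MB outbound to one unknown host

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one flow, most specific rule first."""
    if flow.dst_host in ALLOWED_HOSTS:
        return "allow", "allow-listed destination"
    if flow.dst_country not in ALLOWED_COUNTRIES:
        # Blocks both C2 beacons and bulk uploads to non-approved regions.
        return "block", f"destination country {flow.dst_country} not approved"
    if flow.response_type in BLOCKED_DOWNLOAD_TYPES:
        # Stops an executable (e.g. an encryptor) arriving from an unknown host.
        return "block", "executable download from non-allow-listed host"
    if flow.bytes_out > EXFIL_BYTES_THRESHOLD:
        return "block", f"outbound volume {flow.bytes_out} exceeds threshold"
    return "allow", "within policy"

# Constructed sample flows covering each branch of the policy.
SAMPLE_FLOWS = [
    Flow("nurse1", "ehr.example-hospital.org", "US", 20_000_000, "application/json"),
    Flow("svc-print", "203.0.113.7", "XX", 512, "text/plain"),
    Flow("admin2", "cdn.example-unknown.com", "US", 1_024, "application/x-msdownload"),
    Flow("billing3", "share.example-unknown.com", "US", 8_000_000, "text/html"),
    Flow("doc4", "www.example-news.com", "US", 3_000, "text/html"),
]

def run_policy(flows: list[Flow]) -> list[tuple[str, str, str]]:
    """Evaluate every flow and return (dst_host, decision, reason) triples."""
    return [(f.dst_host, *evaluate(f)) for f in flows]

if __name__ == "__main__":
    for host, decision, reason in run_policy(SAMPLE_FLOWS):
        print(f"{decision:5} {host:28} {reason}")
```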

BlackFog provides ADX protection to healthcare organizations of all sizes. Find out how our technology can help you maintain compliance and protect sensitive patient data from exfiltration.