In this second installment of the series, we discuss the impact of ransomware specifically on the healthcare industry. In the 15th annual Ponemon Institute “Cost of a Data Breach Report” published by IBM Security earlier this year, hundreds of breached companies and thousands of individuals were interviewed across 17 different industries and 17 countries/regions. For the 10th year in a row, the healthcare industry led all others in most cost categories and the United States led all other nations. While the overall average cost of a data breach was $3.86M, the average in healthcare was $7.13M, which was a more than 10% increase from the 2019 study, and the average cost for all types of breaches in the USA was $8.64M. In terms of types of breaches, malicious attacks (which include ransomware) remained the most costly for the 5th year in a row and represented more than half of the reported breaches (an increase of 24% from just a few years ago). For more details, download the full report or use the interactive calculator at https://www.ibm.com/security/digital-assets/cost-data-breach-report. From this and other similar reports, we can clearly see that the healthcare industry has been disproportionately victimized by ransomware, but why healthcare and not, say, financial services? There are a number of reasons for this.
One difference that sets the healthcare industry apart from others is that it is one of the few industries where human lives are at stake. While ransomware victims in other industries may have the luxury to pursue other means to recover from a ransomware attack such as detailed forensic investigations, recovery from backups, manual data re-entry, or simply living with the loss, the inability to provide life-saving care to patients can create an extreme sense of urgency for healthcare providers to pay a ransom and recover as quickly as possible. Earlier this year, at a university hospital in Düsseldorf, Germany, ransomware crippled the entire IT network. The hospital was forced to cancel surgeries and reroute ambulances to other area hospitals, but one critical patient who was turned away did not survive the nearly 20 mile trip to another hospital.
Another reason that makes healthcare providers an attractive target is their relatively soft cybersecurity defenses. While there are some large healthcare organizations and health insurance companies, there are also many small providers with limited resources to spend on people, technology, and training to protect their data. The lack of resources can lead to many weaknesses in defenses, such as unpatched vulnerabilities in application and operating system software, untrained users who are easily tricked into providing their login credentials to criminals or opening malicious email attachments, or misconfigured software using default or insecure passwords that are never changed. These organizations are also more likely to be unprepared to recover from such an attack, because they did not perform backups, they stored their backups on the same or a nearby server on the network (which was also encrypted by the ransomware), or they never tested and verified that their backups could be successfully restored in the event of a disaster. This can make them easy targets for ransomware hackers, who can only make money if they successfully penetrate the defenses of these entities.
Although healthcare is not the only regulated industry, HIPAA and similar regulations can sometimes cause an unfortunate side effect. If a healthcare provider is successfully attacked with ransomware and, as is often the case, backups don’t exist, don’t work, or were also encrypted, then the entity not only has to worry about the business impact of the breach, but also about the potential for substantial regulatory fines and legal fees. Some entities look at the cost of paying the ransom and see it as a cost-effective way to sweep the breach under the rug and hope that the regulatory agencies never find out about it. Although this is a risky choice (it only takes one disgruntled or loose-lipped employee for this secret to be revealed), it can be a financial incentive that entices certain organizations or company officers to take the risk. The result is more criminals targeting healthcare organizations and also demanding higher ransoms.
In addition to the above differences, healthcare providers still hold much of the same valuable data that other industries hold on their customers. For example, most accept payments by credit and debit cards, which are attractive to criminals. However, unlike industries such as retail, they also typically hold social security numbers, dates of birth, and other information that can have value for identity theft and also make stolen credit/debit cards more valuable than they would be on their own. Finally, health insurance fraud (specifically, using another’s health insurance account information to fraudulently receive expensive medical care) provides another avenue for criminals to monetize data stolen from healthcare organizations. Although exfiltration and theft of data isn’t necessarily the primary goal of ransomware hackers, it certainly can contribute to the attractiveness of the healthcare industry as a target for some criminals.
In the 3rd and final article in this series, we will look at some recent trends in healthcare ransomware that are contributing to the problem and also examine some of the most effective ways that companies of all sizes can reduce their risk of becoming the next victim.