How do hospitals prepare for ransomware attacks?


The healthcare sector has witnessed a serious escalation in cyber attacks in recent years, especially those related to ransomware. These attacks pose an existential threat to healthcare systems, as they disrupt vital hospital operations, from disabling electronic health records and canceling surgeries, to forcing ambulances to change their routes. More seriously, these attacks can lead to increased patient mortality rates, making them a direct threat to human life.

But why are hospitals ideal targets for ransomware attacks, and how can you prepare for these attacks that have increased significantly over the past months?

First, why are hospitals ideal targets for ransomware attacks?

The European Union Cybersecurity Agency (ENISA) report showed that ransomware attacks accounted for 54% of cyber incidents targeting the healthcare sector during the period from January 2021 to March 2023. However, the agency said that only 23% of healthcare organizations had a dedicated ransomware response program in place in 2023.

Meanwhile, ransomware attacks targeting U.S. hospitals are on the rise. According to data from the U.S. Department of Health and Human Services, healthcare organizations around the world experienced more than 630 ransomware cyberattacks in 2023 alone, with the vast majority of those incidents occurring in the United States, at 460. The department’s data also showed a 264% increase in major ransomware-related data breaches over the past five years.

Statistics also indicate that the average cost of a data breach in the healthcare sector is around $11 million, highlighting the significant economic impact of these attacks.

Hospitals are ideal targets for ransomware attacks for many reasons, including:

1- The vital importance of data: 

Hospitals have huge amounts of sensitive and vital data, such as patient records, lab results, and medical images. This data is of great value, as attackers can use it to blackmail the hospital for a large ransom or sell it on the dark web.

2- Lack of security expertise:

Hospitals now rely heavily on technology in all aspects of their operations, from managing medical records to operating medical devices, yet hospitals often lack the resources to provide comprehensive security protection for their systems, leaving them vulnerable to cyber attacks in general, and ransomware attacks in particular.

3- Willingness to pay: 

Unlike other businesses that may be able to afford temporary downtime in their services, hospitals operate 24/7 to provide urgent medical care, meaning any downtime due to a ransomware attack could put patients’ lives at risk, making them willing to pay.

A 2022 Sophos survey across 31 countries found that the healthcare sector is the most likely to pay ransom, because disrupting essential medical services, such as surgeries and medical procedures, would put patients’ lives at risk. Hospitals are often willing to pay ransoms to restore their data and get their systems back up and running, making them an attractive target for attackers.

Second, what are the effects of ransomware attacks this year?

This year, the healthcare sector has seen massive ransomware attacks that have brought major hospitals around the world to a halt. In June, major hospitals in London cancelled surgeries after Synnovis, which provides laboratory services to major hospitals in London, was hit by a ransomware attack. This affected all of Synnovis’ IT systems, causing many of its services to be interrupted.

The attack caused significant disruption to services, leading to the postponement of thousands of surgeries and medical procedures across London, and as a result, a public health emergency was declared in the UK.

Synnovis refused to pay the $50 million ransom demanded by the hackers, prompting them to publish up to 400GB of patient data on the dark web in an attempt to blackmail the company.

The stolen data included patient names, dates of birth, NHS numbers, blood test results and spreadsheets containing sensitive financial information. Experts have described the attack as one of the most serious cyber attacks ever seen in the UK.

Ascension Health System, one of the largest nonprofit health care systems in the United States, with 140 hospitals and 40 senior living facilities in 19 states, was hit by a massive ransomware attack in May. The attack disrupted access to electronic health records, disrupted internal communications at hospitals and facilities, and took down various systems used to order tests and deliver medications. It took Ascension more than a month to fully restore its electronic health records.

The Change Healthcare ransomware attack in February was one of the largest health and medical data breaches in U.S. history, given the company's pivotal role in processing bills and insurance for hundreds of thousands of health care providers.

According to Change Healthcare's website, its systems process more than 15 billion billing transactions annually, and one in three patient records in the United States passes through its systems, so its recent breach is expected to have affected at least 100 million people living in the United States.

The downtime caused by the cyberattack lasted for weeks, causing widespread outages at hospitals, pharmacies, and healthcare facilities across the United States, prompting the company to agree to a ransom payment. In early March 2024, the company paid a $22 million ransom to ALPHV, also known as BlackCat, a Russian group.

By March 13, Change Healthcare had received a secure copy of the stolen data, for which it had paid $22 million, allowing the company to begin the process of searching through the dataset to determine what information was stolen in the cyberattack, with the goal of notifying as many affected individuals as possible.

On March 28, 2024, the US government offered a reward of up to $10 million for information leading to the arrest of the ALPHV group.

Analysts and industry officials said the disruptions caused by the Change Healthcare cyberattack cost US health care providers as much as $1 billion in just one day.

Andrew Witty, CEO of UnitedHealth Group, the company that owns Change Healthcare, revealed shocking details about the attack at a US Senate hearing in April, admitting that the massive breach, one of the largest data breaches in US history, was caused by a failure to enable two-factor authentication on one of the company’s main servers.

His admission did not sit well with members of the Senate Finance Committee, who spent more than two hours grilling him about the attack and broader health care issues. “This breach could have been stopped using basic cybersecurity principles,” Senator Ron Wyden told Witty.

Third, how do hospitals prepare for ransomware attacks?

Last month, the Black Hat conference in Las Vegas featured a realistic simulation of a cyberattack on a hospital. The exercise, called Operation 911, was organized by cybersecurity firm Semperis.

The exercise lasted approximately two hours, during which time participants experienced a realistic scenario of a ransomware cyberattack on a Las Vegas hospital. By hacking into an external IT vendor’s account, the fictitious hackers were able to shut down critical systems at the hospital, causing significant disruption to operations.

The exercise participants faced significant challenges similar to those faced by healthcare organizations in the real world, having to make quick decisions under extreme pressure while simultaneously protecting data and patients, identifying the source of the attack and tracking the movements of the hackers, and balancing the need to stop the attack with the need to maintain the continuity of healthcare services.

On the other side of the exercise, the Red Team, the ransomware gang targeting the hospital, used a variety of malicious tactics to launch their attack. In addition to stealing passwords and moving laterally across the network, they implemented a shadow copying technique to ensure they were not easily detected.

The team also used the local press to pressure the hospital, and this pressure forced the management to make hasty decisions that led to dire consequences. These tactics showed how sophisticated ransomware attacks are and how attackers can exploit even the smallest vulnerabilities.

This exercise showed that the confrontation between hackers and the health organization is similar to an asymmetric war, because once the hacker is able to penetrate the system, he begins to spread within the network like a virus, exploiting vulnerabilities, hiding his traces, and changing the system configurations. At this stage, it becomes practically impossible to expel him or stop his malicious activity, which leads to the disruption of medical services, the leakage of sensitive data, and huge financial losses.

The Semperis exercise demonstrated that healthcare organizations still face significant cybersecurity challenges, underscoring the importance of being well prepared for ransomware attacks and explaining that the lack of a clear response plan can lead to chaos and huge losses.

“Many organizations still struggle to understand the exact mechanisms that hackers use to carry out their attacks,” Semperis CEO Mickey Bresman told Axios. “These attacks often evolve very quickly and take unexpected paths, making them extremely difficult to contain.” He noted that many organizations still rely on traditional solutions that are inadequate to protect their data.

Therefore, Bresman called on healthcare leaders to conduct ongoing training to address the growing ransomware threat, so that executives are prepared to make the right decisions under the intense pressure of an attack.

