Ransomware attacks are carried out on all types of organizations, costing companies and their customers millions. When these attacks are successfully carried out in hospitals, there are much higher stakes. Cyberattacks on hospitals expose medical information, interrupt medical systems, and put patients at risk.
Unfortunately, attackers are aware of the power they can wield when they breach the defenses of a healthcare organization, and the number of attacks is growing rapidly. More than two-thirds of healthcare organizations in the US said they had experienced a ransomware attack in 2021, up from 34% in 2020. Such attacks cause delayed chemotherapy treatments, ambulances being diverted from affected emergency rooms, and even interruptions in life-saving equipment.
For hospitals to avoid the consequences of ransomware attacks, it's essential to understand what ransomware attacks are, why attackers target hospitals, and ways to prevent successful attacks.
What is Ransomware?
Ransomware is a type of malicious software designed to block access to a computer system until a specified sum of money is paid. Ransomware can target files, computer systems, or entire networks, and the technology used to carry out such attacks is constantly evolving. Beyond the soaring ransom demands, ransomware attacks can cause costly disruptions to operations and the loss of critical information and data. There are a variety of ways that ransomware can be deployed and various things malware can accomplish once it's taken over a victim's device. Most modern sophisticated ransomware attacks are carried out discreetly so victims don't know a computer or network has been infected until the attacker reaches their goal and delivers a ransom demand.
Phishing attacks are one of the most common delivery methods for ransomware. These email attacks target a specific user with communications that masquerade as a company or person they can trust. Once the victim opens the email and clicks on an infected link or downloads a malicious file, the attacker can take over the victim's computer or gain access to other parts of the network. Some highly effective attacks go on to utilize social engineering to trick network users into allowing administrative access. This provides attackers with a larger attack surface to increase the level of damage by attacking multiple devices at once.
When the ransomware is effectively placed and deployed, network users are denied access until a ransom is paid. Denial of access is most commonly achieved with the use of file encryption. When files are encrypted, the only way to regain access is with a mathematical key known only by the attacker. Sometimes, the attacker combines the ransomware demand with a threat to leak sensitive data unless the ransom is paid.
The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other law enforcement and cybersecurity professionals strongly advise against paying ransoms because there is no guarantee of decryption, and successful attacks encourage further ransomware activity. When a network is under attack, it's common for the organization to shut down systems to avoid the spread of the attack throughout the network. Unfortunately, these protective measures can add to the cost of downtime.
Who Are the Victims of Ransomware Attacks?
Anyone with an internet connection can be a victim of a ransomware attack. Yet, not every individual or organization is a prime target. The biggest factors that make an organization a good target for a ransomware attack are vulnerability and potential for exploitation. For example, colleges and universities might be targeted because they have small security teams and easily accessible user bases, while financial institutions may present a larger ransom opportunity.
These industries are rated as the most likely ransomware targets.
- Banking and Financial Services: Financial organizations have access to extremely sensitive client information and large sums of money. As such, they've long been high on the list for cybercrime. However, this sector is accustomed to being a target, and many regulations require these institutions to have significant cybersecurity measures in place.
- Manufacturing: In the past, manufacturing was an unlikely target for cybercrime. However, new technology and supply chain connections, combined with lax security, have made the manufacturing sector an attractive target for modern hackers.
- Critical Infrastructure: Energy, oil, and utility companies are targets for ransomware attacks because they quickly create a sense of urgency. Healthcare facilities are also considered critical infrastructure because of the life-saving treatment they provide. As such, a ransomware attack on a hospital can create an urgent situation that demands an immediate response.
- Government: From local and state to federal government agencies, these are the organizations that keep society running. Government entities also often have sensitive data that makes them an attractive target for attack. While major government agencies are likely to have high-level security measures in place, local government and smaller agencies typically have limited protection.
- Education: Colleges, universities, and even public schools have become popular targets for ransomware attackers. Educational facilities often lack the resources necessary to implement robust security systems, and these organizations require networks that prioritize easy accessibility.
Why Are Hospitals at Risk?
Hospitals are critical infrastructure organizations that store, share, and use large volumes of sensitive data. Healthcare facilities also depend on a variety of IoT devices and electronic records to provide patients with critical medical care. To cyberattackers, this combination represents a worthy prize fueled by a sense of urgency that warrants a large ransom that will be paid quickly. Yet, there's more to becoming a prime target than motive and pressure. A variety of recent events have created a perfect storm that makes hospitals an ideal target for catastrophic ransomware attacks.
The American Recovery and Reinvestment Act, passed by the Obama administration in 2009, included $19.2 billion for the implementation of electronic medical records (also called electronic health records or EHR) to be completed by January 1, 2014. Migrating patient records from paper to online systems vastly improved accessibility to patient health information and efficiency in the medical sector. However, it also increased vulnerability to attacks that can be extremely lucrative. With a focus on compliance and meeting regulations, cybersecurity has been largely neglected.
In 2020, the pandemic only fueled the fire. It forced many providers to shift to telehealth, a massive digital transformation carried out in a very short period of time. At the same time, hospitals were over capacity, and personnel teams were stretched thin. While businesses, healthcare facilities, and most individuals were unprepared for the pandemic, cyberattackers were lying in wait to exploit the situation with phishing attacks.
The Effects of Ransomware Attacks on Hospitals
Ransomware attacks on hospitals are a threat to life because they directly threaten a hospital's ability to provide patient care. In 2021, a lawsuit filed by the mother of a baby who died as a result of fatal brain damage during birth alleged that the failure of electronic devices due to a cyberattack meant a doctor could not properly monitor the child's condition during delivery. While the lawsuit faults the hospital for not disclosing details of the attack, the cyberattack could have directly caused damages that led to the baby's death after months of intensive care. In other cases, ransomware attacks have led to delays in surgical procedures and ambulances being diverted from the nearest emergency rooms.
A CISA report revealed that a ransomware attack on a hospital increases the stress on its capabilities in general and leads to higher mortality rates there. These potentially devastating consequences are likely one of the reasons hackers target hospitals. With the knowledge that lives are at stake, decision-makers are more likely to cave to ransom demands. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom in an effort to speed recovery (the highest percentage in any sector).
Unfortunately, recovery from an attack can be slow, whether or not a ransom is paid. An attack on the University of Vermont Medical Center began with strange computer problems that prompted the discovery of a file with instructions to contact the perpetrators of the malware attack. The center locked down major chunks of the organizational network to prevent further damage. During the days following the attack, staff didn't even know which patients were scheduled for appointments, resulting in rescheduled surgeries and patients being forced to go elsewhere for radiation treatment. For nearly a month after the attack, employees couldn't use EHRs, payroll programs, and other vital digital tools. Although the center didn't pay a ransom, the attack cost an estimated $50 million, mostly from lost revenue.
How Do Ransomware Attacks on Hospitals Happen?
Most modern ransomware attacks are performed remotely. Hackers gain entry to a computer system, encrypt the files that run it, and then demand payment for a decryption key to unlock access. Some hackers deliberately target healthcare organizations in an effort to generate life-or-death urgency that is likely to rapidly yield a large ransom payment. Other attacks are massive phishing campaigns that effectively hook a staff member or contractor and introduce malware into the network (as was the case in the University of Vermont Medical Center attack). All it takes to fall victim to an attack is one employee falling for a fake email. In either case, the attack typically goes unnoticed until the damage is done. By the time a hospital receives a ransom request, it is too late to avoid the effects of an attack.
Although phishing emails are one of the most common attack methods, some hackers target vulnerabilities in large networks. These attacks are more likely to be effective on organizations with older servers and operating systems. As they often operate on strained budgets, it's common for healthcare organizations to have legacy equipment that is more vulnerable to attack.
What Can Be Done to Protect Against Ransomware Attacks?
According to a 2019 Gartner report, 90% of ransomware attacks are preventable. Yet, the prevalence of these attacks is growing. Effective cybersecurity requires preventative measures, plans of action for attacks in progress, and consistent business decisions that help organizations systematically avoid risks. Defending against cyberattacks is a business strategy that must reach far beyond the IT department. Without proper education, non-IT staff members treat cybersecurity as something that is simply there, like air or water. Such an outlook makes an organization vulnerable to attack.
Ransomware attacks begin with a vulnerability in the network. Most often, these vulnerabilities exist due to human error or outdated technology. There are several steps that hospitals can take to decrease the likelihood of a successful attack.
- Strengthen network defenses: Strong firewalls and frequently updated antivirus software are your hospital's first line of defense against attacks. A hardened system blocks many attacks outright and forces attackers to move on to the next target; a vulnerable system quickly falls prey to the same attacks.
- Educate employees: A single mistake often compromises an entire network. To avoid these incidents, employees need to understand the dangers, recognize the signs of a potential attack, and take preventative measures during daily tasks. Setting rules for accessing personal email from company devices and for handling email links and downloads can blunt many phishing attempts.
- Implement multifactor authentication (MFA): Attacks in which hackers escalate their permissions and gain administrative status within a network are increasingly common and give attackers far more power to encrypt systems. MFA requires a user to present two or more credentials to verify their identity at login, which can stop an attack when a single credential has been compromised.
- Create a backup system to restore infected accounts: In October 2020, CISA released a warning about the increase in ransomware attacks against healthcare organizations. The document recommended a 3-2-1 backup approach to protect data so that systems can be restored in the event of an attack.
- Develop a segmented network: By dividing a network into sections, organizations can limit the spread of an attack and the cost of repair and restoration. When a ransomware attack is detected in a segmented network, the organization can quarantine a single segment without shutting down the entire network, so a large portion of a hospital's network can continue to operate unaffected.
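As an added illustration of the 3-2-1 backup recommendation above (example code written for this article, not BitLyft's or CISA's), the following Python snippet evaluates a backup inventory against the rule (three copies, two different media, one offsite) and additionally reports whether any copy is offline or immutable, since a backup that the compromised network can still reach is encrypted right along with production data. The `BackupCopy` fields and the three hospital inventories are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set; the production copy itself counts as one of the three."""
    name: str
    medium: str             # storage type, e.g. "disk", "tape", "object-storage"
    offsite: bool           # kept outside the primary facility
    network_isolated: bool  # offline or immutable, so a network intruder cannot encrypt or delete it

RULES = ("three_copies", "two_media", "one_offsite", "one_isolated")

def check_321(copies):
    """Evaluate copies against the 3-2-1 rule (3 copies, 2 media, 1 offsite), and also
    report whether any copy is isolated from the production network: 3-2-1 does not
    require that, but it decides whether a restore is possible once the network is encrypted."""
    checks = {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_isolated": any(c.network_isolated for c in copies),
    }
    checks["meets_321"] = all(checks[k] for k in RULES[:3])
    checks["restorable_after_network_compromise"] = checks["meets_321"] and checks["one_isolated"]
    return checks

def gaps(copies):
    """Names of the failed checks, for a remediation report."""
    checks = check_321(copies)
    return [k for k in RULES if not checks[k]]

# Constructed sample inventories (hypothetical names, not real hospitals).
WELL_PROTECTED = (
    BackupCopy("ehr-production-san", "disk", offsite=False, network_isolated=False),
    BackupCopy("ehr-replica-dr-site", "disk", offsite=True, network_isolated=False),
    BackupCopy("ehr-weekly-tape-vault", "tape", offsite=True, network_isolated=True),
)
# Meets the letter of 3-2-1, yet every copy is reachable from the network.
ONLINE_ONLY = (
    BackupCopy("ehr-production-san", "disk", offsite=False, network_isolated=False),
    BackupCopy("ehr-nas-mirror", "disk", offsite=False, network_isolated=False),
    BackupCopy("ehr-cloud-bucket", "object-storage", offsite=True, network_isolated=False),
)
# Two copies on the same medium, both local and online: not a backup strategy at all.
NO_REAL_BACKUP = (
    BackupCopy("ehr-production-san", "disk", offsite=False, network_isolated=False),
    BackupCopy("ehr-nas-mirror", "disk", offsite=False, network_isolated=False),
)
```

Running `gaps(ONLINE_ONLY)` returns only `["one_isolated"]`, which is the gap a pure 3-2-1 checklist would miss.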
Investing in a Robust Cybersecurity Solution to Prevent Ransomware Attacks
Ransomware attacks on hospitals are more likely to pay off than in many other industries. Attackers recognize the urgency created by limiting access to life-saving equipment and efficient operations within hospitals. As such, they can demand high ransoms and quick payments. Although federal agencies and cybersecurity professionals advise against paying ransoms, healthcare leaders often feel they have no choice. Unfortunately, this response can backfire. Up to 80% of companies who pay a ransom have been hacked again afterward—often by the same channels.
Hospitals are in the business of providing life-saving care to the patients who depend on them. Executives and staff members in these organizations typically face busy schedules and have limited resources to implement effective cybersecurity. Yet, failing to invest in high-quality cybersecurity measures can limit patient care and potentially lead to loss of life.
Addressing the complex cybersecurity needs of hospitals while maintaining efficient processes for accessing patient data is challenging. BitLyft can help. BitLyft provides unparalleled protection for organizations of all sizes by delivering the best of people and software to remediate cyber threats in minutes. Request a demo to learn more about how you can prepare your healthcare organization to battle ransomware attacks that continue to increase in number and sophistication.