In January 2023, the Justice Department announced that, in cooperation with the German government, it had finally seized the servers and websites that a notorious ransomware gang known as Hive used to attack victims around the world, including multiple hospital systems. Hive has successfully extorted more than $100 million dollars in ransom payments from over 1,500 victims, including a hospital that was unable to accept new patients and had to resort to analog methods. The Justice Department’s successful dismantling of Hive marked a major stride toward reducing cybercrime in US hospitals, but the battle is far from over.
Ransomware attacks impacted 290 hospitals in the US in 2022, showing that persistent ransomware gangs are unwilling to abandon their dangerous and unethical efforts. The healthcare system has long been a target of ransomware attacks because of the high volume of sensitive data that hospitals, clinics, and private practices store digitally. To protect their patients, prevent operational disruptions, and save lives, it’s vital for healthcare leaders to understand the full extent of the problem and how to best prevent an attack.
Why Do Ransomware Gangs Target Hospitals?
In the early days of COVID-19, hackers seemed to pause their attacks on hospitals while the world dealt with a health crisis and an overburdened healthcare system. Unfortunately, it didn’t last. Even as the healthcare industry attempted to cope with the pandemic, cyberattacks on hospitals rapidly increased in both number and complexity.
Cybercriminals using ransomware are playing a numbers game. The more computer systems they can infect, the more likely it is that someone will pay the ransom. For hospitals, data loss is high stakes because it can put lives at risk. Thus, hackers know that medical providers are often more willing to pay large ransoms to restore their critical data. They also know that healthcare organizations tend to have more IT vulnerabilities.
Hospital executives are well aware that they’re under siege. In a 2020 interview with WWNY-TV, Richard Duvall, CEO of NY state’s Claxton-Hepburn Medical Center, said, “One thing that I think healthcare has realized, it’s not about ‘if,’ it’s about ‘when.’” Duvall’s statement certainly seems to have been borne out by the ransomware activity in subsequent years. Sophos’ “The State of Ransomware in Healthcare 2022” report revealed that of the 381 healthcare respondents surveyed in early 2022, 66% had experienced a ransomware attack within the past 12 months.
How Does Ransomware Get into Hospital Computer Systems?
Hospitals and other organizations most often fall victim to ransomware and other cyberattacks because of human error, such as when someone clicks on a malicious link or attachment in a phishing email or spam message. According to Verizon’s “2022 Data Breach Investigations Report,” 82% of data breaches involve the human element, including errors, misuse, and social attacks. Let’s break down how these and other vulnerabilities are exploited by cybercriminals.
Phishing and Social Engineering
Phishing and social engineering schemes often expose user credentials, giving cybercriminals access to computer networks. Once inside the hospital’s system, hackers load malware that can surreptitiously operate and send copies of the data. They then encrypt data so that healthcare providers can no longer use it without a special key that only the hackers can provide. Cybercriminals hold the data hostage unless you pay the ransom to get the decryption key—though paying the ransom doesn’t guarantee you’ll actually get what you need. The favored method of payment is Bitcoin, which is notoriously difficult to track.
Weak Passwords
Email isn’t the only way hospital systems are vulnerable, however. Despite the existence of the Health Insurance Portability and Accountability Act (HIPAA) and detailed HIPAA and internal compliance regulations for safeguarding information, the healthcare industry is well-known for having weak passwords and lacking security protocols. Hacking tools that can conduct brute-force password attacks and gain unauthorized access to vulnerable systems are freely available on the dark web.
Unapplied Patches
When new patches are released, healthcare organizations often fail to promptly install them on operating systems and software. Recent research found that approximately 30% of healthcare organizations are at heightened risk for ransomware because of the extended periods of time between patches. This is especially troubling because these kinds of breaches are preventable.
So-called zero-day exploits take advantage of lax security to attack flaws in software. In many cases, cybercriminals can use these flaws to gain access even months after a fix has been released because organizations failed to apply it. Zero-day exploits are widely available on the dark web and even sold out in the open by foreign actors. Not only can you lose or expose sensitive patient and employee data in such an attack, but you could also be held liable for failing to follow proper security protocols that might have prevented the breach.
Connected Devices
Today’s advanced medical devices are increasingly connected. This makes the collection, transfer, and monitoring of data easier, but it also creates additional attack vectors for cybercriminals. While the network provides some protection, many individual healthcare devices are vulnerable to infiltration.
Outdated Systems
Even with the movement to create electronic records, many healthcare groups have been slow to upgrade their backup systems to minimize data loss. In a cyberattack, they are left unable to recover data that’s been encrypted by ransomware.
How Does Ransomware Affect Hospitals?
While encrypting data can kill a business’s productivity and rack up financial losses, it’s even more serious for hospitals and healthcare providers. The expense of lost revenue and downtime is a major obstacle, but it pales in comparison to the potential harm and loss of life that can occur when hospitals experience operational disruptions.
Impediments to Patient Care
If healthcare providers can’t access the electronic health records they need, it might compromise patient care. Ransomware can lock up patient histories, treatment plans, and identifiable information needed to treat and bill patients. In many cases, hospitals are forced to revert to paper record-keeping and turn away patients (even for emergencies) until the attack is resolved. This may lead to poorer patient outcomes, complications, and even fatalities. According to a 2021 study from the Ponemon Institute and Proofpoint, a quarter of surveyed healthcare facilities experienced increased mortality rates after a ransomware attack. Such was the case for Teiranni Kidd, whose newborn baby allegedly died during delivery at Springhill Medical Center because a ransomware attack had made the facility’s fetal monitors unusable.
Dangerous Errors
Patient records aren’t the only things affected during a ransomware attack. When an incident occurs, many healthcare providers have to shut down their electronic systems to prevent further damage. This renders essential digital tools temporarily inaccessible, with sometimes disastrous results. Consider the example of Kelley Parsi, who took her son to a hospital in Des Moines, Iowa because he was experiencing pain and dehydration following a tonsil removal surgery. Unbeknownst to Kelley, a recent ransomware attack had affected a digital tool that doctors and nurses in the facility used to calculate medicine doses. As a result, the doctor mistakenly gave her son five times the prescribed dose of medication. Although the boy ultimately recovered, this terrifying event demonstrates the very real dangers that ransomware presents to patients.
Financial Losses
In addition to the problems caused by data loss or the inability to access patient records, ransomware attacks have a significant toll on a healthcare organization’s bottom line. For a healthcare facility like a large hospital, a few hours of downtime can cost millions of dollars. Take a look at these sobering statistics:
- In October 2020, the University of Vermont (UVM) Medical Center experienced a ransomware attack that ultimately cost around $50 million in lost revenue and recovery.
- Large healthcare systems have the potential to lose between $1 million and $2 million per day due to business disruptions.
- According to IBM, the average total cost of a data breach in the healthcare industry is $10.10 million, which is far higher than all other industries.
Although most hospitals have substantial funds to recover from a ransomware attack, many rural facilities are struggling to cope. Several witnesses testifying before the Senate Homeland Security and Governmental Affairs Committee argued that rural hospitals need more support and resources to combat ransomware gangs, who have become increasingly focused on smaller and more vulnerable healthcare organizations.
Lawsuits
Along with lost revenue and recovery costs, many healthcare organizations that emerge from ransomware attacks then face expensive lawsuits by patients whose data was compromised. A study conducted by the University of Minnesota Public Health found that the private health information of almost 42 million patients was exposed during ransomware attacks that occurred in the United States between 2016 and 2021. While not every patient files a lawsuit, those who do often seek substantial damages due to the violation of their privacy. One recent example is a cancer patient whose nude photos were posted online in response to Lehigh Valley Health Network’s (LVHN) refusal to pay the ransom demanded during a February 2023 attack. The patient has filed a suit accusing LVHN of negligence that resulted in significant harm.
Which Hospitals Have Been Targeted Already?
Between the COVID-19 pandemic, widespread nursing shortages, and cyberattacks, the healthcare landscape has looked especially bleak over the past several years. Ransomware exacerbates existing problems and creates new ones, placing healthcare organizations under immense pressure to recover as quickly as possible. For some facilities, recovery occurs within a matter of days. For others, it may take weeks or months. Without a robust business continuity and disaster recovery plan in place, healthcare providers have to scramble to inspect, clean, restore, and test systems before bringing them back online. In many ransomware cases, the data is never recovered, causing irreparable harm and opening organizations up to serious criticism.
The hospitals below recently experienced their own ransomware nightmares and dealt with the overwhelming consequences:
- CommonSpirit Health: The October 2022 ransomware attack on CommonSpirit Health resulted in a month-long outage that cost the system more than $150 million as of February 2023. CommonSpirit has been served with multiple class action lawsuits related to the attack.
- One Brooklyn Health: In November 2022, a network of three hospitals in Brooklyn, New York lost access to clinical applications due to a cyberattack. Healthcare providers had to work off paper charts for several weeks until all systems were restored.
- Tallahassee Memorial Healthcare: The “IT security issue” that Tallahassee Memorial Healthcare experienced in February 2023 required employees to switch to paper documentation, resulted in diverting emergency patients to other hospitals, and caused cancelations of non-emergency surgical and outpatient procedures. Although experts suspect that the attack was ransomware, administrators have yet to confirm the exact nature of the incident.
- Lehigh Valley Health Network (LVHN): Elsewhere in the same month, LVHN experienced a ransomware attack that many believe was the work of BlackCat, a ransomware gang with connections to Russia. The cyber attackers breached a healthcare provider’s software system and accessed patient records, ultimately posting photos of cancer patients to the dark web when LVHN refused to pay the ransom demand.
All of these attacks occurred in the US over the span of only six months, underscoring the need for greater vigilance and prevention steps by every member of healthcare leadership.
Should Hospitals Pay the Ransom?
Some hospitals do pay the ransom in a last-ditch effort to recover data when no other options are viable, but it’s a big gamble. If you send the demanded Bitcoin off to an unnamed individual with no way of tracking the payment, you may or may not ever get a decryption key to get the data back.
One of the strategies implemented by the Justice Department in the attempt to take down the Hive ransomware gang is providing decryption keys to victims so that they can avoid making ransom payments. According to their official statement, the FBI provided more than 300 decryption keys to victims during active ransomware attacks, as well as 1,000 keys to previous victims. Unfortunately, with so many current and emerging ransomware gangs on the horizon, it’s impossible for the government to obtain and distribute keys to all healthcare organizations affected by ransomware.
In the event that you do find yourself facing a ransom demand, the FBI strongly discourages paying. Even if you are lucky enough to receive the decryption key and restore your data, doing so only encourages cybercriminals to continue their efforts. Money raised in ransomware attacks is also used to fuel other criminal enterprises. For instance, according to government agencies in the US and South Korea, the North Korean government is using cryptocurrencies from successful ransomware attacks on hospitals to fund espionage operations.
How Can Hospitals Protect Themselves from Ransomware?
System administrators should be actively monitoring network traffic for any unusual activity. Since many ransomware threats start as email phishing attempts, employee education should commence immediately. The FBI, CISA, and HHS also recommend taking immediate steps to back up and secure any sensitive or proprietary data.
While immediate action is needed now amid this cyber threat, the FBI, CISA, and HHS say that healthcare agencies should also routinely follow these steps to mitigate potential damage:
- Back up data, air gap, and password-protect offline backup copies
- Implement a disaster recovery and business continuity plan that includes the maintenance and retention of multiple copies of sensitive data and servers in secure, offsite locations
- Provide training and education programs to employees and stakeholders
- Lay out specific response measures for employees who notice suspicious activity
While the government’s recommendations are wide-ranging, it’s clear that the most important feature is a robust data backup system. A reliable, reputable backup solution is the single best defense against potential infections because it allows businesses to roll back to clean data, eliminating the infection and removing the question of paying a ransom. Data backups take the power away from bad actors by nullifying their leverage, allowing healthcare facilities to restore their data and resume normal operations more quickly.
Learn More About Protecting Your Healthcare Organization from Ransomware
Cybercrime in US hospitals and other healthcare facilities is a threat not only to long-term financial viability but also to patient privacy and health. Rather than waiting for an attack to occur, healthcare administrators should be proactive and seek out prevention and recovery strategies that will minimize the economic damages and care disruptions that are so often associated with ransomware incidents. Regularly patching operating systems and software, offering comprehensive employee training, developing a thorough disaster recovery and business continuity plan, and employing a high-quality data backup system are all essential steps to protecting your facility.
If you want to learn more about protecting your healthcare organization from a ransomware attack, reach out to the team at Invenio IT. The business continuity and data recovery experts at Invenio IT can offer guidance on the process of disaster planning, conduct data recovery if you’ve already experienced an attack, and walk you through a demo of the best data backup solutions on the market.
