- More than a third of healthcare organizations were hit by a ransomware attack in 2020 and of those, 65% said the cybercriminals were successful in encrypting their data, a report from cybersecurity company Sophos found.
- The report also found that roughly a third of organizations that had data stolen paid the ransom to recover their information, but on average only 69% of the encrypted data was restored after the ransom was paid.
- The average bill to recover after a ransomware attack was almost $1.3 million, which is among the lowest sum of all industries surveyed in the report.
Ransomware is a type of malware that encrypts a victim's files, rendering them inaccessible to their owner, unless a ransom is paid to decrypt them.
Sophos commissioned independent research company Vanson Bourne to survey 5,400 IT decisionmakers across a range of industries worldwide, including more than 300 small and mid-size organizations from healthcare, early this year.
The report found ransomware was relatively prevalent in the healthcare sector, with 34% of organizations hit by such an attack in the past year. Of those not hit, 41% said they expected an attack in the future, while just 24% said they felt safe from future attacks.
Healthcare actually fared relatively well compared to other sectors. The global average for organizations attacked was 37%, with the retail and education industries experiencing the highest number of ransomware attacks at 44%.
"With healthcare often making headlines for ransomware attacks, it's perhaps a welcome surprise that this sector experiences below average numbers of attacks," the report said. "Their over-representation in the news reports is likely due to healthcare organizations' obligations to make public an attack, where many commercial organizations are able to keep the bad news private."
But despite the lower prevalence of attacks, healthcare is less able to stop ransomware than other sectors, Sophos found. Attackers' success rate in encrypting healthcare data was 65%, compared to the global average of 54%, likely due to the financial and resource challenges in health IT. The teams are commonly understaffed, and have been especially stressed during the coronavirus pandemic.
Additionally, healthcare organizations are among the most likely to pay a ransom to recover their data, likely worried about continuity of care for their patients and a lack of back-ups. Some 34% of respondents whose data was encrypted said they paid to get it back, compared to a cross-sector average of 32%.
However, paying a ransom is no certainty that data will be recovered — one reason why giving into demands for ransom is highly discouraged by the federal government and cybersecurity experts. Organizations that shelled out the ransom on average received just 65% of their data, while another third was left unaccessible.
The average healthcare ransom payment was roughly $131,000, lower than the global average. Healthcare also had the lowest overall cost to recover from a ransomware attack than any other industry, at $1.27 million for issues like downtime, hours lost, device and network cost, ransom and so on. By comparison, the cross-sector average is $1.85 million.
Though healthcare seems to be doing relatively well compared to other industries when it comes to ransomware attacks specifically, the industry faces a number of unique challenges stemming from its outdated infrastructure, including underfunded IT departments and legacy medical devices with little-to-no cybersecurity features. Fewer than half of healthcare organizations met national cybersecurity standards in 2019, even as cyberattacks grow in complexity.
The percentage of organizations across all sectors hit by ransomware in 2020 dropped from 2019, Sophos found. That's a good sign, but may indicate attacker behavior is evolving to smaller-scale, more targeted attacks, which have higher potential for damage.
As a result, the report called on healthcare companies to invest more heavily in cybersecurity moving forward.