The past year and a half has been challenging for businesses across industries and countries, but none bore the brunt of it more than healthcare. Doctors and nurses have been working around the clock, day after day, on the front lines of a battle against a new pandemic.
But while hospitals have been in a race to save thousands of patients, cyber attackers and particularly ransomware gangs saw opportunity. This year, as the Delta variant led to a resurgence of cases, ransomware attackers haven't let up, attacking hospitals and health systems worldwide, most recently striking a health system in Ohio.
These aren't just cherry-picked headlines. A recent independent survey that looked into the impacts of ransomware across specific industries worldwide found that more than one-third (34%) of healthcare organizations have been attacked by ransomware in the past year, with another 41% expecting to be victims themselves sometime in the future.
Furthermore, while 44% of these ransomware victims were able to restore their data through backups, 34% found themselves needing to pay the ransom – a path that ultimately led them to recovering, on average, only 69% of their encrypted data.
Imagine that, amid a pandemic, with scores of COVID-19 patients in ICU beds in dire need of care, on top of all the other "typical" demands hospitals face every day, a sudden cyber attack brings everything to a grinding halt and potentially results in the permanent loss of nearly one-third of patient data, even after the criminals' demands have been paid. That would be catastrophic – to the hospital, to the doctors and nurses, and especially to the patients.
Ransomware attacks don't occur in a vacuum either; you don't just pay the ransom and move on. In fact, accounting for all related expenses like downtime, people time, device costs, network costs and other lost opportunities, a single ransomware attack can cost a healthcare organization $1.27 million on average. This is a major blow on a normal day, and an even more crippling setback during a pandemic.
While COVID-19 was a uniquely destabilizing force in the healthcare industry – prompting hospitals and providers to quickly establish emergency facilities without being given the time or preparation needed to set up secure IT infrastructures around them – the healthcare sector has unfortunately proven to be a ripe target for ransomware attacks.
Unfortunately, ransomware in healthcare is here to stay. Here are five measures the industry can take to reduce the chances of being attacked and, in the event an organization is hit, lessen the blow.
- Back up your data. While 34% of healthcare ransomware victims had to pay ransoms to have their data returned, 44% of healthcare organizations were able to restore their data themselves using backups. The surest way to not be at the mercy of a cyber attacker's ransom, and defeating the threat of ransomware outright, is to ensure you've backed up your data ahead of time – off-network and ideally even in a different physical location. Consider the "3-2-1" rule as a guide to follow: three copies of your data, using two different backup systems, with at least one copy stored offline and off-site.
- Identify your network's vulnerabilities and deploy layered protection. It only takes a couple of hours for a ransomware group to move from a phishing email to probing your entire network. Give them a day and they will likely have deployed their malware already. The best way to get ahead of this is to take a full inventory of your network's vulnerabilities and address them accordingly. Remote Desktop Protocol-enabled servers, unpatched web servers and user logins that aren't protected by multi-factor authentication are all good starting points for this effort. This task should be paired with deploying layered protection across your network's weak points, to deny entry to attackers as much as possible.
- Employee awareness. Especially now, but even in the best of times, doctors, nurses and administrators are crunched for time, and basic IT security measures may not be their priority in the moment. That's understandable, but it is also something cyber attackers and ransomware gangs depend on. Hospitals don't need to turn their entire staffs into IT experts, but it's more critical than ever that everyone in the organization follows some basic IT hygiene: stronger passwords (backed by two-factor or multi-factor authentication), knowing how to spot phishing emails, and knowing who to notify when one arrives.
- Complement anti-ransomware software with human-led threat hunters. Automated endpoint detection and response software is a great tool for shoring up defenses, but can only do so much alone. That technology must be paired with human-led, expert threat hunting teams who can recognize the telltale signs of an attack that may go unnoticed by an automated solution.
- Accept that you will be attacked. Then prepare accordingly with a malware recovery plan. Doing so saves much of the unnecessary time, money and pain a ransomware attack can inflict. Luckily, 89% of healthcare organizations already have such a plan in place. Now it's time for the remaining 11% to get on the same page.
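As an added illustration of the first two measures above (not code from the article or from Sophos), the script below triages a small, constructed asset inventory the way a security team might when starting the vulnerability inventory the article recommends: it flags internet-exposed hosts answering RDP, web servers with outstanding critical patches, and accounts without multi-factor authentication (privileged accounts first), and scores the organization's backup copies against the 3-2-1 rule exactly as the article states it. All host names, user names, backup labels and counts are hypothetical sample data.

```python
"""Triage a constructed asset inventory against the article's ransomware starting points."""
from dataclasses import dataclass

RDP_PORT = 3389  # Remote Desktop Protocol listens here by default


@dataclass(frozen=True)
class Host:
    name: str
    role: str                      # e.g. "web", "app", "file", "jump"
    open_ports: frozenset
    internet_exposed: bool         # reachable from outside the hospital network
    pending_critical_patches: int  # count of unapplied critical vendor patches


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool
    mfa_enabled: bool


@dataclass(frozen=True)
class DataCopy:
    label: str
    system: str                    # storage system or backup product holding this copy
    offline: bool                  # not reachable from the production network
    offsite: bool                  # kept in a different physical location


# Constructed sample inventory: hypothetical names, not real hosts, users or systems.
HOSTS = [
    Host("ehr-app-01", "app", frozenset({443}), True, 0),
    Host("jump-01", "jump", frozenset({RDP_PORT}), True, 1),
    Host("portal-web-01", "web", frozenset({80, 443}), True, 3),
    Host("file-02", "file", frozenset({445, RDP_PORT}), False, 0),
]
ACCOUNTS = [
    Account("dr.example", privileged=False, mfa_enabled=True),
    Account("it.admin", privileged=True, mfa_enabled=False),
    Account("nurse.example", privileged=False, mfa_enabled=False),
]
# The live production data counts as one of the three copies in the 3-2-1 rule.
BACKUPS = [
    DataCopy("production", "primary-san", offline=False, offsite=False),
    DataCopy("nightly-snapshot", "primary-san", offline=False, offsite=False),
    DataCopy("weekly-tape", "tape-library", offline=True, offsite=True),
]


def exposed_rdp_hosts(hosts):
    """Hosts that answer RDP and are reachable from the internet."""
    return sorted(h.name for h in hosts
                  if RDP_PORT in h.open_ports and h.internet_exposed)


def unpatched_web_servers(hosts):
    """Web servers with at least one critical patch still outstanding."""
    return sorted(h.name for h in hosts
                  if h.role == "web" and h.pending_critical_patches > 0)


def accounts_without_mfa(accounts):
    """Accounts lacking MFA, privileged ones listed first so they get fixed first."""
    missing = [a for a in accounts if not a.mfa_enabled]
    return [a.user for a in sorted(missing, key=lambda a: (not a.privileged, a.user))]


def check_3_2_1(copies):
    """Score a set of data copies against the 3-2-1 rule as the article states it:
    three copies, on two different systems, at least one copy offline and off-site."""
    result = {
        "copies": len(copies),
        "systems": len({c.system for c in copies}),
        "offline_offsite": any(c.offline and c.offsite for c in copies),
    }
    result["compliant"] = (result["copies"] >= 3
                           and result["systems"] >= 2
                           and result["offline_offsite"])
    return result


def triage(hosts=HOSTS, accounts=ACCOUNTS, copies=BACKUPS):
    """Return one findings report covering all four checks."""
    return {
        "exposed_rdp": exposed_rdp_hosts(hosts),
        "unpatched_web": unpatched_web_servers(hosts),
        "no_mfa": accounts_without_mfa(accounts),
        "backups": check_3_2_1(copies),
    }


if __name__ == "__main__":
    for finding, value in triage().items():
        print(f"{finding}: {value}")
```

In the sample data, `file-02` also listens on RDP but is not flagged because it is not internet-exposed; in practice, a real inventory would be fed from a vulnerability scanner or asset database rather than hand-written lists, and the 3-2-1 check should be re-run whenever backup jobs change, since a tape copy that silently stops being rotated off-site takes the organization out of compliance without any alert.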
About Dan Schiappa
Dan Schiappa is the chief product officer at next-generation cybersecurity leader Sophos. He's a transformational and strategic leader who orchestrates the company's technical strategy, playing an instrumental role in architecting technologies; overseeing product management and research and development; and ensuring product quality. With a passion for education and inspiring the next generation of cyber talent, Dan also serves as chair of the University of Central Florida's Dean's Advisory Board, where he oversees various aspects of the school's elite cybersecurity program.