Healthcare organizations face rising ransomware attacks – and are paying up
Via their insurance companies, natch
Healthcare organizations, already an attractive target for ransomware given the highly sensitive data they hold, saw such attacks almost double between 2020 and 2021, according to a survey released this week by Sophos.
The outfit's team also found that while polled healthcare orgs are quite likely to pay ransoms, they rarely get all of their data returned if they do so. In addition, 78 percent of organizations are signing up for cyber insurance in hopes of reducing their financial risks, and 97 percent of the time the insurance company paid some or all of the ransomware-related costs.
However, while insurance companies pay out in almost every case and are fueling an improvement in cyber defenses, healthcare organizations – as with other industries – are finding it increasingly difficult to get insured in the first place.
"The ransomware challenge facing organizations continues to grow," the Sophos researchers wrote in the report.
"The proportion of healthcare organizations directly impacted by ransomware has almost doubled in 12 months. In the face of this near-normalization, healthcare organizations have gotten better at dealing with the aftermath of an attack: virtually everyone now gets some encrypted data back and nearly three quarters are able to use backups to restore data."
In addition, the increasingly tight cyber-insurance space "has driven almost all healthcare organizations to make changes to their cyber defenses to improve their cyber insurance position," they wrote.
Sophos interviewed 5,600 IT professionals from around the world, 381 of whom were in healthcare. The picture painted is of a healthcare industry under growing attack by increasingly sophisticated ransomware, with organizations more likely than those in other sectors to pay the ransom (although the average sum paid was the lowest of any sector surveyed) while also improving their defenses.
"Healthcare enterprises have traditionally been behind other sectors that are heavily dependent on IT technologies," Garret Grajek, CEO of security vendor YouAttest, told The Register in an email.
Meanwhile, the insurance and finance industries are also being targeted. Grajek continued: "The attackers target them because they have less-developed security controls and are dependent on IT services for their business model."
The good news is that healthcare organizations are aware that they are under attack. The majority of them have cyber insurance and are improving their security practices, Grajek said, adding that "the chickens are on alert that the fox is circling the hen house."
And the problem's only getting worse
Sophos's report comes the same week that FBI Director Christopher Wray, in a speech at Boston College, said the US agency was able to thwart an attempted ransomware attack on Boston Children's Hospital a year ago before it could do any damage. Wray said Iranian government-backed threat actors tried to break into the hospital's network, and used the incident – which he called "one of the most despicable cyberattacks I've ever seen" – to highlight the continuing cyber threats posed by the governments of Iran, China, Russia and North Korea.
It's also the same week that cybersecurity firm Zscaler released its 2022 ThreatLabz Ransomware report, which found that the healthcare industry saw a 650 percent year-over-year increase in ransomware attacks – the largest growth of any industry.
John Gunn, CEO of authentication security vendor Token, told The Register in an email he isn't surprised to see healthcare as a top target of ransomware attacks.
"This segment is the most regulated, has the greatest revenue and profits, and the most to lose if they don't pay the ransomware demand, all things that make them the most attractive target for hackers," Gunn argued. "What is surprising is that more companies are not upgrading their access control with better authentication. The front door is still where the majority of hackers enter and it is the easiest to protect."
Sophos believes 66 percent of healthcare organizations were hit by ransomware in 2021 – up from 34 percent the year before, representing a 94 percent increase. The researchers wrote that the rise demonstrates "that adversaries have become considerably more capable at executing the most significant attacks at scale. This likely also reflects the growing success of the ransomware-as-a-service model, which significantly extends the reach of ransomware by reducing the skill level required to create and deploy an attack."
The proportion of attacks in which the criminals succeeded in encrypting data fell from 65 percent in 2020 to 61 percent last year, perhaps indicating healthcare organizations are getting better at stopping encryption during an attack (the global average remains at 65 percent). The percentage of healthcare organizations hit by extortion-only attacks – in which the threat of publicly exposing stolen data, rather than encryption, is the lever behind the ransom demand – fell from seven percent to four percent.
Healthcare organizations also are getting better at recovering from an attack, with 99 percent last year getting some encrypted data restored, up from 93 percent in 2020. The industry proved particularly apt to use multiple approaches to restoring its data, including restoring from backups (72 percent) and paying the ransom (61 percent, up from 34 percent in 2020), while 33 percent said they used other means.
Paying the ransom – always dicey and frowned upon by lawmakers and cybersecurity vendors – is no guarantee that all the data will be decrypted. The average ransom was a relatively low $197,000, but those who paid were only able to recover 65 percent of their data last year and only two percent got all of their data back.
The increase in ransomware attacks is part of a broader threat environment that is hitting healthcare harder than any other sector, the researchers wrote. According to Sophos, 69 percent of healthcare respondents reported an increase in the volume of cyber attacks and 67 percent an increase in their complexity, the highest figures of any sector surveyed.
Rajiv Pimplaskar, CEO of virtual network company Dispersive Holdings, told The Register in an email that the healthcare sector has been the industry most impacted by data security breaches.
"As ransomware incidents are tightly correlated, this is a special cause for alarm for healthcare leaders and CISOs," Pimplaskar said. "Exacerbating the problem is the proliferation of medical IoT devices that are proving invaluable for patient care and yet can pose unforeseen vulnerabilities and attack vectors." ®