Ransomware Attacks Against Healthcare Providers Are on the Rise

By Kevin Casey, JD, CIPP/US, Assistant Vice President Claims, TDC Specialty Underwriters

On October 28, 2020, the FBI, Department of Homeland Security, and Cybersecurity & Infrastructure Security Agency issued a rare warning: There was an imminent ransomware threat to hospitals and healthcare providers throughout the United States. Analysts warned that there was credible information to suggest that cybercriminals were planning a Ryuk ransomware attack targeting over 400 healthcare entities. While the large-scale attack did not come to fruition, at least six hospitals reported ransomware attacks between October 24 and October 29. The scale and sophistication of these incidents was almost unheard-of—until recently. 

A ransomware attack compromises a business’s computer network. The attacker then encrypts data on the network, and the encrypted data is unusable and unrecoverable until the victim pays a ransom to get the decryption key.

The ransomware landscape has changed drastically over the past two years, and healthcare providers should be concerned. The sophisticated attacks have driven the average ransom payment from less than $5,000 in 2018 to over $233,000 in 2020. The drastic rise in ransom payments is coupled with an equally drastic rise in attacks. While outcomes vary, an unprepared victim could face weeks of business interruption, a ransom payment, corrupted or unrecoverable data, regulatory investigations (including fines and penalties), loss of reputation, and civil litigation. When healthcare providers are the victim of an attack, they not only have to respond to the incident itself but must do so while complying with the applicable state and federal data privacy laws.

Prior to 2018, a ransomware attack was problematic, but rarely was it catastrophic. Victims were often able to restore from backups, or the attack failed to encrypt the entire computer network. Impacted organizations were able to continue operating while they addressed the attack. But no longer. Ransomware has evolved, and the encryption itself is often the last piece of a sophisticated and pervasive attack on a computer network. To leverage settlement payments and make the attack more effective, the attackers will often target backups and either delete them prior to launching the ransomware or encrypt them so that they are unusable.

The proliferation of simple-to-use “ransomware-as-a-service” kits is partially to blame for the rise in attacks. Less technically skilled attackers are provided with free and easy-to-use tools and agree to share a portion of the ransom payment with the ransomware developer. As a result, anyone who wishes to engage in these types of attacks can utilize tools that were previously reserved for a select group of attackers.

These trends are of particular concern to the healthcare industry, as it is one of the most targeted sectors by cybercriminals. Small to midsized healthcare entities are inviting targets, because they often lack the cybersecurity sophistication to respond to attacks and are known to store, transmit, and process monetizable data. In 2020 through October, healthcare entities reported 439 data breaches large enough to affect 500-plus people to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Over 70 percent of these reported data breaches involve hacking.

More attacks and increased ransom payments are not the only troubling developments. Beginning in 2020, cybercriminals began exfiltrating protected health information (PHI) and personally identifiable information and threatening to publicly release it if a ransom was not paid—a technique known as doxing. As a result, even entities that had viable backups have been forced to consider paying ransoms to stop the public disclosure of sensitive information. This new tactic of data exfiltration is found in 50 percent of recent ransomware attacks.

Doxing is also a particular concern for the healthcare industry. According to HHS, the encryption of PHI by ransomware per se constitutes an unauthorized disclosure of PHI, triggering the Breach Notification Rule. Covered entities can perform a forensic investigation to disprove that there was the unauthorized access or acquisition of PHI and, therefore, avoid a data breach notification. However, even if a ransom is paid, the exfiltration of data is itself a data breach that requires notification to affected individuals and regulators.

The ransomware threat is not entirely unavoidable. Unsecured remote desktop protocol (RDP) is the most common attack vector and is responsible for over 50 percent of all ransomware attacks. Securing RDP is an easy and effective way to significantly reduce the risk of ransomware.

Other prevention strategies include:

  • Provide security awareness for all employees. Train staff members to avoid downloading potentially harmful files, clicking on suspicious links, or running unknown USB drives on computer systems.
  • Block the malware at the firewall by using intelligent firewalls to stop the malware from downloading.
  • Install intrusion detection software to monitor illegal activities on computer networks.
  • Stop the malware from executing on desktop computers by installing application whitelisting, anti-virus, or anti-malware software.
  • Perform regular system backups.
    • Ensure that critical systems and business data are backed up—as often as hourly for critical systems.
    • Test that the backup/restore process works.
  • Avoid relying solely on encryption. Encryption does not protect a business from a ransomware attack. If a cybercriminal has your login, encryption doesn’t do anything to stop the hacker. 
  • Perform penetration testing on a regular basis to determine any existing vulnerabilities that should be patched.

Ransomware is an ever-increasing and sophisticated threat that all entities face, but few industries are targeted more often than healthcare. Healthcare entities need to be aware of the threats they face and take proactive steps to prepare for these attacks.

TDC Specialty Underwriters is part of the TDC Group of companies, which includes The Doctors Company, Healthcare Risk Advisors, and Medical Advantage.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.