Ransomware attacks against the healthcare sector have spiked in recent years as cybercriminals launch sophisticated assaults against hospitals — posing a serious threat to operations and patient safety.
Ransomware, a type of malware that denies users access to their data until a ransom is paid, can have dire consequences for health systems, disrupting care delivery, shutting down electronic health records, canceling scheduled appointments or procedures and forcing ambulances to travel to other facilities. Some research has shown ransomware attacks — and other cyberattacks — could increase patient mortality rates.
Those high stakes make the sector a more attractive target for cybercriminals, said Phyllis Lee, vice president of security best practices content development at the Center for Internet Security.
Though the FBI advises against following ransom demands, providers could be motivated to pay up when patient care is disrupted.
“What you have is a victim that’s willing to do whatever they need to do to help their customers, which are patients,” Lee said. “So I think that’s why they’re an easy victim, in some sense.”
The sector has already seen major ransomware attacks this year. An attack on UnitedHealth’s claims processing unit Change Healthcare disrupted normal operations across the industry for weeks, while large nonprofit health system Ascension needed more than a month to fully restore its EHR.
Over the past five years, the HHS tracked a 264% increase in large data breaches reported to the Office for Civil Rights involving ransomware.
A shortage of cybersecurity professionals, an increasingly connected healthcare environment and business models that facilitate more ransomware attacks have made the sector more vulnerable, experts told Healthcare Dive.
But hospitals that implement key cyber protections, know their technology environments and plan ahead for attacks could be in a better position to thwart cybercriminals.
More connected devices, not enough resources
Hospitals operate in an increasingly internet-connected environment, creating more opportunities for attacks, experts say.
Facilities have ramped up adoption of connected technology over the past several years, and not just with typical IT or medical devices, according to John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. Other key operations, like heating and cooling systems or elevators, could also be connected to the internet.
Connected tech creates plenty of business and clinical efficiencies, but hospitals need to update and patch all these devices to prevent hackers from exploiting these vulnerabilities, he added.
Updating devices, however, isn’t always easy for hospitals, which could require taking them offline. While vendors can update consumer products in days or weeks, it might take up to a year to deploy a patch at scale in the healthcare sector, according to the HHS’ Advanced Research Projects Agency for Health.
“You can’t just unplug it and plug it into the new socket,” said T.J. Ramsey, senior director of threat assessment operations at cybersecurity firm Fortified Health Security. “It’s a major coordination. It becomes a major project.”
Coordinating cybersecurity measures takes resources — funds, technology downtime and staff — which may be scarce in hospitals. Many facilities, especially small ones, operate on slim margins, pushing them to choose between cybersecurity and other investments, including purchases that might more directly impact patient care, Ramsey said.
Cybersecurity personnel may also be hard for hospitals to find, said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, or Health-ISAC. Cybersecurity professionals are in short supply across the globe, and health systems are competing with other sectors for talent, including ones that might be able to pay workers more.
“We're not training enough people, we’re not graduating enough people through college courses in cybersecurity,” Weiss said. “And the number of jobs that we need them in is ever increasing.”
Ransomware-as-a-service and state actors
Cybercriminals could benefit from permissive nation states and business models that allow them to launch attacks without significant technical skills.
Ransomware-as-a-service is a business model where developers build ransomware tools and lease them to other cybercriminals.
The model allows more people to conduct attacks at a relatively low cost, even if they don’t have the knowledge to build out their own ransomware kits, Lee said. Some might even include tech support, forums and user reviews, according to cybersecurity firm CrowdStrike.
“You don’t need to be a cybersecurity expert in order to execute a ransomware attack anymore,” she said. “It’s lowered the barrier to entry of being a cybercriminal.”
Some ransomware groups are thriving with the support of nation states, with many groups operating from Russia or its allied nations, Riggi said.
Global politics can be a motivator for attacks, and some might be supported by the Russian government. But even if they aren’t, Russia won’t cooperate with U.S. law enforcement to shut ransomware groups down, he said. Cybercrime groups in North Korea and China also target the healthcare and public health sector, according to the federal government.
“They create a permissive operating environment for them,” Riggi said. “They provide safe harbor for these groups, as long as they attack the West and as long as they don’t attack Russia, then they’re provided safe harbor.”
How hospitals can protect themselves
Cyber protections such as multi-factor authentication and anti-phishing training for employees are critical to protecting hospitals, according to Lee. Multi-factor authentication uses a second method to verify a user’s identity, and anti-phishing protections help to guard against tactics where a cybercriminal poses as a trusted individual to gain access to sensitive information.
Health systems also need to know their technology environments, she added. What technology assets do they have, and who has access to them? What software is running on those devices? Is that software patched and up-to-date?
That can be one of the largest challenges for organizations, particularly when workers take home laptops or tablets or they have a network of temporary employees like travel nurses, she said.
External employees, like those who log in remotely or access their email outside the hospital, should come first when starting a new cybersecurity project, like implementing multi-factor authentication, Ramsey said. Nurses and doctors swiping their badges inside health system’s facilities can be a secondary priority.
But if attackers are able to break through a hospital’s defenses, having comprehensive backups — and a strategy for using them — is key to a speedy recovery. Health systems should plan ahead and consider how fast they can recover data and to which point in time, as well as how much information they’d be willing to lose.
Hospitals should also determine which workstations are critical, as some databases might need more frequent backups if they house key systems like patient records, he said.
“The best way to be prepared for it is to actively talk about it,” Ramsey said. “If you are truly concerned around how you will be impacted by ransomware, then you should be actively talking about it, you should be encouraging your team to do tabletop exercises, you should be willing to have uncomfortable conversations.”