After a lull, ransomware attacks on hospitals are rising again

Earlier this year, cybersecurity experts noted a slight dip in ransomware attacks aimed at health systems, but they also cautioned that the decline may be short-lived.

John Riggi, national advisor for cybersecurity and risk for the American Hospital Association (Photo: AHA)

It appears the lull was indeed only temporary.

In recent weeks, more ransomware groups have launched attacks at health systems, and they have disrupted patient care, says John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.

“I have seen, unfortunately, an increase in ransomware high impact ransomware attacks just in the past six weeks, and with multiple facilities being hit,” Riggi tells Chief Healthcare Executive®.

• Read more: Paying the ransom: A special report

In fact, it’s becoming clear that attacks aimed at hospitals and healthcare organizations are looking to be worse in 2023 than last year.

As of late June, more than 220 cyberattacks have targeted hospitals and health systems, and more than 36 million people have been affected, Riggi says. By comparison, 44 million were affected by hacking incidents in all of 2022.

It’s worth noting that Riggi is focusing solely on cyberattacks aimed by bad actors. The federal government also tracks other unauthorized health data disclosures, such as accidental breaches of information from digital tracking tools on hospital websites.

In the first six months of the year, the data breaches involving two firms - MCNA, a dental insurer, and PharMerica, a pharmacy services firm - affected more than 14 million people. One health system recently was hit with a ransomware attack that disrupted cancer treatment, Riggi says.

Steve Cagle, CEO of Clearwater, a cybersecurity firm, tells Chief Healthcare Executive that some recent attacks have impeded patient care. Hospital executives need to recognize the magnitude of a cyberattack’s disruption of patient services.

“We've seen so many ransomware attacks, even some in the last 60 days, at hospitals that have forced those hospitals to shut down their systems, canceled surgeries, ambulances diverted from emergency rooms, test results that are just not available,” he says.

A ransomware attack disrupted services at Richmond University Medical Center in New York in May.

(Steve Cagle of Clearwater talks about building a culture of cybersecurity in this video. The story continues below.)

• Read more: Here are the 10 biggest health data breaches in the first half of 2023

Emerging threats

A Russia-linked ransomware group, Clop, has claimed responsibility for attacks involving the healthcare industry. Riggi says Clop is “notoriously responsible for large data ransomware attacks recently.”

Some hospitals, including Community Health Systems, have been affected by Clop’s attack on Fortra, a cybersecurity firm that provides secure file transfer software. NationsBenefits Holdings, which provides supplemental benefits, was also affected by the Fortra breach.

Federal officials have also issued warnings about TimisoaraHackerTeam, or THT, a relatively unknown group that has targeted the healthcare industry. The U.S. Department of Health and Human Services issued a June 16 advisory warning, “When its ransomware is deployed, their rarely used and very effective technique of encrypting data in a targeted environment has paralyzed the health and public health (HPH) sector.”

The health department says the group attacked an unnamed U.S. cancer center in June 2023, and the attack “significantly reduced patient treatment capability, rendered digital services unavailable, and also threatened exposure of patient personal health information.”

Many cybercriminals are using Lockbit ransomware in their attacks. Operating as a “Ransomware-as-a-service” model, Lockbit allows other gangs and attackers to use their technology to infiltrate hospitals and other organizations. Federal officials issued an advisory in June urging health systems and other critical sectors to take steps to defend their systems against Lockbit ransomware attacks.

Riggi pointed to the growing sophistication of some ransomware gangs, including Clop, which exploited previously unknown vulnerabilities in file transfer systems.

In the past, hackers and cyberattackers have been leery of attacking hospitals, cybersecurity experts have said. But Riggi says some ransomware groups are showing no hesitation of going after health systems, even if they endanger patients.

“These are threat-to-life crimes,” Riggi says. “These are not data crimes. These are not white-collar crimes. And the adversaries have to understand, when we are diverting ambulances with stroke, heart attack and trauma patients, people's lives are at risk.”

Scripps Health suffered a costly cyberattack in 2021 that disrupted patient services. The attack also affected other hospitals as well, according to a study published by JAMA Network Open.

Stroke patients had to be transferred to other facilities, neighboring hospitals saw higher traffic in their emergency departments, and there was a sharp increase in the number of patients who left the emergency department without being seen.

• Read more: Ransomware attacks are hurting patients

‘Ransomware blast radius’

When hospitals pay a ransom demand in a cyberattack, Riggi says most leaders are doing so to protect the safety of patients. “If a decision is made to pay, it is based on patient safety issues,” Riggi says.

Federal authorities and the American Hospital Association strongly advise hospitals and health systems against paying the ransom.

Authorities say paying ransom demands only encourages criminals to engage in other attacks, and Riggi notes that the payments could be directed to support weapons programs in North Korea or Iran. Cybersecurity experts also say criminals aren’t known for keeping their word and may simply demand more money to return stolen data or restore systems.

More health systems are refusing to pay ransom demands, Riggi says.

“The starting point, the anchor point as they develop policies and procedures and preparedness is: We will not pay. I hear that more and more,” he says.

However, hospitals and health systems need to do everything possible to fortify their defenses to deter attacks. Hospitals also need to develop strong response plans if, and more likely when, they are attacked.

Hospital leaders need to establish cybersecurity as a high priority and a risk issue threatening patient safety, Riggi says. He suggests assigning a governance structure around the risk issue to finance mitigation and recovery efforts.

Riggi says the key is “imbuing this culture of cybersecurity within a healthcare organization, helping the staff first understand that cyber hygiene is as important as medical hygiene to protect the patients.”

Hospitals also need to work with other health systems in their area to develop regional response plans to a cyberattack. If one hospital is disrupted, other neighboring facilities are going to feel the strain and need to be prepared.

“It’s what I call ransomware blast radius,” Riggi says. “The original victim is hit, but there is a collateral effect throughout the entire healthcare region.”

Cyberattacks also carry heavy financial costs. The average healthcare data breach now carries a cost of more than $10 million, according to IBM Security. And those are costs hospitals don’t need when they are facing serious financial difficulties.

However, more hospitals are focusing on the impact of cyberattacks on patient care, and Cagle says that’s appropriate.

“I think at the center of everything, we really should be thinking about the patient first,” Cagle says.