HIMSS 2022: Ransomware attacks threaten healthcare systems

Many breaches aren’t discovered until months after the fact, and ‘double extortion’ is a growing threat, experts said at the HIMSS Conference.

Orlando, Florida - Srinivas Loke said he wasn’t trying to scare anyone.

Still, Loke offered some sobering assessments on the risks of ransomware at the HIMSS 2022 Global Health Conference & Exhibition Thursday morning.

Ransomware attacks are rising, said Loke, the senior director, product management at Ordr, a cybersecurity company based in California. Data breaches in healthcare affect 26.4 million records in the United States alone.

Roughly 4 in 10 healthcare organizations (39%) become aware of breaches months after the fact, and the average discovery takes about six months, he said.

Aside from the considerable financial costs, Loke talked about the risks to patients when breaches prompt hospitals to divert patients or delay procedures.

“It’s going to cause deaths,” Loke said.

Earlier this week at the HIMSS conference, Christian Dameff, an emergency physician and cybersecurity expert, said the risks to patient safety from cyber attacks merit much more attention.

Ransomware has bedeviled the healthcare industry – and many other industries – in recent years. But ransomware attacks have evolved, Loke said.

“A couple of years ago, ransomware was either you pay the ransom or don’t pay the ransom," he said.

Now, some attacks involve the practice of “double extortion,” where attackers breach a healthcare system, steal data and then threaten to release it unless they are paid.

“The double extortion technique has become very common when it comes to ransomware,” Loke said.

Hundreds of breaches involving hospitals and healthcare systems were reported to the federal government in 2021. The average healthcare breach cost $9.4 million in 2021, an increase of $2 million over the previous year, according to a report by IBM. Analysts have projected this year could be worse.

Criminal organizations are selling ransomware as a service to those hoping to extort businesses. “It’s very easy to sell this as a service,” he said.

Federal authorities this year warned about the Lockbit cybergang, which offers ransomware as a service. Authorities have said the group typically doesn’t target hospitals but nonetheless warned that ransomware is a major threat to the healthcare industry.

Crane Hassold, director of threat intelligence of Abnormal Security, told Chief Healthcare Executive in February the ransomware-as-a-service model has become more common in cybercrime during the last several years. “It’s very much like a business,” Hassold said. “Actors run operations and maximize profits while doing the least amount of work possible.”

It’s virtually impossible to eliminate all the risks from cybersecurity, Kevin Tambascio, manager of cybersecurity for the Cleveland Clinic, said at the HIMSS session.

“We’re trying to battle ransomware and trying to keep the level of risk at a manageable level,” he said.

Many breaches involve very basic vulnerabilities that can be addressed by healthcare companies engaging in more diligent training and greater education of the threats to the entire organization.

“It comes down to people, process and technology,” Tambascio said.

Train employees “so they know the danger of clicking something,” he said.

“We know people are still the weakest link when it comes to security,” he said.

Tambascio also talked about the importance of developing robust emergency response plans, which involves coordination within the entire health system.

Still, Tambascio stressed healthcare organizations must bolster their defenses to minimize the chances of a ransomware attack, or at least mitigate the potential damage.

In the wake of Russia’s invasion of Ukraine, federal authorities have warned healthcare organizations must be on high alert for cyber attacks.

The American Hospital Association has said it’s worried that Russian-backed cyber attackers may target hospitals and health systems. Hospitals could suffer collateral damage if Russia launches cyberattacks aimed at Ukraine and the malware breaches U.S. healthcare systems, even unintentionally.