The attacks are costing health systems millions of dollars and threatening patients. Hospital leaders must develop robust defenses and prepare detailed recovery plans, experts say.
San Diego - Ransomware attacks on hospitals are becoming more commonplace, partly for one elementary reason.
They’re proving to be successful. While ransomware attacks have plagued other industries for many years, hackers and bad actors have only been hitting healthcare systems in the last few years.
“The adversaries have been able to monetize the threats,” said Troy Ament, Fortinet’s health care field chief information security officer.
“In healthcare, they’ve been able to understand the operations of the environment, and shut the operations down,” Ament added.
Plus, health systems have paid ransoms, which only encourages bad actors, he said.
Ament and other cybersecurity experts painted a grim picture of the growing threat of ransomware to healthcare systems during a discussion at the American Hospital Association Leadership Summit.
Cyberattacks can pose enormous costs to hospitals and threaten the safety of patients. Health systems need to develop strong defenses and craft detailed recovery plans, the analysts said. The average cost of a healthcare breach topped $9 million in 2021, the most costly of any industry, according to an IBM report.
Hundreds of cyberattacks targeted health systems and patient health information in 2021, and experts have projected this year’s total could well be higher. Millions of Americans have already had their health information exposed this year.
Increasingly, health systems should view a cyberattack not just as a worst-case scenario, but as one they will inevitably confront.
“It’s more of a question of when that could happen,” said Justin Collier, chief healthcare advisor of World Wide Technology.
Pandemic brings more attacks
Ransomware attacks have escalated during the COVID-19 pandemic, as hospital systems have been dealing with waves of patients, staffing shortages and financial challenges. The pandemic itself played a role in the uptick of attacks.
Health systems had to reinvent the way they work during the pandemic, with many key players working remotely. Health systems launched or expanded services such as telemedicine, hospital-at-home services, and remote patient monitoring.
Many of those initiatives didn’t include appropriate safeguards, said John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk.
“We as an industry, as a sector, were forced to rapidly deploy network connected technologies,” Riggi said.
“It expanded our attack surface,” Riggi said. “What did bad guys do? They increased attacks.”
Collier concurred that the rapid expansion, in addition to the greater number of targets, encouraged more hackers to launch attacks.
“Haste also meant some of the safeguards weren’t put in place,” Collier said. “It’s increased some of the areas that can be breached because some of those safeguards weren’t put in place.”
A big market
Patient records command much higher prices than other types of information on the dark web, Collier said.
A single patient’s medical record will go for as much as $1,000, significantly more than a Social Security number or a credit card number.
“When you deal with the most intimate details of a person … you can’t change those things,” Collier said. “Those are data that will always be valuable.”
As Collier said, “If someone gets a hold of your genome, that’s not something that can change.”
Electronic health records also contain details of a patient’s history, including chronic conditions.
“The enduring value of healthcare records is very significant,” Riggi said.
“You can’t change your medical diagnosis … that’s why they have enduring value for bad guys.”
In addition to patient information, health systems also work with scores of businesses, medical research programs, and academic institutions, to name a few. Plus, they contract many services to outside vendors who have access to their systems, and ransomware gangs are going after those third-party partners.
The healthcare industry combines more highly valuable sets of data than any other industry, Riggi said.
“When you combine them in one organization, they become exponentially valuable,” he said.
Cybergangs have increasingly been cooperating and exchanging information in recent years, the analysts said.
It’s the emergence of “ransomware as a service,” Riggi said. Cybercriminals sell tool kits to bad actors, along with instructions on how to hack into systems.
State-sponsored cyberattacks are also a growing threat. Federal authorities warned healthcare organizations this month that cyber attackers backed by the North Korean government have been targeting the health sector. Authorities have also warned of the possibility of attacks from Russia following the invasion of Ukraine.
Hospitals have been targets of double extortion in ransomware attacks, Ament said.
With double extortion, bad actors steal health records and demand payment. The organization pays, and the attackers return some, but not all, of the data. Then they ask for another payment and warn they will release the private health information if they aren’t paid.
“That’s something we’ve relatively recently seen an uptick in,” Ament said.
Riggi also addressed a chilling new extension of that threat, dubbed “triple extortion.” Criminals who have stolen private health information are coaxing the patients themselves to call the health system directly, pleading with the organization to pay the ransom.
“It creates tremendous pressure on the organization,” Riggi said.
Cyberattacks don’t just threaten health systems from a financial standpoint. Hospitals need to understand the risk for patient safety, particularly because an attack could hamper a health system for weeks, if not longer, Ament and the other experts said.
Hospitals rely on their electronic health records. Without access to those records, patient care becomes much more difficult.
Delays in treatment can imperil patients, particularly those battling cancer.
“Think about chemotherapy, radiation therapy,” Collier said. “The time sensitivity for that is significant.”
Here in San Diego, a 2021 cyberattack on Scripps Health disrupted patient care and forced the system to use paper records for weeks. The health system said the attack cost nearly $113 million.
Beyond electronic health records, cyberattacks can disable email and phone systems, along with medical equipment. As Collier notes, if hospitals can’t use equipment to run tests, diagnosis and treatment will be delayed.
Hospitals must “make sure you have an adequate recovery strategy,” Collier said. The plan needs to include how to maintain business continuity and clinical continuity.
The breach of a health system is “a slow moving, mass casualty attack,” Riggi said.
“Any type of clinical services … could be disabled in a ransomware attack,” he said.