The sector was the most likely to deploy anti-ransomware software. But it was still the most likely to get hit.
How rampant is the ransomware issue in healthcare? Very, according to a new survey.
The report, commissioned by cybersecurity firm Sophos, quantifies it. The respondents were IT managers from 2,700 mid-size (100 to 5,000 person) companies representing 12 different sectors and 10 countries. No sector reported ransomware attacks in the preceding 12 months more frequently than healthcare—and by a large margin.
76% of healthcare organizations polled reported they were hit, followed by energy utility companies with 65%. Financial services, perhaps the only sector that regularly handles information as private and valuable as healthcare does, had the lowest rate of reported attacks, though 45% of IT managers in the field still reported that their company had been struck by ransomware in the past year.
“Healthcare is often perceived as a soft target, leading to increased frequency of attack,” the report states. “That assumption is not without merit—healthcare tends to have an aging IT infrastructure, leaving security holes, as well as restricted resources for improving IT security.” The authors also write that healthcare organizations are perceived to be more likely to pay ransom, increasing their attractiveness as targets.
Despite having the highest rates of ransomware infections, both of the most-susceptible industries—energy/utility firms and health companies—also reported the highest rates of endpoint anti-ransomware software deployment. More than half of respondents in those fields (53%) answered that they considered such technology important and already had it, edging out the financial services sector by 1%.
The report calls that a “conundrum.” Dearth of resources, particularly for the small-to-medium-size firms surveyed, is often a factor.
“A lack of people, hardware, and software leads to patchy security, so even when one part of the organization has the necessary anti-ransomware protection, it’s not across the board. Malware can still get in,” the report states.
That echoes something Landon Lewis, founder of cybersecurity firm Pondurance, told Healthcare Analytics News™ while discussing the recent ransomware attack against an Indiana hospital system. While many ransomware attacks start with phishing emails, the attack at hand was a variety of the SamSam malware, which is typically delivered after a network is intentionally breached. Healthcare organizations often have many public-facing access points on their network, with limited oversight of them.
“They have a loose remote access policy. And I say loose in that they don’t have a large infrastructure team that can build adequate controls around access and revisit who has access to the network and how often,” he said.
That hospital has worked with Pondurance to shore up its defenses since the attack. It did pay the ransom after all, to the tune of about $50,000. But it may have gotten lucky there.
The new Sophos survey concludes with a breakdown of ransom prices midsize companies worldwide have faced. The median was $133,000: 75% of the prices were above $75,000, and 8% were higher than $1.3 million.
“The survey has also revealed that ransomware costs U.S. businesses more than the GDP of Jamaica,” the report notes in a sidebar.