Morphisec Cybersecurity Blog

The Life-Threatening Rise of Ransomware in Healthcare

Written by Matthew Delman | April 29, 2021 at 6:15 PM

Cybersecurity is generally not the first thing on anyone’s mind when she or he is contemplating a major operation or a prolonged hospital stay. However, with the healthcare sector experiencing a constant rise in cyber attacks, the potential health impact of getting caught in the crossfire of a ransomware attack is now an increasingly frightening prospect for a significant number of healthcare consumers. 

Of the respondents to our 2021 Consumer Healthcare Cybersecurity Threat Index, over a quarter (26 percent) were most concerned with ransomware attacks shutting down their access to care. Our Threat Index also found that 61 percent of consumers are now more worried about their healthcare provider being attacked with ransomware, prevented from accessing critical files and, therefore, unable to provide them with adequate care.

With ransomware attacks making headlines and healthcare institutions serving as increasingly vulnerable targets, the rising trend of security compromises resulting from ransomware attacks is likely to stoke consumer anxiety.

Unfortunately, patient concern about ransomware is justified. Even though it now appears that a ransomware attack did not directly contribute to a German patient's death last year, hospitals are still vulnerable and every successful attack triggers declines in care far beyond the immediate financial impact. The rise in ransomware attacks against healthcare organizations makes a fatality almost a terrifying inevitability. 

The Downside of Digital Healthcare Transformation Is Reduced Cybersecurity

The interconnected, digital nature of modern healthcare is making patients more vulnerable. Healthcare has always been at the forefront of medical innovation, with developments in IoT technology having the potential to transform how and where patient care is delivered.

For hospitals and other care facilities, connected devices and monitors allow healthcare professionals to provide care to greater numbers of individuals, some of whom may be located elsewhere, with the same human resources. Unfortunately, this technological transformation has a downside — increased vulnerability to ransomware. 

With the adoption of new technologies, including IoT and telehealth, catalyzed by the COVID-19 pandemic, hospitals and patient care facilities are rushing to deploy remote and time-saving solutions. In a 2020 IEEE survey of CIOs and CTOs, 42 percent said they had accelerated IoT technologies due to the pandemic. The downside of this rushed digital transformation is that healthcare technology infrastructures are now home to larger numbers of devices, all of which are potentially vulnerable endpoints.

Many of these devices operate on outdated legacy systems, which expands their vulnerability to exploits. For example, in the infamous German healthcare ransomware attack that nearly claimed a patient's life in 2019, the attackers exploited a vulnerability in the Citrix ADC that had been known since the previous January but had remained unpatched.

Patching is another issue in healthcare; hospitals and other providers often can’t shut down portions of their infrastructure to deploy a patch, as any technology interruption can create a potentially life-threatening delay in treatment.

As more devices become network endpoints, threat actors are also getting better at lateral movement. New tools such as the Ryuk human-operated ransomware are specifically designed to propagate through networks undetected, making every endpoint a prime target. Traditional reactive defensive strategies can’t update quickly enough to catch every possible vector of attack that an adversary leverages, especially as these defense evasion capabilities become more prevalent. 

A further problem is that IT teams like the one at Morphisec customer Freeman Health must secure all this new infrastructure with the same security budget. This is largely because healthcare, like schools, focuses its technology budget on improving patient care and the ability of medical professionals to get fast access to health data when it’s needed. These two realities--the rise of new medical technologies and limited security budgets--create a veritable perfect storm of ransomware risk in healthcare.

Patients Are Getting Caught in the Ransomware Crossfire

Healthcare environments are a prime target for financially motivated cybercriminals, and that’s reflected in the more than 600 reported successful ransomware attacks on clinics, hospitals, and research institutes carried out in 2020 alone. The reason for this is that personal health information, or PHI, can’t be changed as readily as personally identifiable information hosted in retail or financial services databases. PHI is thus more valuable, with records fetching up to $1,000 each on the dark web.

As a result, protecting patient data from threat actors is already a significant struggle for providers — experiencing a network breach now costs the average victim over $7 million. However, while the financial costs of data breaches are mounting, they still pale in comparison to the potential losses that a ransom-seeking attacker could inadvertently cause. 

It’s important to note here that adversaries aren’t attacking hospitals out of a desire to harm people. Cybercriminals' primary goal is to seek ransom payments and exfiltrate valuable patient data, which is a goal that makes freezing care inevitable. By shutting healthcare teams out of vital systems, paralyzing ransomware attacks can both make urgent patient care impossible and cause lasting damage. 

For hospitals that fall victim to ransomware attacks, the average downtime for electronic health records is 14 days — a lapse that could mean the difference between life and death for vulnerable patients. The need to remediate infected systems can also make care impossible for extended periods. As seen during the spate of attacks on hospitals across the US last year, ransomware attacks can even make entire departments unavailable and offline, forcing staff to move vulnerable patients elsewhere.

Healthcare Cybersecurity Is Vital for Patient Health

Even though the integration of connected devices and new systems within healthcare environments undoubtedly inflates cybersecurity risks, this threat vector is likely to grow even further. In a post-pandemic world, digital healthcare transformation is expected to continue gaining traction as healthcare providers permanently adapt to digitized operational processes.

With the number and variety of healthcare endpoints likely to expand, relying on a security posture based around the network perimeter and traditional approaches to endpoint security will ultimately not be adequate going forward. Instead, healthcare providers need to build a resilient, proactive defensive strategy that leverages a zero-trust methodology alongside lightweight deterministic security tools to provide comprehensive endpoint security.

This results in a zero-trust, prevention-first strategy that extends the concept of zero trust beyond the network and beyond identity all the way down to endpoints and the applications that run on them. Only by taking a default-deny approach to runtime security can hospitals truly secure their critical patient data and infrastructures against the rising tide of ransomware. 

Final Thoughts

While systems can be remediated and financial losses recovered, patients' lives, and the reputational damage that a fatal ransomware attack would inflict, are irreplaceable. In response, healthcare providers need to put protecting patient health at the core of their cybersecurity strategy. With every endpoint now a potential vector for ransomware, failing to protect critical technology infrastructure ultimately means failing to protect patients.