For healthcare end-users, the impact of a cyberattack does not quickly fade. That's according to Morphisec's 2021 Consumer Healthcare Cybersecurity Threat Index. Our survey of over 1,000 US consumers found that within the past year, 20 percent of people were impacted by a cyberattack or data breach due to one of their healthcare providers. Compared to last year, when 21 percent of consumers said the same thing, our research shows that consumer awareness of healthcare cyberattacks is becoming alarmingly consistent.
This is a stark contrast from our 2019 Consumer Healthcare Cybersecurity Threat Index, where only 6 percent of consumers reported experiencing a cyberattack or data breach related to their healthcare provider. The dramatic increase in the proportion of healthcare consumers impacted by cybercrime since then shows that even though the threat to healthcare institutions from ransomware and other cyber threats was already proliferating, the COVID-19 pandemic has catalyzed and entrenched this threat. With digitization continuing at pace and many providers permanently changing how healthcare is delivered, received, and managed, the link between cybersecurity and consumer health is now impossible to ignore.
Looking at the threat landscape facing healthcare institutions shows that the primary cyber threat for healthcare providers and consumers is now ransomware. Last year, 560 healthcare providers experienced ransomware attacks, making health one of the top three most targeted industries for ransomware, alongside construction and manufacturing. From a cybercriminal's point of view, the outsized proportion of ransomware attacks on healthcare has clear reasoning. For financially motivated, amoral cybercriminals, the healthcare industry's inherent vulnerabilities dramatically increase the chances of a successful ransom payout.
With patient lives placed at risk when systems fail and invaluable healthcare records on file, care-focused institutions essentially have zero tolerance for the kind of operational downtime that ransomware attacks can cause. Accordingly, health centers, particularly smaller hospitals, are among the most likely businesses to pay ransoms in any sector. Regrettably, this fact, alongside the wider target size created by digitization, has not gone unnoticed by cybercriminals. With the average ransom paid from a successful attack now over $300,000, healthcare providers make a tempting target for extortion efforts.
Aside from their increased likelihood of paying when faced with ransom demands, healthcare providers are valuable targets for additional reasons. On one level, most healthcare institutions process and store large amounts of personal health information--a layer of data far richer than personally identifiable information stored in other databases. Because PHI has an essentially unchangeable nature, healthcare data stands as the most valuable kind of stolen personal information — patient records can fetch up to $1,000 each on the dark web.
The continued evolution of ransomware also means that cybercriminals can extract this kind of data without compromising their efforts to extract ransoms. New strains of ransomware, such as Doppel Paymer, enable threat actors to siphon outpatient records while locking down systems simultaneously.
As invaluable pieces of infrastructure, healthcare institutions are also targets for state-sponsored threat actors whose aim is focused on causing disruption and stealing intellectual property rather than just for financial gain. For example, in 2019, state-backed threat actors attacked a US-based cancer research center by trying to entice researchers into opening a document that referenced a conference held by the targeted organization. Research has shown how threat actors could theoretically create malware capable of misdiagnosing high-profile patients. In one terrifying prediction from this research, cybercriminals could even use deep learning to add or remove tumors from individual MRI scans.
While cybersecurity is on track to become a significant factor influencing both consumer choices and patient healthcare outcomes, for providers, the cost of falling victim to ransomware attacks is already highly pertinent. Due to the difficulty of remediating and shutting down infections within healthcare settings, the average healthcare data breach costs $7.13 million — making it one of the hardest-hit industries overall.
Unfortunately, this cost is likely to increase. With healthcare increasingly digitized and healthcare institutions leaning on network connectivity to enable better patient care through increased use of telehealth and IoT devices, healthcare institutions' inherent attractiveness as targets is constantly growing. Simultaneously, ransomware's effectiveness and evasiveness are also evolving to enable more devious methods of extortion. Critically, however, aside from the costs of remediating an attack, the long-term outcome of falling victim to ransomware can have an incalculable impact on consumer confidence.
In response, healthcare providers have no choice but to reassess their cybersecurity posture and ensure that they can mount a proactive defense against devastating ransomware attacks. As long as healthcare institutions remain attractive to threat actors, patient health will be at risk.