Hospitals and health systems: Cybersecurity, ransomware and how to prepare

The healthcare industry has increasingly become a target for cyberattacks on hospitals via hackers and ransomware. The average hospital data breach costs $7.13 million, and it takes longer to recover, highlighting the critical need for robust healthcare industry cybersecurity. This alarming trend has led to a surge in hospital cyberattacks and instances of hospitals being hacked in recent years.

There are two primary reasons why the healthcare industry attracts so many cybercriminals and threat actors, making healthcare organizations particularly vulnerable to ransomware attacks:

1. The vast array of personal data: Hospitals and healthcare facilities store a lot of personally identifiable information on patients in electronic health records (EHRs). This patient data allows criminals to use it in a variety of crimes for financial purposes, like stealing a person’s credit, or for medical identity theft to gain access to prescription drugs.
2. Softer targets: Historically, hospitals, clinics and other healthcare organizations have lagged behind other industries in cybersecurity. They don’t have robust budgets or staff and usually operate within tight margins. There are also many nonprofits in the sector, which do not have the budgets seen within better-funded organizations. This situation, combined with the prevalence of legacy systems, creates a larger attack surface for cybercriminals, making rural critical access hospitals particularly vulnerable.

Some of these challenges will not have easy fixes, but there is one clear thing everyone can do to greatly reduce their risk: Teach your teams how to avoid inviting bad actors into your information systems by identifying different types of cybersecurity threats.

Healthcare ransomware threats are rising

There are different kinds of attacks leadership should keep in mind. For example, insider threats can occur when workers in the building feed information to outsiders. But these days, ransomware attacks are becoming more common and getting the most attention in ransomware news. The healthcare industry has seen a significant increase in healthcare ransomware attacks in 2023, with hospital ransomware attacks in 2023 reaching alarming levels.

Ransomware is a pretty simple concept. This is a malicious program that searches for files and encrypts them with an encryption key only the attacker has. Once encrypted, only the attacker can access those files. For the hospital to regain access, it must pay the attacker a ransom for the encryption key. Once the key is received, you can decrypt the files.

Ransomware attacks are different in how the threat vector is exploited.

A common method involves social engineering attacks. The threat actor targets a hospital’s employees with emails or text messages that appear to come from legitimate senders. If these are convincing enough, a user could click on a malicious link or divulge their user ID and passwords. If the exploitation is successful, the attacker can then encrypt files or target other systems. Also at this point, the attacker can increase their privileges and reach deeper within the environment to extend the ransomware.

Another threat vector is with system vulnerabilities. This can enable an attacker to gain privileged access. If an attacker can exploit the vulnerability to do this, it usually gives them broad network access to other systems and data.

Once the attacker gains control within the system and encrypts the files, they will demand a ransom. Healthcare organizations are forced with a decision: pay and hope to get the encryption key in return. Or don’t pay and be locked out of their files potentially leading to severe patient care consequences and even threat-to-life crimes.

How to react if your healthcare organization experiences a ransomware incident

If your hospital is hacked or experiences a ransomware attack, do you know what do?

First, hospitals and healthcare systems should avoid paying the ransom, if at all possible. It will come down to a business decision by leadership — and depending on circumstances — you may have no choice but to pay. But just because you pay does not mean the threat actors will provide the keys. Also beware that trying to negotiate down the ransom price could backfire.

If your systems are backed up, begin investigating if data is intact and if files are retrievable. If backups are corrupted or otherwise infected, or the recovery time is too long, an organization may choose to pay the ransom to minimize the financial impact and disruption to hospital operations.

If you are hit with a ransomware attack, here are some immediate questions to ask:

• Who needs to be part of a response team (not just IT)?
• Is it possible to identify where the attack started?
• Who outside of the organization can help respond and recover?
• Do you have cyber insurance?
• Is it possible to isolate the attack?
• How do you recover? Are there backups in place?
• When and how will you alert patients/customers about the attack?
• Do you have to contact regulators?
• Do you pay the ransom? What are your criteria for making the decision?

Why are health care organizations particularly vulnerable to ransomware attacks?

Healthcare organizations face unique challenges that make them attractive targets for cybercriminals. Understanding these vulnerabilities is crucial for developing effective defense strategies:

• Valuable data: Healthcare facilities store vast amounts of sensitive patient information, making them prime targets for data theft and extortion.
• Critical operations: The life-saving nature of healthcare services means that any disruption can have severe consequences, increasing the pressure to pay ransoms.
• Legacy systems: Many healthcare organizations still rely on outdated technology, which is often more vulnerable to attacks.
• Limited resources: Tight budgets and staffing constraints can lead to inadequate cybersecurity measures.
• Complex networks: The interconnected nature of healthcare systems, including medical devices and telemedicine platforms, creates multiple entry points for attackers.

How to develop the right plan for your healthcare organization

If a ransomware attack hits, you can prevent downtime and avoid interruption of service if you plan accordingly. Let’s look at steps you should take right now to protect your healthcare organization:

• Back up your systems.
• Test your backups.
• Isolate your backups from the rest of your environment and make sure they require separate credentials.
• Train your end users regularly against social engineering attacks, especially since these have become harder to recognize.
• Train your response team (internal and external) on how to react if a ransomware attack occurs.
• Form an incident response team to execute your plan:
  • IT (internal and external)
  • Security
  • Communications
  • Legal
  • Other leaders

• Regularly test your systems for vulnerabilities and fix what you find.
• Have a robust patching and software update process.
• Isolate your systems to reduce your exposure and attack surface. Think not only about separate network segments, but also unique user ID/password credentials to manage them.
• Sandboxing of critical systems with critical alerts can notify teams if unexpected traffic is detected.
• Lock down risky protocols like RDP and SMB.
• Perform risk assessment to identify high-risk areas frequented by staffers, vendors and anyone else with access to your systems.
• Deploy malware detection and prevention systems and network intrusion prevention systems.

How Wipfli can help

Wipfli can support your hospital or health system by advising best practices to follow to guard against cyberattacks and ransomware attacks. Our experts can develop a plan specifically for your IT systems to prevent attacks with the aim of keeping you online and fully operational, minimizing the risk of ransomware-as-a-service and other emerging threats.

Contact us to schedule a consultation. During our talks, we will examine your concerns, and you can hear about solutions Wipfli can deliver for your healthcare organization to enhance cybersecurity and protect against the growing threat of ransomware attacks in healthcare.

Related content:

• From compliance to confidence: Mastering the new CMMC requirements
• Business continuity planning: How to prepare for a cyberattack
• 5 cybersecurity due diligence best practices