
To pay or not to pay: Cyberattack ransoms in healthcare

Deciding whether to pay a ransom in a healthcare cyberattack is a major dilemma. On one hand, paying the ransom might quickly restore access to vital patient data and minimize disruptions to healthcare services, which can save lives. However, this approach has serious drawbacks. In the end, organizations need to understand both sides of the coin and recognize that there is no one-size-fits-all approach.

The nature of cyber threats faced by healthcare organizations

Over the years, the nature of cybersecurity threats in healthcare has evolved significantly. Initially, attacks were often simple malware or viruses that disrupted systems. Today’s attacks are more sophisticated and targeted, often involving ransomware, where attackers encrypt a healthcare provider’s data and demand a ransom to unlock it. An ESSEC Business School report on the state of cybersecurity in healthcare states, “One of the most popular types of cyber-attacks mainly targeting hospitals is ransomware. The list of hospitals hit by this type of attacks keeps getting longer and examples of such attacks are flooding the news…”

Ransomware attackers exploit the fact that healthcare services are critical and time-sensitive; hospitals and clinics can't afford lengthy disruptions, making them more likely to pay ransoms to quickly regain access to their data and systems. Ransomware is so prevalent in healthcare because of the type of services provided and the value of the data held. Healthcare organizations often prioritize immediate patient care over long-term IT investments, sometimes leaving their systems more vulnerable to attacks. The urgent need to restore services to mitigate risks to patient health often compels these organizations to pay the ransom, inadvertently encouraging more attacks of this nature.

The consequences of paying the ransom

Healthcare organizations often face immense pressure to restore services quickly to minimize the impact on patient care, which can be a matter of life and death. However, the idea that paying the ransom is an immediate resolution is largely a myth. Even after paying, there’s no guarantee that data will be fully restored or that the criminals won’t leave malware behind. A study published in Digital Health provides insight into the practical reason why ransoms often get paid: “Like in other industries, companies often find that paying the ransom could be less impactful on operations and profit margins than attempting a recovery of the compromised IT systems without the decryption key needed to remove the malware. The Vermont Hospital estimates that the cost due to delays in hospital operations from an attack in 2020 was on the order of $1.5 million per day.”

The long-term consequences of paying ransoms include:

  • It financially fuels the cybercrime industry, encouraging more attacks. 
  • It can lead to repeated attacks on the same organization, as criminals mark it as an easy target. 
  • There's the issue of trust; stakeholders and patients lose confidence in the organization's ability to protect their sensitive information.

In the United States, the legality of paying ransoms is a complex issue. While not explicitly illegal, US law does have regulations that complicate the payment. For example, if the ransom payment is to a group that's sanctioned by the US government, then paying that ransom can be seen as violating those sanctions. The US Treasury’s Office of Foreign Assets Control (OFAC) discourages ransom payments to sanctioned groups and individuals, emphasizing that such payments can undermine national security. Moreover, the FBI discourages ransom payments, citing the reasons above and the lack of guarantee that compliance will result in data recovery.

The challenge of not paying

The reasoning behind not paying the ransom in cyberattacks is rooted in the long-term benefits of deterrence and security. By refusing to pay, healthcare organizations send a clear message to cybercriminals that ransomware is not a profitable endeavor against them, which can help deter future attacks. Not paying also helps ensure that funds are not funneled into criminal enterprises, which could otherwise use them to enhance their attack capabilities.

However, choosing not to pay often leads to longer downtimes as the organization works to recover lost data from backups or attempts to rebuild systems from scratch. During this recovery period, patient care can be severely disrupted. Medical data might be inaccessible, leading to delays in treatment, which can have dire consequences for patient health and safety.

In the United States, healthcare organizations are not left to fend for themselves against ransomware attacks. There is considerable support available, both in terms of resources and guidance. Federal agencies like the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) provide guidelines and best practices for ransomware prevention and response. Additionally, these organizations can receive aid in the form of cybersecurity tools and frameworks to help prevent future incidents.

The reality of cyberattack ransoms

An HHS report on cybersecurity trends shows a sharp increase in the severity and financial demands of these attacks. From 2020 to 2021, the average ransom demand surged by 45%, reaching about $247,000. The scale of demands has escalated dramatically; while the largest known ransom in 2020 was $30 million, by mid-2021, demands soared to $70 million during the REvil/Kaseya incident, and a staggering $240 million was demanded in the Hive attack in November 2021.

More healthcare organizations are finding themselves paying hefty ransoms, with the proportion of victims paying over $1 million nearly tripling from 4% to 11%. Despite the high cost, just under half of all targeted organizations end up paying the ransom, motivated by the need to regain access to crucial medical data. Fortunately, the majority of these organizations—99% of them—do get back at least some of their data after paying. However, the recovery is often partial; on average, only about 60% of the encrypted data is restored. A mere 4% of organizations manage to recover all their data post-payment.

The Change Healthcare attack and the trickle effect of ransomware

The cyberattack on Change Healthcare in late February 2024 sent shockwaves across the U.S. healthcare landscape, illustrating the devastating short-term and far-reaching long-term impacts of such security breaches. Orchestrated by the notorious ransomware group BlackCat, this massive attack led to a complete shutdown of over 100 crucial applications that managed everything from pharmacy and medical records to patient engagement and payment services. The disruption was immediate and severe, throwing hospitals, pharmacies, and clinics into disarray as they scrambled to find workarounds for essential services like filling prescriptions and processing medical claims.

In response to this crisis, UnitedHealth Group, the parent company of Change Healthcare, along with its division Optum, swiftly mobilized an arsenal of resources aimed at curtailing the chaos. They prioritized restoring functionalities such as electronic prescribing and claims processing, needed to keep the wheels of healthcare turning. Despite their efforts, the ripple effects were palpable, with delays in treatment and financial transactions affecting millions of Americans who depend on timely healthcare services.

But the ramifications extended beyond just operational disruptions. Financially, the attack inflicted strain, prompting UnitedHealth Group to initiate support programs to assist healthcare providers with immediate cash flow needs, reflecting the depth of the economic impact.

The long-term consequences of this attack serve as a stark reminder of the ongoing challenges in cybersecurity for healthcare. The incident revealed the sector's dependency on digital technologies but also its susceptibility to sophisticated cyberattacks, which can cripple systems and erode patient trust. In the wake of the attack, federal agencies, industry leaders, and government bodies have been forced to reevaluate and reinforce their cybersecurity strategies.

The UK Synnovis ransomware attack

In June 2024, a ransomware attack by the INC Ransom extortion gang severely disrupted major hospitals in London, showcasing the significant impact such cyber threats can have on healthcare systems. The attack targeted hospitals partnered with Synnovis for pathology services, including prestigious institutions like King’s College Hospital and Guy’s and St Thomas’. This resulted in a critical incident declaration, with operations canceled and emergency patients redirected, severely affecting services like blood transfusions and access to test results due to the loss of connection to main servers.

The immediate effects were drastic: emergency care was maintained, but many routine procedures had to be postponed or moved to other facilities, disrupting patient care across several London boroughs. The long-term impacts bring to light the healthcare sector's deeper systemic vulnerability to cyber threats, even across the pond. Despite the NHS's efforts to mitigate the damage by collaborating with the National Cyber Security Centre, the fact that 3 TB of sensitive data were stolen and leaked underscores the severe risk of data breaches in healthcare.

Ascension Health and the large-scale effect of a ransomware attack

In May 2024, Ascension Health, a network of Catholic hospitals in the US, fell victim to a cyberattack that disrupted operations and potentially affected 13.4 million people. The attack prompted an immediate response, with the healthcare provider engaging cybersecurity experts Mandiant and notifying authorities to investigate and mitigate the impact. Despite disruptions to clinical operations, the healthcare teams at Ascension were well-prepared, having initiated emergency procedures to ensure patient care remained as unaffected as possible. This attack highlights healthcare organizations' escalating challenges from cyber threats, emphasizing the necessity for robust cybersecurity measures.

Globally, the financial repercussions of cyberattacks are mounting, with the average cost hitting $4.45 million in 2023. However, Ascension’s proactive incident response strategies demonstrate valuable lessons in minimizing these costs. Data shows that breaches contained within a shorter lifecycle (fewer than 200 days) cost significantly less, about $1.02 million less than those that aren't contained as quickly. The use of threat intelligence and effective incident response strategies can expedite the detection and containment of breaches, further reducing costs and operational impacts.

The HHS measures against cyber threats

The UPGRADE program launched by ARPA-H marks a stride in the HHS's dedication to combating cyber threats in the healthcare sector. With an investment of over $50 million, the program aims to automate and enhance the security of hospital IT systems. It features a suite of tools that can proactively scan for vulnerabilities, and when threats are detected, it swiftly develops, tests, and deploys patches to protect hospital operations.

This initiative ensures the continuity of patient care in the face of cyber threats and boosts the overall cyber resilience of healthcare facilities. UPGRADE provides hospital staff and patients with increased security and peace of mind by speeding up the process from threat detection to the deployment of solutions.

Best practices

  1. Segmented network infrastructure with enhanced controls: Deploy micro-segmentation to create granularly secure zones in networks that can isolate critical sections of the healthcare infrastructure, such as patient records, financial information, and research data. This minimizes the lateral movement of ransomware within networks.
  2. Real-time monitoring and behavioral analytics: Implement real-time monitoring and behavioral analytics tools that utilize machine learning to detect unusual activities that deviate from normal operations. These tools can quickly identify and quarantine ransomware activities before they spread.
  3. Advanced endpoint protection: Equip all endpoints, including mobile devices and IoT devices like medical equipment, with next-generation antivirus and endpoint detection and response (EDR) solutions that are capable of identifying and responding to ransomware signatures and tactics.
  4. Healthcare-specific cybersecurity frameworks: Adapt and implement cybersecurity frameworks specifically designed for healthcare settings, such as the NIST Cybersecurity Framework tailored for HIPAA compliance. Regularly update the security measures as per the framework's guidelines.
  5. Regular security audits and penetration testing by external experts: Conduct comprehensive audits and penetration testing more frequently, utilizing external experts who specialize in healthcare cybersecurity. These experts can provide an unbiased perspective and identify potential vulnerabilities that internal teams might overlook.
  6. Incident response simulations: Regularly conduct detailed ransomware attack simulations to test the effectiveness of current incident response plans. Adjust these simulations to reflect the latest ransomware techniques and ensure that every department understands its role during an attack.
  7. Dedicated cybersecurity roles: Establish dedicated roles within the healthcare organization, such as a Privacy and Security Officer who specializes in healthcare security, to oversee the development and implementation of cybersecurity strategies.
  8. Secure configuration of medical devices: Ensure that all medical devices are securely configured and regularly updated to guard against ransomware. Implement strict controls on who can access and update these devices.
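As an added illustration of item 2 (behavioral analytics) that is not part of the original post: a small Python detector that flags a host renaming many files to an extension outside the organization's normal set within a short window, which is the file-activity signature of ransomware encrypting a records share. The audit-log format, field names, host names, baseline extensions and thresholds are constructed assumptions, not a specific product's telemetry.

```python
"""Toy ransomware behavior detector over constructed file-server audit lines.
Added example, not the page's or any vendor's code; the log format, field
names and thresholds are assumptions for illustration only."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=\S+ op=(?P<op>\S+) "
                     r"path=\S+(?: new=(?P<new>\S+))?$")
BASELINE_EXTS = {".pdf", ".dcm", ".docx", ".xlsx", ".hl7"}  # assumed normal types on the share


def build_sample_log():
    """Constructed audit lines: one benign edit, then a 25-file rename burst."""
    lines = [
        "2024-06-03T10:15:01Z host=ws-billing-02 user=jdoe op=write path=/records/claims/1001.pdf",
        "2024-06-03T10:15:03Z host=ws-billing-02 user=jdoe op=rename "
        "path=/records/claims/1001.pdf new=/records/claims/1001_v2.pdf",
    ]
    for i in range(25):  # one host renaming imaging files to .locked, one per second
        lines.append(f"2024-06-03T10:16:{i:02d}Z host=ws-radiology-07 user=svc_scan op=rename "
                     f"path=/records/imaging/img{i}.dcm new=/records/imaging/img{i}.dcm.locked")
    return lines


def detect_encryption_bursts(lines, window_s=60, min_renames=20):
    """Return {host: peak count} for hosts making >= min_renames renames to a
    non-baseline extension inside any sliding window of window_s seconds."""
    recent = defaultdict(deque)  # host -> timestamps of suspicious renames
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["op"] != "rename" or not m["new"]:
            continue
        if os.path.splitext(m["new"])[1].lower() in BASELINE_EXTS:
            continue  # renaming to a normal document type is routine
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["host"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop events older than the window
        if len(q) >= min_renames:
            alerts[m["host"]] = max(alerts.get(m["host"], 0), len(q))
    return alerts


if __name__ == "__main__":
    print(detect_encryption_bursts(build_sample_log()))  # {'ws-radiology-07': 25}
```

In a real deployment the alert would feed the quarantine step the list describes (isolating the host or revoking its share access); the thresholds need tuning against a site's own baseline, since bulk imports and backup jobs can also rename many files quickly.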


FAQs

What is a ransomware attack?

A ransomware attack is a type of cyberattack where hackers encrypt an organization's data and demand payment in exchange for the decryption key.

What is the difference between a Privacy and Security Officer?

The difference between a Privacy and a Security Officer is that a Privacy Officer focuses on ensuring compliance in the use and safeguarding of personal information, while a Security Officer is responsible for implementing and managing physical and digital security measures to protect an organization's assets and information.

What is the role of the HHS?

The HHS enhances and protects the health and well-being of all Americans by providing effective health and human services and fostering advances in medicine, public health, and social services.