In 2017, the WannaCry ransomware attack hit National Health Service (NHS) facilities in the United Kingdom, impacting both computers and medical devices. It significantly disrupted facilities’ ability to provide care to patients seeking services and underlines just how incapacitating this type of malware can be, especially in a clinical setting, where it can interrupt a staff’s ability to provide treatment.
This particular cybersecurity incident is only one line item on a fast-growing list. The prevalence of ransomware attacks and cybercriminal’s sophistication continues to grow. Though no industry is safe, the healthcare vertical unfortunately remains a popular target for attackers.
Why is the healthcare sector susceptible to ransomware attacks?
The existence of sensitive PII, healthcare and financial data at a single organization makes for a tempting target. This means bad actors looking to disrupt services, exfiltrate valuable data or make a quick profit off companies willing to pay a ransom are turning their attention to hospitals and other healthcare providers. In addition, the critical nature of the services provided adds increasing pressure on IT and security teams to quickly recover data so normal operations can resume.
As the recent COVID-19 pandemic unfolded, some cybercriminals spoke out against targeting healthcare organizations during such a devastating public health crisis, but many have continued their activities. In October of 2020, the U.S Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory highlighting the growing issue, stating that [the] “CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
A recent Forbes report also touched on the evolving phenomenon of bad actors and tools becoming increasingly specialized. “It’s proven lucrative for one of the most active hacking crews: the criminals behind the Ryuk ransomware. Ryuk first surfaced in 2018 and it’s been far and away the most profitable ransomware operation ever since.” Ryuk’s activities are responsible for a substantial number of attacks in the healthcare space.
In addition to the desirable data in healthcare providers’ environments, the attack surface they present is often considerable. For example, a significant number of connected devices, including IoT, can help medical professionals improve their quality of care. But, many remain on relatively flat networks, enabling ransomware to propagate to a vast number of other assets with little resistance.
Complicating things further is the number of legacy IT assets in healthcare, including XP machines, that often support business-critical systems which IT teams can’t easily replace. These all also have the potential to introduce system vulnerabilities that attackers can exploit and then use to move laterally across a network.
The cost of ransomware attacks on healthcare institutions
While the average ransom is high, several other factors contribute to the true cost of ransomware attacks.
After an attacker has successfully encrypted as many assets as they can reach and issued a ransom note, providers are likely to be unable to access the data needed for patient care and other operations. In the case of the WannaCry attack mentioned earlier, patients and resources needed to be rerouted. In many cases, hospitals and clinics also put non-emergency care on hold until the NHS could recover the impacted systems.
In addition to the price of a ransom, and what can become several days of downtime, mitigation and recovery costs are also significant. An article in CPO magazine reports that while other industries averaged around $3.86 of spend to address the impact of ransomware, healthcare organizations ended up footing an even larger bill when it comes to clean up, with an average total cost of $7.13 million.
Then, there also may be a price to pay for exposing sensitive customer data. Data exfiltration is becoming increasingly common as a tactic for negotiating. More recently, some bad actors threaten to auction off data if a ransom goes unpaid or leverage it for future financial gain and other attack campaigns.
Cybersecurity in the healthcare industry
Cybersecurity in the healthcare industry already comes with the need to navigate HIPPA and other compliance regulations around sensitive data. A successful ransomware attack, especially one involving data exfiltration, is a recipe for additional complexity — particularly when it comes during a time where many providers are already facing increased pressures under COVID-19.
However, preventing lateral movement at a healthcare organization as part of the broader security strategy can drastically reduce impact and aid in the follow-up to a successful ransomware attack. Detecting and preventing lateral movement inside your network boils down to two main focus areas: First, reduce the initial attack vector then limit the propagation paths.