How to Stay Prepared and Protected from a Healthcare Ransomware Attack

With the vast amount of Personal Health Information (PHI), financial data, and the growing reliance on digital systems for patient care, hospitals and healthcare facilities worldwide are increasingly targeted by cyber threats, particularly healthcare ransomware attacks. These ransomware threats exploit vulnerabilities in healthcare systems, aiming to lock down critical data and disrupt operations for financial gain.

A recent healthcare study by Sophos revealed that the rate of ransomware attacks against healthcare organizations has reached a four-year high since 2021. Of those surveyed, 67% were impacted by ransomware attacks in the past year, up from 60% in 2023. By understanding why healthcare data is so valuable and identifying the root causes of these breaches, organizations can take proactive steps to protect themselves from the growing ransomware threat.

What makes healthcare data an easy target for a ransomware attack?

The healthcare industry is at particularly high risk of ransomware attacks because of several factors that, when combined, create an environment where PHI is not only a lucrative target but one that is often inadequately defended against sophisticated tactics. These factors include the following:

  1. Valuable Data – Sensitive personal information, including medical histories, social security numbers and financials, makes healthcare data incredibly valuable to a cybercriminal who is looking to make a quick profit.
  2. Urgency of Services – In an environment where timely access to patient data is crucial, attackers are able to exploit this urgency, knowing that organizations will have little time to decide to pay a ransom to avoid serious patient-impacting disruptions.
  3. Underfunded Cybersecurity – Many healthcare organizations operate under significant financial pressures while using outdated legacy operating systems, both of which limit their ability to keep pace with more vigorous cybersecurity measures, leaving them vulnerable to attacks.
  4. Human Factor – This industry in particular experiences high staff turnover, leading to inconsistent training and awareness when it comes to cybersecurity protocols, leaving them susceptible to phishing or social engineering attacks.
  5. Regulatory Pressure – Healthcare organizations must adhere to strict compliance requirements like the Health Insurance Portability and Accountability Act (HIPAA), which is intended to protect sensitive patient data but can also leave many organizations overwhelmed by complicated processes.

A recent real-world example of just how costly a healthcare data breach can be is the Change Healthcare ransomware attack of February 2024. With an estimated one-third of Americans compromised in the data breach, stolen PHI included health insurance information, medical records (including diagnoses, medicines, test results and images), payment information, and other personal information such as social security numbers, passport IDs and driver’s licenses. This ransom cost Change Healthcare $22 million.

What are the most prevalent tactics used to breach healthcare organizations?

Catching organizations off-guard is what cybercriminals are best at. They do this by implementing a variety of tactics to exploit vulnerabilities throughout complex systems and human behavior. Here are some common methods:

  • Phishing Attacks – Deception is a cybercriminal’s calling card, and malicious, fraudulent emails that appear legitimate are one of the most common breach methods seen in healthcare.
  • Unpatched Software Vulnerabilities – Threat actors know to take advantage of weaknesses, like outdated software and legacy systems, to gain access to sensitive PHI, financial data and anything else they can grab before getting caught.
  • Weak Passwords and Authentication – Two ways that a cybercriminal can take advantage of credentials are credential stuffing and brute force attacks. Credential stuffing utilizes stolen credentials from other breaches to gain access to healthcare systems, especially if employees use the same passwords across multiple platforms. Brute force attacks use automated attempts to guess passwords, and accounts that do not have multi-factor authentication (MFA) enabled are vulnerable to having their credentials compromised this way.
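
The two credential attacks described above leave different traces in authentication logs: brute force shows many failures against one account, while credential stuffing shows one or two attempts each across many accounts. The Python sketch below is an added example, not part of the original article; the log format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

BRUTE_FAILS = 5   # assumed threshold: failed logins on one account from one source
STUFF_USERS = 4   # assumed threshold: distinct accounts tried from one source

# Constructed sample events (not real logs): "time source_ip user result mfa=on|off"
SAMPLE_LOG = "\n".join(
    # one source guessing repeatedly at a single account that has no MFA
    [f"02:00:0{i} 198.51.100.9 nurse.kim FAIL mfa=off" for i in range(6)]
    + ["02:00:07 198.51.100.9 nurse.kim OK mfa=off"]
    # one source trying a single password each across many accounts
    + [f"03:10:0{i} 203.0.113.7 {u} FAIL mfa=on" for i, u in
       enumerate(["dr.lee", "billing01", "j.ortiz", "lab.tech"])]
    + ["03:10:05 203.0.113.7 frontdesk OK mfa=off"]
    # ordinary user mistyping once, then succeeding with MFA
    + ["08:15:00 192.0.2.44 dr.lee FAIL mfa=on",
       "08:15:09 192.0.2.44 dr.lee OK mfa=on"]
)

def analyze(log_text):
    """Classify each source IP and list accounts that need review."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    tried = defaultdict(set)                       # ip -> every user attempted
    wins = defaultdict(list)                       # ip -> (user, mfa) successes
    for line in log_text.splitlines():
        _, ip, user, result, mfa = line.split()
        tried[ip].add(user)
        if result == "FAIL":
            fails[ip][user] += 1
        else:
            wins[ip].append((user, mfa.split("=")[1]))
    findings = {}
    for ip in tried:
        worst = max(fails[ip].values(), default=0)
        if worst >= BRUTE_FAILS:
            kind = "brute_force"
        elif len(tried[ip]) >= STUFF_USERS and worst <= 2:
            kind = "credential_stuffing"
        else:
            continue
        # A success from a flagged source on an account without MFA needs a reset
        exposed = sorted(u for u, m in wins[ip] if m == "off")
        findings[ip] = {"pattern": kind, "accounts_tried": len(tried[ip]),
                        "review_accounts": exposed}
    return findings

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```
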

What are the prevalent ransomware strains in healthcare in 2024?

Staying informed about prevalent ransomware strains and adopting proactive cybersecurity strategies are essential for healthcare organizations to protect their systems and sensitive data in 2024 and beyond. As cybercriminals continue to gain momentum on the healthcare industry every day, there are trends to look out for.

Many ransomware groups are now employing a double extortion tactic, where they not only encrypt data but also threaten to leak sensitive information if ransoms are not paid. Targeting healthcare systems isn’t going anywhere either. This focus emphasizes the sector’s vulnerabilities, which are often exacerbated by insufficient cybersecurity protocols.

There are several strains that have emerged as significant threats while new variants continue to evolve. The following ransomware families are particularly noteworthy:

LockBit is a ransomware-as-a-service (RaaS) operation that has gained significant traction for its speed and efficiency in encrypting systems. This strain is best known for targeting large organizations and is often used in double extortion tactics, which is why it has become so common in the healthcare sector.

  • An example of this breach is an attack on Croatia’s largest hospital, The University Hospital Centre in Zagreb, forcing it to shut down IT systems for a day.

BlackCat (ALPHV) is newer on the strain scene but has quickly garnered notoriety among cybercriminals for its advanced flexibility and adaptability based on the target’s defenses, making it a formidable threat.

  • An example of this breach is the Change Healthcare attack mentioned earlier, where 4TB of data were stolen and up to 1 in 3 Americans were impacted. The $22 million ransom that was paid was intended to ensure that data was deleted, but the ransomware group instead passed the stolen data to another ransomware group, RansomHub, which demanded another ransom payment.

CL0P Ransomware Gang (aka TA505) has shifted its focus to exploiting vulnerabilities in third-party software to gain access to networks using file transfers, while taking advantage of double extortion, often leading to ransomware deployment.

BianLian is another RaaS model that employs double extortion techniques, looks for sophisticated encryption algorithms, exploits vulnerabilities and, like other strains, can use leak sites to apply more pressure to victims.

4 Steps to stay ahead of cybercriminals looking for their next ransomware target

To help prevent a ransomware attack, there are proactive steps your healthcare organization can take to, at a minimum, make it harder for a threat actor. Here are four strategies:

  1. Robust Back-up Systems – Implementing regular and secure data backups of critical systems can help healthcare organizations recover lost information without paying a ransom. It’s essential that these back-ups are stored offline, checked and tested regularly to prevent them from being compromised.
  2. Regular Security Training – Healthcare staff can always benefit from ongoing security training, recognizing that phishing attempts and other common tactics could be used against them at any time. A well-prepared and informed team can act quickly as the first line of defense in the event of a breach attack.
  3. Zero Trust Architecture – Zero Trust Architecture (ZTA) can significantly strengthen a healthcare organization’s security posture due to the assumption that threats could be both external and internal. This means that no user or device is trusted by default, regardless of whether they are inside or outside the perimeter.
  4. Automated Security Validation – Implementing an automated security validation tool to continuously test and verify security controls can be the difference between knowing when an attack is about to happen and finding out when it’s too late.

Key Takeaways

It’s clear that PHI, financial, insurance and medical records are extremely valuable not only to the primary ransomware attacker but to a potential secondary attacker as well. Ransomware attacks and strains pose a significant threat to the healthcare industry, impacting patient care, finances and reputation.

Understanding the risks and being able to implement holistic cybersecurity measures will better enable your organization to protect itself against this evolving threat.

Healthcare must keep pace with their defenses to fend off maturing technology, because in this industry, every second counts, and it’s no secret that every bit of data is worth something to someone.
