
Hackers Favor Small Hospitals, Health Centers as Ransomware Targets

Small hospitals and healthcare centers are prime ransomware attack targets, as hackers see an increased likelihood these providers will pay the ransom demand to prevent care disruption.

The majority of reported successful ransomware attacks on the healthcare sector affect facilities with fewer than 500 employees. According to the latest RiskIQ report, these smaller providers are prime targets due to the increased likelihood that they’ll pay the ransom demand to prevent care disruption.

In fact, the RiskIQ intelligence brief on ransomware in the healthcare sector found that 70 percent of analyzed ransomware attacks impacted small providers. And these attacks on healthcare facilities have increased 35 percent between 2016 and 2019.

Calling the COVID-19 pandemic a perfect storm for cyberattacks, RiskIQ researchers studied 127 ransomware attacks from the last three years to determine how hackers have adjusted their methods to increase the effectiveness of their attacks, and how providers can best protect patient data.

“This digital revolution happened quickly, but with the outbreak of COVID-19, it has suddenly gone into hyperdrive,” researchers wrote. “Almost overnight, workforces and business operations decentralized and were flung around the world, widening the protection gaps and decreasing visibility into their attack surfaces.”

“Cybercriminals are capitalizing on coronavirus concerns, which has led to a spike in malicious online activity that we assess will increasingly impact healthcare facilities and COVID-19 responders,” they added.

Based on its research, RiskIQ found that cybercriminals tend to target direct patient care facilities. In fact, of the 127 ransomware victims they analyzed, 51 percent were hospitals or healthcare centers; 24 percent were medical practices; and 17 percent were health and wellness centers.

Hackers target these providers not only because they are more likely to pay the ransom; small facilities are also singled out for their “lean security support.” Data shows that about three out of four small- to medium-sized hospitals lack an on-staff IT security leader.

Notably, the average ransom demand across the analyzed attacks was $59,000. That figure does not include downtime and recovery costs; earlier research shows a ransomware incident causes an average of 10 days of downtime and about 8 percent data loss.

Of those infected with ransomware, just 16 percent paid the ransom. As noted by the FBI, Microsoft and others, paying the ransom should be a last resort as just 50 percent of recovery decryption keys are effective. Hackers may also target the organization in future attacks given their willingness to pay the ransom.

RiskIQ also noted that ransomware attacks have a serious impact on patient safety, with data showing victims can expect to see as many as 36 additional deaths per 10,000 heart attacks each year.

There has also been a steady increase in class-action lawsuits against healthcare facilities that fall victim to ransomware. In the last few months, DCH Health System in Alabama, Hackensack Meridian Health, Health Quest, the University of Washington Medicine, and a host of others have all been sued by patients impacted by these organizations’ ransomware incidents.

Prevention Recommendations

RiskIQ stressed that backing up data may no longer be enough to restore systems infected with ransomware, as hackers have increasingly targeted backup processes and tools. An initial intrusion can lie dormant on the system while backups are created, so the backups themselves come to contain the ransomware.

Once the malware is activated, the backups are then corrupted with the ransomware, as well. But RiskIQ stressed providers should continue to employ segmented, offline backups, as not all ransomware variants compromise backup data. Backup data should be stored offline or on a different network and encrypted.
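The two backup failure modes described above, a backup set silently altered after it was taken and a dormant payload that rides along into the backups, are what a restore-time integrity gate is meant to catch. The following is an added example written for this article, not code from RiskIQ or from any product it names. It assumes a keyed manifest (HMAC over per-file SHA-256 hashes) is produced when the backup is taken and the key is held only on the isolated backup host, so an attacker who can rewrite files on the primary network cannot also forge the manifest. It also flags files whose byte entropy looks like ciphertext, which is how encrypted-in-place data tends to stand out from ordinary EHR exports. All file contents and paths are constructed sample data.

```python
"""Backup integrity gate (added example): verify a backup set against a keyed
manifest and flag files that look encrypted before the set is rotated offline."""
import hashlib
import hmac
import json
import math
import os
import tempfile
from collections import Counter

# Constructed demo key. In practice this lives only on the isolated backup host.
MANIFEST_KEY = b"constructed-demo-manifest-key"
ENTROPY_THRESHOLD = 7.5          # bits per byte; random/encrypted data is close to 8.0
COMPRESSED_SUFFIXES = (".gz", ".zip", ".enc")  # legitimately high-entropy formats


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is typically 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _walk(root):
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                yield os.path.relpath(path, root).replace(os.sep, "/"), fh.read()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every file under root and sign the entry table with an HMAC."""
    entries = {rel: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
               for rel, data in _walk(root)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(root: str, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means the set is safe to rotate offline."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        return ["manifest HMAC mismatch: manifest was altered"]  # nothing else is trustworthy
    findings, seen = [], set()
    for rel, data in _walk(root):
        seen.add(rel)
        expected = manifest["entries"].get(rel)
        if expected is None:
            findings.append(f"unexpected file: {rel}")            # dropped after backup was taken
        elif hashlib.sha256(data).hexdigest() != expected["sha256"]:
            findings.append(f"hash mismatch: {rel}")              # modified after backup was taken
        ent = shannon_entropy(data)
        if ent > ENTROPY_THRESHOLD and not rel.endswith(COMPRESSED_SUFFIXES):
            findings.append(f"high entropy ({ent:.2f} bits/byte): {rel}")  # looks encrypted
    findings.extend(f"missing file: {rel}" for rel in manifest["entries"] if rel not in seen)
    return findings


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a clean backup, then simulate post-backup tampering; returns both finding lists."""
    # Deterministic stand-in for ciphertext: hash chain output, high entropy, constructed.
    pseudo_ciphertext = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    with tempfile.TemporaryDirectory() as root:
        _write(root, "ehr/patients.csv", b"id,name\n1,constructed sample\n" * 50)
        _write(root, "ehr/notes.txt", b"routine visit, no findings\n" * 40)
        manifest = build_manifest(root, MANIFEST_KEY)
        clean = verify_backup(root, manifest, MANIFEST_KEY)
        # Simulate a payload activating after the manifest was signed.
        _write(root, "ehr/patients.csv", pseudo_ciphertext)
        _write(root, "ehr/extra_file.txt", b"constructed unexpected file\n")
        tampered = verify_backup(root, manifest, MANIFEST_KEY)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean set findings:", clean)
    print("tampered set findings:", *tampered, sep="\n  ")
```

The point of signing the manifest from the isolated side is that a compromised primary host cannot simply regenerate hashes to match files it has encrypted; the entropy check is a second, independent signal for the case where the attacker never touches the manifest at all. Run the gate before each rotation and treat any finding as a reason not to overwrite the previous offline copy.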

Organizations also need a strong and practiced incident response plan to reduce the impact on patient care if they fall victim. And security leaders must track the enterprise’s digital assets that sit outside the firewall, as hackers are actively looking for unknown, unprotected, and unmonitored digital assets.

As the COVID-19 pandemic has expanded the threat surface with significantly more employees working remotely, RiskIQ stressed this step is increasingly crucial. For the same reasons, security leaders should also be aware of vulnerabilities on devices outside their firewall.

For example, many of the most popular Virtual Private Network platforms have serious vulnerabilities that could allow a hacker to gain access to the enterprise network. While those flaws were made public more than a year ago, thousands of those devices have been left unpatched. And hackers are exploiting those flaws for financial gain.

“The importance of patch management cannot be overstated when developing strategies to reduce risk of ransomware and other malware infection,” researchers wrote. “To harden their networks and connected equipment, healthcare facilities with devices running open services should place them behind a firewall.”

“They should also whitelist via the firewall any external IPs which require access. Placing these devices within a VPN adds another layer of protection,” they added. “Organizations can improve individual readiness for phishing attempts by taking part in phishing training.”

Security leaders should also be aware of current ransomware threats and keep track of attack trends. Microsoft also recently provided ransomware guidance to healthcare organizations, in light of a number of successful ransomware attacks on hospitals during the pandemic.

Most recently, MalwareBytes provided insights into advanced persistent threats plaguing the healthcare sector during the pandemic, following a recent joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the UK National Cyber Security Centre.

MalwareBytes found hackers are using several attack vectors, with the coronavirus as the lure to entice victims. Those methods include template injection, malicious macros, RTF exploits, and malicious LNK files. Much like the joint alert, researchers noted APT threat actors will continue to leverage the crisis to craft sophisticated phishing campaigns.
