Vitalii Gulenok/istock via Getty

Why healthcare data is often the target of ransomware attacks

The healthcare industry relies heavily on IT systems. Sensitive patient data is valuable to hackers, leading to ransomware attacks that disrupt operations and endanger lives.

With healthcare, real human lives hang in the balance, as medical professionals, hospitals and clinics aim to help nurture, support and improve human life. In the modern world, healthcare is a digital business that uses various IT systems regularly.

A fundamental component of health IT systems is data. That data can include patient information, such as clinical observations, prescriptions, payment information and other personally identifiable information (PII). Healthcare data in recent years has been a very lucrative target for cyberattacks, particularly ransomware, with attackers holding healthcare information, and potentially patient lives, for ransom.

Why is healthcare such a big target for cyberattacks?

Cybercriminals are increasingly focusing on healthcare organizations, exploiting their weaknesses to gain access to sensitive information, disrupt operations and extort money.

Here are some key reasons healthcare is now a prime target for cyberattacks.

Healthcare is a treasure trove of data

Healthcare organizations hold vast amounts of sensitive information. That data can include PII, such as medical histories, Social Security numbers and financial information. PII can be valuable to attackers who might choose to resell the information in various illicit marketplaces on the dark web.

Critical nature of healthcare

Attackers aren't just looking to disrupt a service, they're looking to get paid when deploying ransomware.

The critical nature of healthcare services gives any outage from ransomware or any other cause an extreme sense of urgency as lives could potentially hang in the balance. That urgency can influence a healthcare organization to pay a ransom quickly to be able to regain and restore control of operations.

Relatively soft targets and easy entry points

Vulnerabilities in medical devices of various types have left healthcare organizations and hospital networks open to attack. In recent years, different types of devices have been connected to hospital networks providing a gateway for cybercriminals to potentially gain access and then move laterally to access more critical systems and data. Vulnerabilities in medical devices are not always easy, or sometimes even possible, to patch.

The life span of a medical device can be long, leaving several unpatched devices in an environment. There is also a lot of complexity in healthcare IT because there is a mix of modern and legacy systems and devices.

Broad attack surface

The variety of devices and environments provides a broad attack surface. There are also various environments, including on-premises users at clinics and hospitals and remote users.

Healthcare professionals frequently need to access data remotely, which increases the attack surface for cybercriminals. Remote access can introduce more risks and vulnerabilities.

Resource and cybersecurity awareness

Cybersecurity is not the primary business of healthcare providers. As such, there can often be resource and budget constraints in place that impact the ability of the healthcare organization to invest in cybersecurity.

The resource constraints can lead to a lack of proper cybersecurity tools, processes and dedicated personnel. It can also lead to a lack of cybersecurity awareness as there are no resources to help train and educate users.

Why healthcare data is valuable to hackers

Healthcare data is valuable to hackers for several reasons, including the following:

  • Comprehensive personal information. Healthcare patient records typically contain a significant amount of information about individuals. That information can include date of birth, payment methods, insurance data and sensitive medical conditions. Such PII can be used for identity theft and to potentially file fraudulent medical claims.
  • High black market value. Healthcare records on the black market are typically worth more than other types of personal data, such as credit card information.
  • Long-term utility. Healthcare data is valuable because it has long-term usefulness, making it different than a credit card where a user can cancel and replace a card. Stolen medical records contain permanent data points criminals can use over a longer period.
  • Blackmail and extortion. The data held in healthcare records can be sensitive health information that can be used for blackmail. For example, bad actors can threaten to release private medical details unless a ransom is paid.

Recent healthcare cybersecurity attacks

Cybersecurity and specifically ransomware attacks are all too common in the healthcare industry. In fact, according to the FBI's Internet Crime Complaint Center (IC3), healthcare and public health were the sectors most impacted by ransomware in 2023.

These attacks often led to significant disruptions in healthcare access and patient care, including postponed procedures, and according to at least one report, a patient death as well.

There are also significant financial costs associated with cybersecurity data breaches. The Cost of a Data Breach Report 2023 from IBM and the Ponemon Institute identified healthcare industry breaches as the most expensive at an average of $10.93 million vs an overall average cost of $4.45 million.

Following is an overview of recent healthcare cybersecurity attacks from the beginning of 2023:

February 2023

  • Perry Johnson & Associates was attacked by an attacker stealing data on 8.95 million individuals.
  • LockBit ransomware group breached Managed Care of North America, impacting 8.9 million people.

March 2023

  • A third party gained unauthorized access to PharMerica's systems, potentially exposing information on 5.8 million individuals.

April 2023

  • Harvard Pilgrim Health Care was the victim of a ransomware attack that impacted 2.55 million individuals.

July 2023

  • HCA Healthcare was breached impacting 11.27 million patients.

November 2023

  • Healthcare software company Welltok revealed that it was impacted by a vulnerability in Progress Software's MOVEit Transfer software, exposing information on 8.49 million individuals.

February 2024

  • The ransomware attack on Change Healthcare, a division of UnitedHealth Group, disrupted the largest healthcare payment system in the U.S. and affected billing, eligibility checks, prior authorization requests and prescription fulfillment. The exact number of impacted individuals has not been publicly disclosed as the company handles nearly a third of patient records in the U.S.

April 2024

  • A hacking incident at Kaiser Foundation Health Plan compromised the records of 13.4 million individuals.

May 2024

  • A ransomware attack hit Ascension Health which operates 140 hospitals across the U.S. The exact number of individuals directly impacted by the data breach has not been specified.

How healthcare facilities can protect their data

Data security should be a high priority with all the valuable data and risks that healthcare facilities and providers have.

While healthcare is under pressure and scrutiny from attackers, healthcare facilities can take steps to help prevent a data breach. Healthcare has some unique attributes, particularly the high volume of IoT devices, which can be used to help bolster security.

Here are some key practices that healthcare facilities can use to protect data:

  • Identify sensitive data. Healthcare organizations should take inventory of all data sets and locations of sensitive information to know where all this data is located.
  • Limit privileged access. Access control to sensitive data should be tightly controlled to limit access to only necessary situations.
  • Patch infrastructure routinely. Keeping software and systems updated with the latest security patches is crucial to limiting the risk of known vulnerabilities.
  • Secure network perimeter and remote access. Network perimeter security controls, such as firewalls, intrusion prevention/detection systems (IPS/IDS), and access control lists, can help identify and stop known threat attempts from outside the organization.
  • Encrypt data. Sensitive data should be encrypted where it is stored and while it is in transit moving from one point to another.
  • Use strong authentication. Healthcare facilities should enforce strong authentication policies including the use of multifactor authentication.
  • Segment networks. Microsegmentation, which creates separate isolated network zones, can limit lateral movement and prevent attackers from accessing additional systems and data if they successfully breach the perimeter.
  • Monitor infrastructure. Advanced network monitoring and threat detection tools, such as network detection and response platforms, can help detect and block intrusions, preventing data breaches from occurring or spreading.
  • Conduct cybersecurity training. Regular security awareness training for anyone who accesses and interacts with sensitive data is essential.
  • Create an incident response plan. These plans should include procedures for identifying, tracking and containing any security incidents. Employees should regularly practice these plans.

By implementing these best practices, healthcare organizations can enhance their data security posture, reduce the risk of data breaches and protect sensitive information from unauthorized access, accidental loss, or corruption.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.

Next Steps

The history and evolution of ransomware

Dig Deeper on Security