Ransomware attacks skyrocketed during the pandemic

Barracuda detected a 64% increase in such attacks between August 2020 and July 2021, and many healthcare institutions found themselves in the line of fire. If medical devices or a database containing patient information are subjected to an attack, medical treatments will be interrupted, and some even suspended. It can literally be a matter of life and death. And sadly, that’s why ransomware threat actors are now attacking more hospitals, just to apply that bit of extra pressure as part of their plot to seize ransoms.

In September 2021, Censinet and the Ponemon Institute published the report “The Impact of Ransomware on Healthcare During COVID-19 and Beyond”, based on their interviews with some 600 IT and IT security professionals working in the healthcare industry. The report shares alarming survey results that confirm our worst fears: ransomware attacks can be a life-or-death matter.

The report statistically proves the devastating effects of ransomware attacks on medical services. Some 43% of respondents revealed that their organization was hit by a ransomware attack. Moreover, 71% said such incidents resulted in patients requiring an extended period of care in their facility, while 70% reported delays in procedures and tests. More concerning still, 36% said their patients faced the possibility of increased complications from medical procedures, and some 22% reported elevated mortality rates. 

In July 2019, a baby girl was born at the Springhill Medical Center in Alabama with brain damage due to the umbilical cord wrapping around her neck. The hospital had been hit by a ransomware attack that prevented medical staff from accessing medical equipment and health records.

The baby passed away nine months later. Her mother filed a lawsuit against the hospital, accusing the Center of not doing enough to prevent the ransomware attack and of trying to hide its severity. The hospital allegedly failed to notify the mother about the hack and resulting IT outage. She argued that she would have chosen a different hospital for delivery if the facility had informed her of the cyberattack. If the allegation is proven in court, this will be the first confirmed death resulting from a ransomware attack.

In response to the growing scourge of ransomware in the industry, the healthcare sector has been enhancing the efficiency of its operations by adopting more connected devices. The market size of the global healthcare internet of things (IoT) is expected to increase from USD 60.83 billion in 2019 to USD 260.75 billion by 2027. Yet, there’s also a growing risk of shadow IT in the realm of IoT. Some departments purchase devices and connect them to the office network without talking to the IT team. The invisibility of those shadow IT devices makes it difficult for the IT and cybersecurity teams to protect their facility from cyberattacks. In fact, Medigate and CrowdStrike revealed in November 2021 that, over the last 18 months, approximately 82% of health systems had experienced an IoT cyberattack, and 34% of those attacks were ransomware.

As ransomware attacks on healthcare are on the rise, it’s vital to raise cybersecurity awareness among all stakeholders, increase the visibility of cyber-risks (including IoT-related ones) and implement network segmentation to minimize the damage caused by cyberattacks. Yet, healthcare institutions currently only spend 3–4% of their IT budgets on cybersecurity, compared to 6–14% at financial institutions.

Information-sharing is indispensable for cyber-risk management. A positive development in this effort is the establishment of the Health Information Sharing and Analysis Center (H-ISAC) – a US-based global non-profit organization of healthcare institutions whose mission is to share cyberthreat intelligence and best practices.

Since IT is part of medical services in our digital world, cybersecurity should be integrated into the business strategy and risk management plan of every player in the healthcare sector. Healthcare business executives should ensure their IT and cybersecurity teams have full visibility of which IoT devices need to be protected and patched. And while we must accept that 100% security is not possible, cyberthreat intelligence can reinvigorate detection and response capabilities. In addition, regular data backups, including offline ones, are crucial to a speedy recovery in the case of a devastating ransomware attack.

At NTT, we also advise our clients to revisit their risk management strategies and ensure they include an incident response plan and regular cyber-exercises that put business continuity capabilities to the test. To contextualize the importance of such focus and effort, NTT Security, now called NTT Ltd., discovered in 2019 that only 52% of organizations have such a plan. Without an incident response plan, it’s simply impossible to react to a crisis in a timely manner and have strategic communications with key stakeholders in the event of a catastrophe.

The past two years have brought home to all of us the value and criticality of the care offered to us by our healthcare community and the infrastructure upon which it depends. Robust cybersecurity is an avenue to ensuring that healthcare service providers deliver on their mission and pledge to protect every patient’s life.

If you’d like help building out your incident response capabilities in support of better patient care and resiliency as a healthcare provider, reach out to us today.