The Rising Threat of Ransomware Attacks on Hospitals

In 2019, Verizon reported that ransomware already accounted for over 70% of successful cyber attacks on healthcare organizations. Since 2020, there’s been a 45% increase in attacks against healthcare providers. Beyond the financial impact to hospitals, the resulting device and system outages have had devastating consequences for patients — diverting ambulances to faraway hospitals, relocating at-risk patients, and rescheduling essential surgeries.

This guide explains how hospitals can protect themselves and their patients from the impact of cyber attacks, with staff education, thoughtful planning, threat detection, and incident response capabilities. Read on to learn more about the ransomware threats hospitals face and what can be done to prevent and overcome them.

How ransomware attacks have impacted hospitals

The frequency and sophistication of ransomware attacks have dramatically increased over the past several years. Originally, attackers used what’s known as a “spray and pray” method: they would send mass email campaigns and hope that at least a few recipients would mistakenly open and download malware.

But in recent years, the strategy behind launching ransomware has evolved into a more targeted and stealthy operation. Today, cyberattackers prey on users’ psychology, posing as legitimate contacts at reputable organizations asking urgently for financial information, passwords, or other confidential data.

Hospitals are a prime target for ransomware attacks. Attackers know that hospitals collect and store sensitive information such as protected health information (PHI) and will do anything to minimize disruption in service and impact on patient safety. The COVID-19 pandemic exacerbated this problem. COVID pushed hospitals over capacity with record-setting admissions. With more to care for, employees were more likely to fall for ransomware traps.

On top of that, budget cuts have limited the amount of cybersecurity professionals on staff. This not only impacted the effectiveness of any cybersecurity programs in place, it also resulted in many organizations that were slower to identify and respond to developing threats. 

Because of the imminent threat to patient safety, many organizations felt obligated to pay ransoms immediately. But this led to dangerous consequences. When hospitals paid a ransom, attackers would just ask for even more money, putting even more stress on healthcare systems. While insurance limited the impacts of high ransoms on hospitals, payouts often weren’t as high as organizations expected.

Allocating hospitals’ limited budget toward cybersecurity best practices and taking as many precautions as possible can help hospitals keep their patients, data, and organizations protected.

Stopping and preventing ransomware attacks

Thankfully, there are several proactive steps hospitals can take to prevent ransomware attacks and reduce impact to patients and the organization when attacks do happen. These steps include:

• Staff awareness: It’s critical to train hospital workers to recognize the telltale signs of phishing and other malicious emails. Typically, these emails contain an urgent request for confidential information or threaten to shut down a user’s account unless they share their password. Using real-life phishing examples in security awareness programs can bring the gravity of attacks to life and help employees identify and report them sooner.
• Collaboration with vendors: Hospitals can improve their cyber defenses by participating in public-private partnerships and other collaborative cybersecurity efforts. For example, the US federal government is willing and able to assist hospitals’ recovery after a cyber attack. Their rapid-response Cyber Action Team helps hospital staff assess and contain attacks, and  advises them on steps to recovery. The FBI updates its investigative techniques and analytic tools with every ransomware recovery, making them poised to help when attacks occur. But the Health and Human Services-sponsored Health Care Industry Cyber Security Task Force has urged hospitals to take even earlier action, and work with private vendors to bolster their cybersecurity.
• IoT and IoMT security: IoT and IoMT devices store and transmit some of hospitals most sensitive data in healthcare environments, and unfortunately, many healthcare organizations aren’t aware of all the devices connected to their networks. Connected medical devices such as infusion pumps, patient monitors, and MRI machines can be vulnerable and also impacted by the security of other connected devices such as security cameras, smart speakers, and even connected vending machines that might share the same network.. And the IoT and IoMT devices organizations are aware  of may still have risk such as default passwords, unpatched software, or unnecessary administrative access, which makes them especially prone to compromise. Maintaining an accurate, up-to-date asset inventory and implementing strict policies to control IoT and IoMT devices can curb the chances of ransomware attacks.
• Network segmentation: Applying network segmentation is a proactive way to reduce the attack surface and “blast radius” or the ability of an attack to spread. If ransomware is found on one part of a hospital’s network, it’s likely that it has infiltrated other parts of the network, causing a cascade of problems for the organization such as impacting services and the safety of patients. Network segmentation can help hospitals avoid this situation by separating networks into “sub-networks” or segments to restrict the movement of an attacker or spread of an attack.  Segmentation can also be used to respond to an attack by quarantining or isolating compromised devices as soon as they are detected to prevent further spread.

Platforms like Ordr are specifically designed to protect organizations such as hospitals from the impact of  ransomware attacks, by identifying IoT, IoMT, OT, and IT devices that may be vulnerable to an attack, detecting anomalous behavior that may be an indicator of an attack, and automating the creation of policy to respond to an incident or proactively improve security with segmentation.

What should hospitals do if they’re attacked?

Ransomware attacks are evolving at an alarming rate, and the unfortunate reality is that hospitals continue to be a primary target. Dedicating time and effort to preparation is key to a swift and effective response. Some ways to prepare include:

• Define a ransomware response plan: Having a well-documented plan can help hospitals contain and mitigate the effects of an attack. While security and IT teams may spearhead this effort, other departments should be involved in the planning process. Response plans should include sections related to legal, PR/communications, operations, finance, and human resources and everyone involved should know what to do when an incident occurs. That means hospitals must make time to practice their cybersecurity plan, just as they would for any other catastrophic event.
• Work with local authorities: Attackers don’t always behave as expected — even when hospitals do pay a ransom. For that reason, the federal government recommends that hospitals do not give in to ransoms. Instead, the recommendation is for hospitals to familiarize themselves with their local FBI and DHS offices and prepare to reach out to those agencies during cyber attacks. Some hospitals may hesitate to contact these groups for fear of hefty compliance fines for compromising patient data, but safe harbor laws protect hospitals in the event of an attack.
• Consider a cybersecurity vendor: The department of Health and Human Services (HHS) encourages hospitals to consider working with vendors who can further bolster their cybersecurity. Cybersecurity platforms can provide identification of vulnerabilities, detection of attacks, response capabilities, and may include employee training and awareness capabilities to strengthen hospitals’ first line of defense.

Hospitals should be able to instantly detect and address any suspicious behavior on any device connected to their network. They should also take measures to identify devices that may need updates to configurations, patches to address vulnerabilities, or upgrades for outdated operating systems and software to plug up existing security gaps before they are exploited. The platform they use should also be able to aid in the response to an attack by automating policy and integrating with security and network products for enforcement.

Of course, not all vendors are created equal. Some are optimized for healthcare environments , monitoring all IoT, IoMT, and OT devices across the whole environment, laying the foundation for a comprehensive, real-time threat response strategy. Unlike other cybersecurity platforms, Ordr takes a “whole hospital” approach with capabilities that span across IoT, IoMT, OT, and IT devices. 

Monitor and minimize your attack surface

The frequency of cyberattacks on hospitals and health systems more than doubled in the last five years, exposing the health information of nearly 42 million patients. And unfortunately, ransomware attacks will likely continue to target healthcare organizations into the future. 

The good news is that hospitals can avoid detrimental consequences with the right plan, tools, and prevention measures. Proper staff education, vendor collaboration, segmentation, and sound cybersecurity plans contribute to a healthy security posture. But these methods can only offer so much protection. Hospitals need to gain visibility into their security gaps, clinical risks, and anomalous behavior — cybersecurity practices that can’t be achieved manually.

Ordr is an AI-powered platform built to keep hospitals and their patients safe by providing visibility and security of  every connected device across the whole hospital. Ordr also integrates with a hospital’s existing security, network, and IT infrastructure enabling hospitals to maintain a comprehensive view of risk and focus efforts to respond and reduce threats. And because connected devices in hospitals are critical to the safety of patients, Ordr’s agentless, passive solution will provide insights and protection without impacting services.