Small-Sized and Medium-Sized Healthcare Providers Most Likely to Be Attacked with Ransomware

Ransomware gangs are concentrating their attacks on smaller healthcare providers and clinics, according to a new report from RiskIQ. Healthcare providers with fewer than 500 employees are key targets for the gangs, with these organizations accounting for 70% of all successful healthcare ransomware attacks since 2016.

RiskIQ’s analysis of 127 healthcare ransomware attacks revealed there has been a 35% increase in attacks between 2016 and 2019. Hospitals and healthcare centers accounted for 51% of ransomware attacks, 24% of attacks were on medical practices, with 17% on health and wellness centers.

The cybersecurity defenses at smaller healthcare organizations are likely to be far less effective than those at larger healthcare systems. RiskIQ reports that 85% of small- and medium-sized hospitals do not have a qualified IT security person on staff, so there is a higher chance of gaps in security being left unaddressed. Ransoms are more likely to be paid to avoid the costly downtime that an attack often causes. It can often take several weeks for an organization to fully recover when the ransom is not paid.

A Perfect Storm of New Targets and Methods

The RiskIQ intelligence brief – Ransomware in the Health Sector 2020 – says there has been “a perfect storm of new targets and methods,” due to the digital revolution in healthcare, but recent events have left the healthcare industry even more exposed to attack. The 2019 Novel Coronavirus pandemic has forced healthcare providers to make major changes. “Almost overnight, workforces and business operations decentralized and were flung around the world, widening the protection gaps and decreasing visibility into their attack surfaces,” explained RiskIQ.

Some ransomware groups have claimed they will not attack healthcare organizations during the COVID-19 public health emergency, but there are some groups that are making no such allowances. Attacks have become easier and they are taking advantage. “Cybercriminals are capitalizing on coronavirus concerns, which has led to a spike in malicious online activity that we assess will increasingly impact healthcare facilities and COVID-19 responders.”

Paying the Ransom Does Not Guarantee Recovery

16% of healthcare victims have reported they paid the ransom to obtain the keys to unlock their files. The report suggests the average ransom payment in those attacks was $59,000. While paying the ransom is an option, it is discouraged by the FBI as it just encourages further attacks and there is no guarantee that files can be recovered. The RiskIQ report cites a Wall Street Journal article that suggests fewer than 50% of the decryption keys are effective, so some data loss is inevitable even if the ransom is paid. There have also been cases where ransom payments have been made only for the attackers to then demand a further payment to provide the keys to unlock encryption. Paying a ransom also sends a message to other attackers that the organization is likely to pay if attacked, so the organization may be targeted again by the same or different threat actors.

Ransomware gangs are using a variety of methods to gain access to healthcare networks to deploy ransomware. Spam email is commonly used to trick healthcare employees into clicking malicious links that trigger a ransomware download or opening malicious email attachments containing ransomware downloaders. Vulnerabilities in software are commonly exploited, with many attacks taking advantage of vulnerabilities in Remote Desktop Protocol. The high number of workers now accessing healthcare networks remotely using Virtual Private Networks (VPNs) has seen VPN vulnerabilities targeted by ransomware gangs. Several vulnerabilities have been identified in VPN infrastructure over the past year, and while patches have been released to correct flaws, they are often not applied.

Steps to Take to Reduce Risk and Prevent Ransomware Attacks

The advice to all organizations has long been to ensure backups are regularly made to allow files to be recovered in the event of an attack, but having backups is no guarantee that they can be used to restore data. Several threat groups have been conducting manual ransomware attacks and spend long periods of time with network access before deploying ransomware. In addition to moving laterally and gaining access to large parts of the network, they have also been able to insert their ransomware into backup systems to ensure that backups are also encrypted.

RiskIQ advises healthcare organizations to ensure backups are created often and stored offline, or at least on different networks. Encryption of stored data is also important. There has been an increase in data theft prior to ransomware deployment. If stored data is encrypted, attackers cannot access it even if it is stolen.

RiskIQ emphasizes the importance of having an incident response plan, as this will help ensure attacks can be mitigated quickly to minimize the damage caused. Prompt patching is also essential. The importance of patching cannot be overstated, warns RiskIQ.

It is especially important during the COVID-19 crisis to ensure all digital assets that connect to the organization from outside the protection of the firewall are tracked and protected, as attackers are actively searching for these devices. They often provide an easy entry point to healthcare networks.

It is also important to prepare the workforce and provide training to help employees identify threats such as phishing attacks. Phishing simulation exercises can help to reduce susceptibility to ransomware attacks. IT teams should also keep up to date on the latest attack trends, as they are constantly changing.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.