No relief in sight for ransomware attacks on hospitals

The burden on hospitals

Ransomware attacks come with heavy expenses, as victims frequently experience company downtime where IT and/or power restoration may be required. It can be especially painful for healthcare organizations. Sophos' study showed recovery on average lasted one week and cost healthcare providers an average of $1.85 million in 2022.

Ransom payments are an additional expense for companies. Sophos' study found the healthcare sector paid a ransom in about 61% of incidents, up from 34% in 2020 and the highest rate of any vertical industry in its 2022 study.

Mitchelson said the payment rate is typically high because U.S. healthcare organizations primarily operate within the private sector, and executive teams can make their own decision to pay a demanded ransom. But in Europe, he said, many healthcare organizations are publicly funded and government operated and, therefore, are much less likely to pay. The situation is like the education sector in the U.S. For example, K-12 schools rarely pay a ransom because they function under the supervision of local governments and require approval to use taxpayer money for such expenditures.

Paying threat actors not only perpetuates a cycle of ransomware targeting on healthcare but also funds their operations, which can improve the cybercrime tools and attacking strategy.

"It tells them that the sector pays, so the chance of them attacking the sector increases," Mitchelson said. "They're able to use the money to invest in developing better ransomware kits that they can deploy or [developing] better ransomware as a service to deliver the payloads or just [hiring] more attackers."

Therefore, it's not ideal for healthcare organizations to pay, especially with the additional and inevitable remediation and recovery costs. However, without the proper safeguards and best practices, such as regularly patching systems, employing effective backups and establishing an incident response procedure, organizations can find themselves in a quandary. The pressure of quickly recovering from an attack and resuming patient care often means paying a ransom.

Compounding the problem for U.S. hospitals is that most do not have large cybersecurity budgets. T.J. Ramsey, director of threat operations at Fortified Health Security, said investing in quality medical equipment and assistance typically offsets any urgency for healthcare organizations to update systems and create backups. Healthcare systems do not have the funding to heavily invest in these cybersecurity defenses.

"Healthcare in general -- even major hospitals -- often operate on a budget of 2 to 5% in total of their net patient revenue," Ramsey said. "Patient care, preservation of human life and the delivery of medical services is going to be the number one concern for anybody."

Patient information and health at risk

Deficiencies in cybersecurity not only rack up costs for health centers, but they also lead to compromises of patient data and personal health information (PHI). This has become increasingly common over recent years.

Fortified Health Security found 51.4 million records were breached in 2022, an increase from 49.4 million in 2021.

Jama Health Forum conducted a study on 374 ransomware attacks on healthcare delivery organizations from 2016 to 2021. It found that threat actors exposed the PHI of more patients as time progressed. To make matters worse, the study showed the likelihood in restoring encrypted or stolen data from backups decreased over that period. On average, only one out of five organizations could restore their data from backups.

Some of these attacks impacted hundreds of thousands of patients. In April, Yuma Regional Medical Center in Arizona suffered a ransomware attack in which threat actors obtained the PHI of 737,448 patients; files were encrypted and exfiltrated from systems.

CommonSpirit Health, an umbrella organization with 150 hospitals and 2,000 healthcare sites, also took a big hit last fall when a ransomware attack compromised PHI of 623,774 past and current patients. The ransomware attack on CommonSpirit caused procedural disruptions like inaccessibility to patient portals, cancellation of appointments and redirection of ambulances to other hospitals.

More than that, some health systems argue that attacks are directly causing a loss of human life. According to the Ponemon Institute, 22% of healthcare organizations claim that ransomware attacks led to an increase in patient mortality rates in 2022. While some patient deaths have resulted in legal action and law enforcement investigations, there are no confirmed cases as of yet that directly attribute fatalities to an attack.

Are ransomware actors apologetic?

The dire impacts of ransomware sometimes cause threat groups to retreat in the name of reputability. Last December, ransomware group LockBit hacked into SickKids, a children's hospital in Canada, which delayed disclosure of lab and imaging results for patients and families resulted.

Two days later, LockBit apologized to the hospital, blaming the attack on a rogue affiliate. The group returned the decryption key at no cost.

Like many other security professionals, Ramsey found the apology insincere. "You have to remember we're dealing with a criminal element here," said Ramsey. "They might feign apologies or [play] to their emotional side there. We're a caring species; we, by default, want to be helpful to one another. But at the same time, you're dealing with the bad guys here."

Other ransomware gangs have apologized for their invasions in the past. In 2021, ransomware gang Conti attacked Ireland's public health system, compromising 54 hospitals and 4,000 other healthcare locations. Amid intense law enforcement pressure, the group provided the decryption key for free.

Despite that gesture, the now-defunct Conti group was known to attack healthcare systems. Jeremy Kennelly, Mandiant senior manager of financial crimes analysis at Google Cloud, said that one third of publicized attacks by UNC2727, a cybercrime group associated with Conti ransomware, were against the healthcare sector. Even with the occasional apologies and amends, there are currently no indications that ransomware groups will cease attacks on healthcare organizations.

Will Hive's defeat have an impact?

In January, the FBI announced that it had infiltrated the Hive ransomware gang's network and obtain decryption keys for hundreds of victims, saving them $130 million in ransom payments. Authorities also seized the gang's infrastructure and took down its dark web site.

Hive ransomware, notorious for their attacks on healthcare, was first observed in June 2021. Since then, Hive has affected over 1,500 victims globally and accumulated $100 million in ransom exchanges. In December, Hive claimed responsibility for a ransomware attack on Lake Charles Memorial Health System, which compromised nearly 270,000 patient records.

While it represents a major victory in the fight against ransomware, the Hive takedown may not have much of an impact on the overall threat landscape. Threat researchers believe the upward trend of attacks will only continue to grow this year. In 2023, there have already been several ransomware attacks on healthcare organizations, including a recent attack on Atlantic General Hospital in Maryland.

In addition, the ransomware as a service (RaaS) market has demonstrated resilience over the years, with many operators shutting down their sites and later forming new RaaS gangs with different names but similar code and tactics. Affiliate hackers working for Hive may simply shift to Vice Society, Lock Bin or another competing RaaS.

"It's just causing a small amount of disruption until they all continue and go again," Mitchelson said. "There are clear trends that there are more and more criminals within these gangs. The numbers are actually going up, and the groups are thriving despite us taking them down."