Global ransomware attacks jumped 68% to reach a record high in 2023, and the pace isn’t expected to slow. Businesses of all shapes and sizes and in all sectors are vulnerable to cyber-attacks, but the healthcare industry is a frequent victim. Phishing remains the most common cyber threat to healthcare organizations, but ransomware is also on the rise: the sector saw nearly 200 ransomware attacks in 2023, according to data collected from ransomware leak sites.
Healthcare an Attractive Target
For the past several years, threat actors have prioritized attacks on healthcare providers. Protected health information (PHI) is worth more to criminals than most other types of data, and attackers know that deploying ransomware in a healthcare organization can disrupt patient care. Both factors raise the pressure on the victim to pay, and with it the likelihood that the ransom is paid.
A recent, highly publicized attack on a large healthcare technology organization was perpetrated by the notorious ransomware gang ALPHV/BlackCat, which the FBI has cited as the second most prolific ransomware-as-a-service variant in the world. In December, the FBI temporarily disrupted the gang’s operations by seizing several websites operated by the group and offering a decryption tool to its victims.
That did not deter ALPHV/BlackCat from targeting this healthcare technology organization. An affiliate of the group allegedly stole four terabytes of data and claims to have accessed data belonging to numerous of the organization’s customers as well.
Vendor Breach Cyber Insurance Response
While the overall mix of causes behind cyber insurance claims in the healthcare sector is generally on par with other sectors, claims resulting from a vendor breach in 2023 far exceeded those in other industries. The explanation may be straightforward: US regulations governing PHI impose stricter breach-notification obligations on healthcare providers than most other industries face, so more vendor incidents surface as reportable breaches.
For example, suppose a hospital uses a software vendor to transcribe doctors’ voice-note recordings. Patient information is transmitted to the vendor and stored there for a period of time. If that vendor suffers a cyber-attack that compromises the patient data, the vendor is obligated to notify the hospital, which in turn might be obligated to notify its patients (absent an agreement to the contrary).
If the hospital has cyber insurance, it would ideally notify its carrier, which can connect the hospital with counsel experienced in the nuances of a healthcare data breach response. Depending on the coverage available under the policy, the carrier may also assist the hospital with sending out notifications, setting up a call center, and offering credit monitoring if appropriate.
Time for a Systemic Overhaul
The healthcare industry is deeply interconnected and co-dependent. As recently observed, an attack on one healthcare company set off a chain reaction across the entire healthcare ecosystem. According to an American Hospital Association survey, 94% of hospitals are experiencing a financial impact from that attack, with more than half reporting “significant or serious” impact.
To help prevent future catastrophic events, the industry should address an overreliance on a handful of vendors and meet recognized cybersecurity standards. Accomplishing this will be no small feat, and a public-private sector collaboration could be a solution.
- In December 2023, the US Department of Health and Human Services (HHS) released a concept paper outlining the department’s cybersecurity strategy for the industry; this builds on the National Cybersecurity Strategy outlined by President Biden and introduces healthcare-specific cybersecurity goals to increase accountability within the sector.
- In late March 2024, HHS announced it is creating a “one-stop shop” for cyber at the department’s Administration for Strategic Preparedness and Response.
- In February 2024, the World Economic Forum advised that “a collaborative and systemic approach within the ecosystem is key — cyber resilience must be viewed beyond just the confines of any one organization… Building cyber resilience requires not only protecting individual entities but also ensuring the robustness of the entire ecosystem to withstand and recover from cyber incidents.”
But sweeping systemic changes won’t happen overnight.
In the meantime, what can healthcare organizations do to mitigate risk?
Establish the Right Security Controls
While the industry grapples with these attacks, organizations are following the advice of cybersecurity experts to step up their cyber hygiene. Industry-wide, healthcare organizations should implement:
- Multi-factor authentication on remote access, admin accounts and email
- Resilient backups, including offline or immutable copies, with restores tested regularly
- Patch and update management
- Managed detection and response (MDR)
- An incident response plan that is exercised, not just written
How to Strengthen Cyber Resilience in Healthcare
Cyber-attacks, including ransomware attacks, aren’t likely to stop. Healthcare organizations must build cyber resilience: the ability to keep operating and to recover quickly when an attack succeeds.
Third-Party Risk Management
Recent high-profile ransomware attacks illustrate the impact third parties have on business resilience, and how quickly any organization can suffer when a critical vendor goes offline.
Third-party risk management helps organizations assess and identify risks associated with third-party vendors so there’s a plan in place before a critical partner is breached.
Business Continuity and Disaster Recovery Plans
The actions an organization takes in the first 48 hours after a business disruption dictate how quickly and effectively it resumes operations. To mobilize quickly and effectively, organizations should have a business continuity and disaster recovery (BCDR) strategy in place before an incident.
That strategy should cover not only the organization’s own systems but also its dependency on vendors. Building a BCDR plan forces conversations between business units and IT about which vendors, if any, are critical, and what the contingency plan is if they go offline.
Revisit Vendor Contracts and Business Associate Agreements
Avoid letting vendor contracts or business associate agreements (BAAs) go untouched for too long, especially given the frequency of mergers and acquisitions in healthcare. As part of third-party risk management, organizations should regularly confirm that contracts are up to date, negotiate favorable terms where possible, and note any provisions that govern what happens after a cyber-attack, such as notification timelines and cooperation with the incident response.
Healthcare entities are obligated to continuously evaluate the risks they face both inside and outside the organization, and should put cybersecurity controls and best practices in place to mitigate those risks.