Ransomware attacks against healthcare nearly doubled in 2023, according to new research. While some experts are calling for governments to impose a coordinated ban on ransomware payments, such actions might not successfully address the issue for the healthcare sector, specifically.
Ransomware Skyrockets
Throughout last year, more than 2,200 hospitals, schools and governments were hit with ransomware attacks, according to Emsisoft.
Forty-six hospital systems, comprising a total of 141 hospitals, were hit with ransomware attacks last year. That’s a sharp increase from the 25 hospital system attacks in 2022 and 27 attacks in 2021.
For the healthcare sector, ransomware attacks can be devastating. In August 2023, a ransomware attack disrupted operations for a health system with multiple hospitals and clinics in multiple states. The hospital system was forced to temporarily take their technology offline, shut down emergency rooms and urgent care centers, cancel elective surgeries, suspend routine care, and reroute ambulance services to other hospitals.
StatNews research notes that during the first week of a ransomware attack, hospital patient volume falls by roughly 20% on average. Revenue plummets by the same amount or more, with a 40% decrease in the emergency setting.
More importantly, ransomware represents a massive danger to patients by disrupting access to critical care and medical staff’s ability to view patient medications, lab and imaging results, and more.
Research from the National Library of Medicine found that ransomware can inadvertently impact other healthcare facilities near the ones being targeted. If a hospital needs to shut down due to ransomware and patients are diverted to another facility, that facility may struggle to absorb the overflow of patients, putting many at risk.
Banning Ransomware Payments
To thwart the ransomware epidemic, Emsisoft recommends that governments ban payments to attackers. Given that ransomware is essentially a profit-driven enterprise, the best option may be to take profit out of the equation.
Allan Liska, a threat analyst at Recorded Future, once reluctant about the idea of a ransomware payment ban, now sees it as the only option. He noted that not only are attacks increasing, but they are becoming more aggressive in nature, and law enforcement can’t keep up. “A ban on ransom payments will be painful and, if history is any guide, will likely lead to a short-term increase in ransomware attacks, but it seems like this is the only solution that has a chance of long term success at this point,” he said.
Emsisoft believes that a ban would force hackers to resort to less disruptive methods of cybercrime. That might mean an uptick in other types of cyberattacks; however, prime targets like healthcare already incur multiple types of attacks on a daily basis. Therefore, there is nothing to indicate that attacks other than ransomware would surge. And even if they did, those attacks may be far less disruptive to critical services.
But a ban would create additional complications. It might require a waiver that would still allow organizations that provide critical services (like healthcare providers) to pay if they choose to. Additionally, a ban for private companies would be difficult to enforce. It could result in even fewer organizations reporting ransomware attacks and making payments in secret—which is already a major problem.
Furthermore, there is another issue here for healthcare providers that a ban would not address. If ransomware attackers have access to ePHI, they can do whatever they want with it. And in the case of attacks against healthcare, there is more than one way to make a profit. Healthcare records are sold on the dark web for $1,000 apiece, on average.
For example, early last year, a ransomware-as-a-service (RaaS) group attacked a healthcare system in Eastern Pennsylvania. The system refused to pay the ransom, and the attackers posted patient information on the dark web.
The damage to patients is obvious, but this kind of nefarious activity also opens healthcare providers up to HIPAA lawsuits. Lastly, even if the provider does pay the ransom, they have no guarantee of getting their data back. Research by Veeam noted that 19% of organizations that paid ransomware attackers in 2022 were unable to recover their data.
Proactively Addressing Ransomware
Whether or not a ban on ransomware payments comes to fruition, healthcare providers must be proactive in protecting themselves against ransomware and other threats. And that includes providers of all sizes. Make no mistake—just because large hospital systems have been targeted frequently, that doesn’t mean smaller practices will fly under the radar. Attacks against small and midsize practices can be very profitable for cybercriminals and are often far too easy to execute.
For a full checklist on how providers can protect themselves and their patients’ data, be sure to download our two-part e-book, Enhancing Cybersecurity at Healthcare Practices. We provide you with the tools you need to safeguard your practice against the current ransomware surge, as well as other prevalent threats to the healthcare sector.
Download Part 1: Protect Against Current and Emerging Threats
Download Part 2: Protecting Systems and Data