Hospitals are a safe bet for prowling ransomware gangs

Extortion attacks against healthcare organizations have almost doubled. Since hospitals are most likely to pay the ransom, that's hardly a surprise.

Two-thirds of healthcare organizations were hit with a ransomware attack last year, a recent survey by cybersecurity firm Sophos shows. The number of affected organizations in the field has almost doubled from 34% in 2020 to 66% last year.

"The data that healthcare organizations harness is extremely sensitive and valuable, which makes it very attractive to attackers," John Shier, a senior security expert at Sophos, said.

Researchers claim that the increasing number of attacks against the sector signals the growing success of the ransomware-as-a-service (RaaS) model. RaaS significantly reduces entry barriers for cybercriminals as they can purchase ready-to-use malware.

Healthcare institutions are also a 'safe bet' for cybercriminals. For example, hospitals cannot afford downtime due to the sensitive nature of their operation and are likely to pay the ransom.

Sophos' survey confirms this, as organizations in the healthcare sector are most likely (61%) to pay the ransom demand. In comparison, 46% of organizations opt to meet criminals' demands, on average.

At the same time, the amount healthcare institutions pay to cybercriminals is the lowest of any sector. On average, institutions within the sector pay around $197,000, while the global average stands at $812,000 across all sectors.

"These low ransom payments are likely driven by the constrained finances of many healthcare organizations, particularly those in the public sector. They simply don't have more money for the attackers to squeeze out of them," reads the report.

The show must go on

While healthcare institutions pay comparatively low ransoms, downtime costs within the sector are among the highest, a contributing factor to their eagerness to pay the ransom in the first place.

"[...] the need for efficient and widespread access to this type of data means that typical two-factor authentication and zero trust defense tactics aren't always feasible. This leaves healthcare organizations particularly vulnerable, and when hit, they may opt to pay a ransom to keep pertinent, often lifesaving, patient data accessible," Shier said.


According to the report, 94% of healthcare organizations hit by ransomware in the last year said significant attacks impacted their ability to operate. Not only do disruptions hinder the vital role of patient care, but they also add to remediation costs.

While across all sectors, the average cost to an organization to rectify the impact of ransomware attacks went down, attack remediation costs in the healthcare sector grew from $1.27 million in 2020 to $1.85 million in 2021.

"Lack of cybersecurity expertise, proliferation of medical IoT devices, vulnerable legacy systems, and the very nature of 24/7 operations continue to affect the healthcare sector, driving up overall remediation costs," reads the report.

Risky business

The report claims that ransomware attacks against healthcare have become so frequent that some insurers either refuse to take in hospitals or leave the market altogether.

93% of healthcare institutions with cyber insurance said the process for securing cover had changed over the last year, with cyber insurance becoming harder to obtain. Almost half said there are now fewer companies that offer cyber insurance.

"As a result, some insurance providers have left the market as it has simply become unprofitable for them. Those that remain are looking to reduce risk and exposure. They're also pushing up prices considerably," reads the report.