Ransomware 101 For Healthcare

Managing Director of Technology at Health2047 and pioneering expert on digital transformation in the healthcare industry.

Critical healthcare systems are now under constant threat of cybersecurity attacks.

The statistics are staggering: According to U.S. Department of Health and Human Services data, the number of healthcare breaches in the first half of this year is nearly double that of the same period last year. And the per-incident cost of a healthcare data breach has soared to $10.10 million, making it the top industry for most-expensive breach costs.

So why is healthcare the No. 1 target of constant, concerted cybersecurity threats? Three factors play starring roles:

• The breadth and depth of data held in patient records.

• The potential for impact on complex interconnected IT infrastructures and service delivery.

• The reputational damage caused by a successful breach.

All of these make healthcare easy pickings for a particular flavor of cyberthreat motivated by greed and growing in prevalence: ransomware. Ransomware attacks on healthcare increased by 94% globally last year, so it’s important to ensure that the sector’s leaders and stakeholders understand the basics.


What Is Ransomware?

Ransomware is a type of software used to steal, block or disable access to critical systems and/or data until a ransom (generally a sum of money) is paid. Perhaps you heard about a $1.1M UCSF Medical School payout to hackers in 2020? Or a reported death the same year in Germany when a hospital’s infected IT system disrupted its emergency services? Or a cyberattack that forced an Arizona hospital offline in April? Or one that crippled Costa Rica’s national health platform in May? Those were all ransomware incidents.

How Does Ransomware Work?

For an attack to occur, someone or something first gains access to the system, often via a single device. This access allows a piece of software to be installed. The rogue software then takes control of, collects, scrambles or conceals some or all of the user’s or the system’s files.

The cyber culprit generally promises to supply the key to the files once a payment is made. Payment is often directed to be made to a bank account or crypto wallet.

Ransomware variations include:

• Leakware: Threatens to distribute sensitive information to the general public, press, business competitors, the dark web or some other potentially damaging party unless payment is made. This is also known as extortionware or doxware (from the term “doxing,” which means releasing confidential information on the internet).

• Locker Ransomware: Locks systems or devices from performing basic functions until payment is made.

• Crypto Ransomware: Encrypts important data until payment is made.

Related cyberthreat variations include:

• Scareware: Poses as a legitimate alert claiming to detect a virus or malfunction and tricks people into visiting infected websites or downloading malicious software that will supply access to the computing device or system.

• Ransomware-As-A-Service (RaaS): Attackers simply pay a fee and/or agree on a commission rate to log in to an existing attack platform, select targets, conduct hacks and receive payments all through one interface.

Ransomware Targets

Attackers select their targets based on a number of factors, but anyone can be a target.

Weak targets include individuals or organizations with suboptimal cyber defenses or a specific industry perceived to have poor or outdated cybersecurity. Companies and institutions that have the funds to pay are also obvious targets and are known to pay out of necessity.

Ransomware prey naturally includes any organization that possesses sensitive information or data that could be damaging if released.

You can start to see why healthcare entities make good targets. Their data is often confidential, they utilize a lot of legacy IT infrastructure and they need to conduct massive amounts of time-sensitive file sharing—which provides attackers many exploitable endpoints.

How Ransomware Spreads

Phishing emails are the most common cause of ransomware attacks. Messages from someone posing as a legitimate contact or institution lure targets into clicking on links to spoofed websites, downloading malware and/or providing sensitive data such as user identification and passwords. The information is then used to access the user’s device, network and/or important accounts.

How To Prevent Ransomware Attacks

Good cybersecurity hygiene is the best defense against ransomware attacks. At minimum, healthcare organizations should follow U.S. Cybersecurity & Infrastructure Security Agency (CISA) guidelines:

• Implement multi-factor authentication.

• Update software continuously (scan emails and drives, keep computers and networks fully patched, run scheduled checks, block known ransomware sites, etc.).

• Train staff to think before clicking and to be wary of unknown sources.

• Use strong passwords and/or a password manager.

Further cybersecurity fortification for organizations can be implemented by staying abreast of cyber threat alerts, permitting only authorized applications on work computers; restricting or prohibiting access to official networks from personally owned smartphones, computers or devices; and restricting administrator privileges.

Preparing For The Future

Every healthcare organization should take steps now to recover from a future cyberattack. This includes:

• Developing an incident recovery plan in the event of a ransomware attack.

• Carefully implementing and testing a data backup and restoration strategy with secure and isolated backups.

• Maintaining a list of contacts for attack response.
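One way to make the "test your backups" step concrete. This is an added example, not code from the article or from Health2047: it records a SHA-256 manifest of a backup at the time it is taken, then checks a restored copy against that manifest, flagging files that are missing, files whose content changed, and changed files whose bytes are near-random, which is what crypto ransomware leaves behind. The patient-record files, the 7.5 bits-per-byte entropy threshold and the high-entropy stand-in for ciphertext are all constructed for the demo.

```python
import hashlib
import tempfile
from collections import Counter
from math import log2
from pathlib import Path

ENTROPY_LIMIT = 7.5  # bits per byte; encrypted data sits near 8.0 (assumed threshold)

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is ~4-5, ciphertext ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())

def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file under root at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the backup-time manifest.
    corrupted = hash differs; suspicious = differs AND looks encrypted."""
    report = {"ok": [], "missing": [], "corrupted": [], "suspicious": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) == digest:
            report["ok"].append(rel)
        else:
            report["corrupted"].append(rel)
            if shannon_entropy(p.read_bytes()) > ENTROPY_LIMIT:
                report["suspicious"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: three records backed up; the restore has one intact,
    one overwritten with high-entropy bytes (stand-in for ciphertext), one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "backup"), Path(tmp, "restored")
        src.mkdir()
        dst.mkdir()
        (src / "patient_001.txt").write_text("MRN 001 admitted 2024-01-02 ward 3\n")
        (src / "patient_002.txt").write_text("MRN 002 discharged 2024-01-05\n")
        (src / "labs.csv").write_text("mrn,test,value\n001,hba1c,6.1\n")
        manifest = build_manifest(src)
        (dst / "patient_001.txt").write_bytes((src / "patient_001.txt").read_bytes())
        (dst / "patient_002.txt").write_bytes(bytes(range(256)) * 16)  # entropy 8.0
        return verify_restore(manifest, dst)
```

A scheduled run of `verify_restore` against a test restore from the isolated backup, with any non-empty "missing" or "suspicious" list paged to the response contacts, turns the recovery plan into something that is exercised rather than assumed.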

Sadly, with cyber threats like ransomware continuing to evolve, the question no longer seems to be whether your organization will be victimized—it’s when.
