A new report from Corvus found a 75-percent increase in reports of ransomware attacks on healthcare entities from H1 2019 to H2 2019. 

The report covers the IT security traits of healthcare entities, including hospitals, health systems, doctor’s offices, consultants and more. The entities have been the target of hundreds of ransomware attacks in recent years, the report says -- and those are only what’s been reported to the public.

Ransomware Activity

The rise of ransomware has been the most significant general trend in cybersecurity in the past year. Corvus’s Data Science team studied reported attacks over time to get a view of this trend. Because of varying reporting standards across states, these numbers represent only a sample of the true number of attacks, but the trend over time is illustrative.

Findings include:

  • Overall, ransomware attacks have been rising substantially since around the beginning of 2019. Before 2016, ransomware was a marginal aspect of cyber crime, with large-scale data breaches -- aiming to steal troves of protected health information or credit card data -- ruling the day. Since the NotPetya and WannaCry attacks of 2017, ransomware has been better known, with new strains of malware and new vulnerabilities helping to kick off the recent boom.
  • Attacks on health care entities have always been a big part of the overall ransomware picture. A recent rise in attacks on health care entities follows the general trend in ransomware. But while overall attacks rose in Q1, within health care they remained flat. Could the claims by several ransomware groups that they would avoid attacks on health care during the COVID-19 pandemic be reflected here? Future reports will tell.

Industry Analysis: IT Security of Health Care Entities

The two primary attack vectors for ransomware attacks are open ports (places where an organization’s IT infrastructure connects to the wider web) and phishing emails. Using data from the Corvus Scan, this section explores how healthcare entities are faring in securing open ports and email systems.

Findings include:

Open Ports (Attack Surface)

  • Health care entities primarily have a smaller attack surface, but hospitals appear to be as much a target as the average organization. Corvus says, "Open ports are opportunities for attackers to identify and exploit. Properly managed, they are a necessary part of being connected to the web. But a larger attack surface is harder to keep track of and defend. Failing to properly secure an open port is too often a critical error. According to a Corvus study, presence of an open port with RDP was associated with 37% greater likelihood of a ransomware attack."

Email Security

  • Health care entities use email scanning and filtering tools at similar rates to the web average, which is low. Even among hospitals, which utilize those services at higher than average rates, over 75% do not use email scanning and filtering tools.
  • This metric has barely budged since the COVID-19 outbreak began. This is despite the fact that phishing exploits have increased and present a risk to health care organizations. Corvus says, "Hospitals use email scanning and filtering tools more than average, but the average is low. According to Corvus research, these services are associated with a 33% reduction in the likelihood of a ransomware attack."


Overall, health care organizations are average, or better than average, when it comes to defending against two key attack vectors, claims Corvus. "This isn’t surprising given the regulatory environment and the sensitivity of their data. However, attackers are not deterred by a challenge. More important is the return on investment, and with a rich set of patient data (both PII and PHI), hospitals and other care facilities are a valuable target for data breaches. Plus, because of the critical nature of their operations -- they cannot afford to be down, with patients’ lives on the line -- they have become a natural target for ransomware. This requires an adversarial approach to defense. Hospitals in particular have larger attack surfaces, just about average in size for the web overall, making them more at risk for an attack through an open port. And all it takes is just one entry point to make an attack viable."