As the healthcare industry navigates what we hope is the tail end of the pandemic, it is becoming clear that it faces a cybersecurity emergency as well. With frontline healthcare staff working around the clock to care for a relentless wave of COVID-19 patients, and IT departments scrambling to support the employees who have shifted to working from home, healthcare has quickly become a favorite target for cybercriminals seeking quick infiltration and large payouts. More worrisome, the threat shows no sign of slowing as the pandemic recedes.
In particular, government officials have highlighted the growing ransomware threat this past year, urging hospitals and other public health organizations to take immediate precautions against attacks. Their urgency is not misplaced. Healthcare continues to be targeted far more frequently than other industries, and because ransomware has shown it can limit or completely cut off access to critical care for patients in need, healthcare organizations often feel they have no choice but to pay once an attack takes hold.
This, coupled with security teams that are often understaffed and working on slim budgets, means alarm bells are ringing across healthcare organizations. Patients are paying close attention, too. Healthcare businesses are already reeling from massive losses during the pandemic, and cyberattacks can cause long-term damage well beyond the initial incident. Our research at Morphisec indicates that almost 3-in-10 consumers say they would consider switching providers if their records were breached in a cyberattack. Since the same report found that 1-in-5 Americans say a cyberattack has affected their healthcare provider in the past year, that is worrying news for the entire industry.
With this in mind, here are three avenues attackers are likely to exploit as healthcare becomes a more attractive target, and what providers need to do to protect their sensitive data and safeguard the lives of their patients.
Targeting Weak Email Phishing Defenses
The healthcare industry has been overwhelmed by cyberattacks in the past two years. While cybercriminals use many avenues to infiltrate networks, email has become a top choice for several reasons. For one, a lack of training or awareness about phishing raises the odds of success, and attackers have become increasingly skilled at exploiting the openings that human error creates.
A 2019 study published in the Journal of the American Medical Association illustrated this danger: researchers sent almost three million simulated phishing messages to hospital employees and recorded 422,062 clicks, meaning roughly one in seven messages was clicked. That is a remarkable success rate for an attacker who only needs one.
Phishing techniques are also growing more sophisticated. Many attackers take the time to study a company's personnel and learn how they write before impersonating them by email, and they pair that with authentic-looking sender addresses. The combination makes it very difficult for employees to distinguish a scam from legitimate communication.
It is hardly surprising, then, that consumers pinpoint their healthcare provider's email phishing defenses as their biggest worry: 26% say they believe this is their provider's weakest link when it comes to cybersecurity. And all it takes is one click for an entire organization to fall prey to a phishing attack: one click to place sensitive information in the wrong hands and leave a clean-up bill running into the millions.
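The "authentic-looking sender address" problem described above can be triaged mechanically before a message ever reaches an inbox. The script below is an added illustration, not code from the article or from Morphisec: it classifies a From: header as a display-name spoof (a real employee's name on an outside address), a lookalike domain (homoglyph swaps, one-character typosquats, or the hospital's brand label embedded in a stranger's domain), or ordinary external mail. The organization domain, the staff directory, and every sample header are constructed assumptions.

```python
"""Lookalike-sender triage for inbound email.

Added illustration, not code from the article or from Morphisec. The
organization domain, staff directory and every header below are constructed
assumptions chosen to exercise each branch of the check.
"""
from email.utils import parseaddr

ORG_DOMAIN = "mercyhealth.example"                # assumed legitimate domain
ORG_LABEL = ORG_DOMAIN.split(".")[0]              # "mercyhealth", the brand label
KNOWN_STAFF = {"dr. alice chen", "alice chen", "bob okafor"}  # assumed directory

# Substitutions attackers use to make a domain look right at a glance.
# Heuristic only: a legitimate "modern.example" also normalizes to "modem".
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common visual substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typosquats and inserted hyphens."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'ok', 'display-name-spoof', 'lookalike-domain', 'external' or 'malformed'."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == ORG_DOMAIN:
        return "ok"
    # A real employee's name on an outside address: the classic display-name spoof.
    if name.strip().lower() in KNOWN_STAFF:
        return "display-name-spoof"
    # Domain is visually or typographically close to ours, or borrows our brand label.
    if (normalize(domain) == normalize(ORG_DOMAIN)
            or edit_distance(domain, ORG_DOMAIN) <= 1
            or ORG_LABEL in normalize(domain)):
        return "lookalike-domain"
    return "external"


def triage(headers):
    """Return (verdict, header) for every message that is neither plainly ok nor plainly external."""
    flagged = []
    for header in headers:
        verdict = classify_sender(header)
        if verdict not in ("ok", "external"):
            flagged.append((verdict, header))
    return flagged


# Constructed sample From: headers, not real mail.
SAMPLE_HEADERS = [
    '"Dr. Alice Chen" <alice.chen@mercyhealth.example>',
    '"Dr. Alice Chen" <alice.chen@freemail.example>',
    "IT Helpdesk <helpdesk@rnercyhealth.example>",
    "Billing <billing@mercy-health.example>",
    "Patient Portal <noreply@mercyhealth-secure.example>",
    "Supplier Rep <rep@supplier.example>",
    "not an address",
]

if __name__ == "__main__":
    for verdict, header in triage(SAMPLE_HEADERS):
        print(f"{verdict:20} {header}")
```

Run stand-alone, the script flags the freemail message as a display-name spoof, the "rnercyhealth", "mercy-health" and "mercyhealth-secure" domains as lookalikes, and the unparseable header as malformed, while letting the genuine internal address and the unrelated supplier through. A check like this is a triage aid for the mail gateway, not a verdict: it complements sender authentication (SPF, DKIM and DMARC) rather than replacing it, and the homoglyph table will occasionally flag an innocent domain, which is the right failure direction for a hospital.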
Telehealth Growth Opens Up a New Attack Surface
COVID-19 has driven major technological change within the industry, most notably the offering and use of telemedicine, and how people visit their doctor and receive treatment has changed for good. In fact, 56% of patients have used telemedicine in place of in-person visits during the pandemic, including 55% of those aged 60 and older and 59% of women.
And while hybrid care options can be highly beneficial for providers and patients alike, the surge in adoption of digital tools has left more people exposed to attacks in these virtual settings.
Why? To meet demand for contactless healthcare, the federal government temporarily relaxed HIPAA enforcement for telehealth so that providers could use consumer tools such as Zoom to treat patients. Cybercriminals quickly found the security gaps in those tools, and the exposure was compounded by the many providers who had to conduct visits over unsecured home networks.
And while telehealth has been nothing short of a lifeline for millions of patients during the pandemic, most are well aware of the cybersecurity risks that come with wide-scale adoption. Over half (53%) say they are more worried about the security of their personal health information in a telemedicine setting than in person, and 57% believe that providers working remotely during the pandemic and using these virtual tools has increased the risk of their personal health information being compromised.
With COVID-19 sharply accelerating consumers' expectations for contactless service, the telemedicine market is expected to keep growing after the pandemic ends. Healthcare organizations must therefore prioritize the security of their virtual endpoints or watch their attack surface grow far faster than they can defend it.
Increasing Payouts by Shutting Down Access to Care
Ransomware attacks that shut down access to care are a new worry for patients and providers alike. In September 2020, a ransomware attack on University Hospital Düsseldorf forced staff to postpone planned and outpatient treatments and divert some patients to other medical facilities, an incident widely reported as the first ransomware attack to turn fatal.
This kind of interference with critical care is becoming more common in ransomware attacks, and it has heightened Americans' anxiety that an attack could prevent them from receiving care when they need it. Morphisec found that 6-in-10 consumers admit they are more worried about this now than they were a year ago.
The operators behind Ryuk, for example, typically go after the workstations and user interfaces that manage, monitor, and control devices such as imaging equipment. The equipment and the computers connected to it are often encrypted in tandem, rendering both unusable and leaving healthcare staff unable to care for patients.
Because ransomware groups understand just how damaging downtime is, they are increasingly targeting big-name organizations and demanding larger payouts. The average ransom payment for a Ryuk attack climbed to $1.4 million in 2020. Universal Health Services (UHS), the $11.4 billion hospital operator, learned this first-hand when its phone and computer systems were shut down and patient care was delayed or severely limited.
The healthcare industry is under mounting pressure to protect its critical networks 24/7, which only encourages attackers who know how much they stand to gain from a successful intrusion. The good news is that defenders do not need complex solutions. Instead, this crisis should prompt IT departments to examine their investments and ask whether they are relying on more tools for less protection.
Malware is evolving rapidly and learning to bypass widely used next-gen systems entirely, turning complex security stacks into white elephants. For healthcare IT departments struggling under the weight of the sector's most significant emergency ever, the only way to truly protect their organizations and their patients is a proactive defense built on a simplified security stack. As we have seen, cybercriminals are ready to pounce on the first vulnerability they find, and without effective tools in place, healthcare organizations can expect to pay a high price not only in money but in lives, too.