It鈥檚 no secret that ransomware has been a huge problem for years, but the targets typically involved every industry other than healthcare鈥攗ntil recently. Since the onset of the COVID-19 pandemic, ransomware attacks have increasingly focused on healthcare entities with devastating impacts.聽
With patient care hanging in the balance, healthcare organizations are now scrambling to detect and fend off endless attacks, often with mixed results. The U.S. Department of Health and Human Services (HHS) has now responded with new guidelines for healthcare entities and a broader commitment to compliance enforcement and penalties.
Let鈥檚 take a closer look at how we got here.
During the pandemic, saving lives was the top priority in the healthcare world鈥攏ot cybersecurity. But that's exactly what hackers took advantage of. Cybercriminals saw an opportunity to extort hefty ransoms with minimal resistance.聽
Just one month into the pandemic, the FBI鈥檚 Internet Crime Complaint Center (IC3) per day鈥攏early triple the average prior to March 2020. The healthcare sector's transition to remote work, combined with the overwhelming focus on patient care, created fertile ground for ransomware attacks. Hackers exploited vulnerabilities in outdated systems and the increased reliance on digital platforms, subjecting numerous hospitals and clinics to devastating breaches that disrupted operations during an already terrible time.
While the pandemic has mostly subsided, the attacks have not鈥攖hey鈥檝e increased in numbers and severity. In the past year, nearly were hit by ransomware attacks. Just months ago, Change Healthcare was that reportedly affected billing and care authorization portals, leading to prescription backlogs, lost revenue, and threats to worker paychecks and even patient care. American Hospital Association (AHA) President and CEO Rick Pollack 鈥渢he most serious incident of its kind leveled against a U.S. health care organization.鈥
The effects of ransomware attacks on healthcare organizations are often pretty profound and far-reaching. Aside from financial losses, these breaches jeopardize patient safety and compromise sensitive medical data.聽
Ransomware attacks in healthcare usually begin with phishing emails or software vulnerabilities. Once activated, the ransomware encrypts critical data across hospital networks, basically holding systems and all connected devices hostage. This locks out staff from patient records and essential medical systems, disrupting operations and even endangering patient care. From there, attackers will typically demand payment in cryptocurrency for the decryption keys. The hospital must then isolate infected systems, assess damage, and decide whether to negotiate or recover from backups. But even after restoration, the attack can have lasting consequences such as reputation damage and regulatory penalties.聽
John Riggi, cybersecurity and risk advisor for the AHA, in healthcare because it has the biggest impact on patient safety. 鈥淲hen hospitals are attacked, lives are threatened. That鈥檚 the bottom line,鈥 he said. 鈥淭hese are not white-collar crimes. These are not data theft crimes. These are threat-to-life crimes.鈥
Recent cases like the attack on Change Healthcare serve as jarring reminders of the havoc ransomware can wreak on healthcare institutions. These attacks disrupt vital medical services and erode public trust in their ability to safeguard sensitive information.
Despite heightened awareness, the healthcare sector continues to grapple with persistent challenges in combating ransomware. Legacy systems, budget constraints, and a shortage of cybersecurity expertise are just a few of the hurdles in defending against evolving threats. Plus, the interconnectedness of healthcare networks makes it harder to defend against cyber threats鈥攙ulnerabilities in one organization can quickly cascade across the entire ecosystem.
HHS has for cybersecurity practices within the healthcare sector in response to the growing threat landscape. These guidelines emphasize proactive measures such as risk assessments, employee training, and thorough incident response protocols. But that鈥檚 not all: HHS has also begun to mandate timely reporting of ransomware incidents鈥攁nd issue penalties for failing to do so.
In late 2023, HHS made headlines with its linked to a ransomware incident. HHS launched an investigation into Doctors鈥 Management Services (a medical management company based in Massachusetts) in April 2019 following a breach report that indicated ransomware infiltration of its network server. This breach led to unauthorized access to Electronic Protected Health Information (ePHI) stored on the network. During their inquiry, HHS uncovered evidence of poor monitoring of health information systems and a failure to establish policies and procedures compliant with the requirements. The company agreed to pay $100,000 in fines and to execute a corrective action plan to address potential HIPAA Privacy breaches.
Don鈥檛 expect this settlement to be the last. In its own words, the HHS has promised to work with Congress to 鈥渋ncrease civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations and conduct pro-active audits.鈥 In other words, the penalties will only become more severe as HHS is provided with more resources to look for HIPAA violations resulting from ransomware attacks.
As ransomware continues to pose a grave threat to healthcare organizations, it鈥檚 crucial to take proactive measures to safeguard patient data, protect critical operations, and ensure compliance as standards continue to rise.聽
Get insider access to 杏吧传媒 tradecraft, killer events, and the freshest blog updates.
