People depend on hospitals, clinics, medical offices and other healthcare providers to be there when they need them the most. In turn, healthcare organizations depend on technology to be able to provide care. It is an industry where 24-hour availability of services is, quite literally, a life-or-death matter. For healthcare organizations, IT downtime is not only unacceptable but potentially threatening to human lives. Perhaps this is why 34% of healthcare organizations attacked by ransomware in the past year admitted to paying the ransom to try to get their data back and minimize disruption to services.
Sophos, a leading cybersecurity company and AllSafe IT partner, published a report on The State of Ransomware in Healthcare 2021. The survey of 328 IT decision makers across the globe revealed that 34% of the organizations surveyed were hit by ransomware in the past year. Of those, 65% said that the cybercriminals were able to encrypt their data, making it unavailable and essentially useless. As mentioned above, 34% – over a third – of these paid a ransom to recover their data. Again, part of this is because of the urgency to get their systems back so they could continue providing services.
But alarmingly, another reason that healthcare organizations elected to pay up is because they were less prepared to restore from backup. The report showed that only 44% were able to use backups to restore their data, compared to the global average of 57% for other industries. Of all industries surveyed, healthcare ranked the second lowest in their ability to restore from backup.
As for costs, the average ransomware payment was $131,304. However, paying the ransom is a poor strategy. Healthcare organizations reported that they only received an average of 69% of their data back after paying up. The remaining third of their data stayed encrypted and therefore inaccessible. Across industries, only 8% said that they got all their data back after paying the ransom.
But the ransom itself is only a small fraction of the total cost required to recover from a ransomware attack. When figuring the total cost, including downtime, loss of business, device and network costs, etc., healthcare organizations spent an average of $1.27 million in recovery costs after a ransomware attack.
The Health Sector Cybersecurity Coordination Center (HC3) is an entity created by the United States Department of Health and Human Services to identify and communicate cybersecurity risks to the healthcare and public health (HPH) sector. So far, HC3 has tracked 82 ransomware incidents impacting healthcare in 2021 (as of May 25). This includes the attack on the Irish healthcare system, which forced major disruption and the cancellation of non-critical services. Of the 82 ransomware attacks logged in 2021, 48 were in the United States and 10 were in California.
One reason for the uptick in cases is that healthcare organizations don’t tend to prioritize their spending on IT security. In fact, hospitals are notorious for investing only one-tenth of the amount spent by other industries on technology and cybersecurity. As a result, their IT systems tend to be outdated and end-of-life, lacking the latest security patches.
Healthcare records contain sensitive personal data, including patients’ identification information, medical histories, prescriptions, diagnoses, financial information, etc. This makes them extremely valuable to scammers and identity thieves.
These factors, combined with the inherently urgent nature of healthcare services, make the healthcare industry an attractive and easy target for cybercriminals.
AllSafe IT recommends the following best practices:
AllSafe IT is proud to have spent over 15 years providing IT services to hundreds of companies—many of those within the healthcare industry. Our specialized services are uniquely tailored to healthcare IT support to provide our customers with the reliability, protection, and fast services needed to ensure 100% uptime, maximized data security, and importantly, resources for comprehensive HIPAA compliance. From comprehensive and preventative cybersecurity strategies to 24/7 customer support to multi-layered HIPAA compliance, AllSafe IT understands the robust—and unique—needs of healthcare businesses.