The Rising Threat of Ransomware in Healthcare: A Call to Action
By Mike Crouse, Director of Insider Risk at Everfox
In recent years, the healthcare sector has found itself increasingly vulnerable to ransomware attacks, with incidents nearly doubling from 2022 to 2023. This alarming trend poses a significant risk not only to healthcare organizations but also to the patients who rely on them for life-saving services. The recent ransomware attack on OneBlood, a blood center serving hundreds of hospitals in the southern United States, exemplifies the real-world consequences of such cyberattacks. With critical systems offline, OneBlood was forced to revert to manual operations, severely limiting blood supply and delaying complex surgeries.
The Impact of Cyberattacks on Healthcare
The OneBlood incident is just one of many that highlight the dire implications of ransomware in healthcare. Earlier this year, UnitedHealth was compelled to pay $22 million to a ransomware group following an attack on its claims processing unit, which handles nearly half of all U.S. medical claims. The fallout was widespread: three-quarters of U.S. hospitals reported a direct impact on patient care, and 94% experienced financial repercussions, with many reporting revenue losses of at least $1 million per day. In the wake of these attacks, both the American Healthcare Association and the American Medical Association have called for federal support to address the implications of such breaches, especially as sensitive patient data has surfaced on the dark web.
The healthcare sector is particularly attractive to cybercriminals due to the sensitive nature of the data it handles. The average cost of a data breach in healthcare is a staggering $9.77 million, making it the most expensive sector for the fourteenth consecutive year. This reality underscores the urgent need for healthcare organizations to bolster their cybersecurity measures to prevent attacks or at least mitigate their impact.
The Role of Federal Regulations
In response to the escalating threat, federal legislation is beginning to take shape. Following the UnitedHealth breach, Senator Mark Warner of Virginia introduced the Healthcare Cyber Improvement Act, which proposes advanced payments to healthcare providers affected by cyber incidents, contingent on meeting minimum cybersecurity standards set by the Department of Health and Human Services (HHS).
Shortly thereafter, the Healthcare Cybersecurity Act was introduced, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to collaborate with HHS, provide resources to non-federal entities, and establish a liaison for coordination during cyber incidents. These legislative efforts align with HHS’s initiatives to enhance healthcare resilience, including the release of cybersecurity performance goals and best practices.
The implementation of technical controls is crucial for improving cybersecurity in healthcare. One effective approach is to condition access to federal funds, such as Medicaid and Medicare, on compliance with established cybersecurity baselines. This strategy would incentivize healthcare organizations to prioritize cybersecurity measures.
Creating a Culture of Security
While technical controls are essential, it is equally important to recognize that cybersecurity is fundamentally a people problem. Human error remains the leading cause of data breaches, and ransomware attacks often exploit credential theft, compromised users, and social engineering tactics. The high-pressure environment of healthcare can exacerbate insider risk factors, leading employees to make decisions that may inadvertently compromise security.
To foster a culture of security, healthcare organizations must engage stakeholders both internally and externally. This includes gathering data across various departments—medical, finance, HR—while maintaining operational security. Implementing a combination of least privilege access, data loss prevention solutions, and user activity monitoring can provide a comprehensive view of employee behavior, enabling organizations to identify risky anomalies, such as unauthorized data transfers.
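The combination described above (a least-privilege policy plus user activity monitoring to surface unauthorized data transfers) is easy to sketch in code. The following is an added example, not part of the article and not an Everfox product; the log format, the role-to-destination allow-list, the per-role volume limits and the user names are all constructed for illustration.

```python
"""Added example (not from the article): a small user-activity monitor that
checks each export event against a least-privilege destination policy and a
per-role cumulative volume limit, and reports the anomalies it finds.
All log lines, roles, destinations and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: timestamp user role action destination bytes
SAMPLE_LOG = """\
2024-08-01T08:02:11 nurse01 nursing export usb 2048
2024-08-01T08:15:40 billing02 finance export sftp.partner.example 50000
2024-08-01T09:03:27 nurse01 nursing export personal-email 120000000
2024-08-01T09:20:05 hr03 hr export cloud-share.example 300000
2024-08-01T10:11:59 billing02 finance export sftp.partner.example 48000
2024-08-01T11:45:13 hr03 hr export usb 900000000
"""

# Least-privilege policy (assumed): destinations each role may export to.
ALLOWED_DESTINATIONS = {
    "nursing": {"usb"},
    "finance": {"sftp.partner.example"},
    "hr": {"cloud-share.example"},
}

# Cumulative export limit per role over the log window, in bytes (assumed).
ROLE_BYTE_LIMIT = {"nursing": 10_000_000, "finance": 1_000_000, "hr": 5_000_000}


@dataclass
class Event:
    ts: str
    user: str
    role: str
    action: str
    dest: str
    nbytes: int


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, dest, nbytes = line.split()
        events.append(Event(ts, user, role, action, dest, int(nbytes)))
    return events


def find_anomalies(events: list[Event]) -> list[tuple[str, str]]:
    """Return (user, reason) pairs for exports to destinations outside the
    role's allow-list and for users whose cumulative export volume exceeds
    their role's limit (the volume finding is reported once per user)."""
    findings = []
    totals: dict[str, int] = defaultdict(int)
    over_limit: set[str] = set()
    for e in events:
        if e.action != "export":
            continue
        # Least-privilege check: is this destination permitted for the role?
        if e.dest not in ALLOWED_DESTINATIONS.get(e.role, set()):
            findings.append((e.user, f"unauthorized destination: {e.dest}"))
        # Volume check: running total against the role's limit.
        totals[e.user] += e.nbytes
        limit = ROLE_BYTE_LIMIT.get(e.role, 0)
        if totals[e.user] > limit and e.user not in over_limit:
            over_limit.add(e.user)
            findings.append((e.user, "volume limit exceeded"))
    return findings


def flagged_users(events: list[Event]) -> list[str]:
    """Sorted list of distinct users with at least one finding."""
    return sorted({user for user, _ in find_anomalies(events)})


if __name__ == "__main__":
    for user, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

In a real deployment the allow-list and limits would come from the organization's access policy and an observed baseline per role rather than hard-coded constants, and the findings would feed an insider-risk review queue rather than being printed; the point of the example is that the two controls are complementary: the destination check catches a single clearly out-of-policy transfer, while the volume check catches a slow accumulation across otherwise permitted destinations.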
Moreover, collaboration with vendors, mission partners, researchers, and cybersecurity centers of excellence is vital for staying informed about the evolving threat landscape. Regularly sharing lessons learned from these engagements with employees can help cultivate a security-aware culture. Formal training programs and awareness campaigns are essential, as many employees may not fully grasp the potential consequences of a data breach on their organization and its patients.
The Bottom Line
As cybercriminals continue to target healthcare organizations, it is imperative that these entities implement robust cybersecurity solutions and training programs. A single employee clicking on a malicious link can lead to devastating financial repercussions and disrupt critical services. Healthcare organizations cannot afford to wait for regulations to catch up with the ever-expanding threat landscape.
The time for action is now. By enhancing technical controls, investing in internal training, and fostering collaboration with cybersecurity experts, healthcare organizations can better protect themselves and, most importantly, safeguard the health and well-being of their patients. The stakes are high, and the health of patients depends on it.