
Facing Down the Ransomware Threat in the Healthcare Sector
By Assured Data Protection

Cyberattacks, particularly ransomware, remain a constant danger to the US healthcare sector. In terms of the volume and frequency of attacks, 2024 was a record-breaking year, with medical care providers and supply chain vendors severely affected. Despite some success in taking down prominent ransomware gangs, the threat continues unabated.
To outline the scope of the problem, the Department of Health and Human Services Office for Civil Rights hosts a HIPAA Breach Reporting Tool, listing cases of data breaches currently under investigation, plus archived reports detailing past events. As reported by GovInfoSecurity, as of December 20, 2024, there were a total of 677 major health data breaches affecting more than 182.4 million people across the US.
UN Security Council Convenes Meeting on Ransomware Threat Facing Hospitals
Cyberattacks have become such a serious problem that last November, the United Nations Security Council hosted a meeting to specifically discuss the impacts that ransomware and other forms of cyberattacks can have on hospitals and health systems. Briefing ambassadors, the World Health Organization Director-General, Tedros Adhanom Ghebreyesus, detailed the severe impact of cyberattacks on hospitals and healthcare services, calling for urgent and collective global action to address this growing crisis. Adhanom stated, “Ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality, they can be issues of life and death”.
One of the delegates at the meeting, Eduardo Conrado, president of Ascension Healthcare, outlined details of an attack that his organization faced in May 2024, in which operations across the health system’s 120 hospitals were severely affected, with ransomware preventing access to electronic health records. Vital diagnostic services such as magnetic resonance imaging and computed tomography scans were also made inaccessible. This incident caused the hospital chain to shut down IT systems, including electronic health records, for several weeks and resulted in a data breach affecting 5.6 million patients and employees. It took 37 days before normal operations could be resumed.
The Evolving Ransomware Threat to Hospitals
John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association, recently outlined the top cybersecurity challenges confronting hospitals. He warned of rising threats from nation-state and ransomware collaboration, citing an August case where Iranian actors exploited US networks for espionage. Targets of the attack included healthcare organizations. What made this cyberattack stand out was the fact that a nation-state was working to facilitate and profit from ransomware attacks by Russian-affiliated ransomware gangs.
Ransomware Problem Particularly Acute for Regional Hospitals
Successful high-profile attacks on major healthcare providers with large, well-equipped IT resources are occurring regularly. With that in mind, consider the problems faced by regional hospitals in defending against and recovering from an attack.
According to a new report from Microsoft, in addition to the serious impacts to hospital operations that come with any successful ransomware attack, regional hospitals face additional challenges linked to strained budgets that limit resourcing capabilities and cybersecurity measures. Following a ransomware attack, hospitals lose an average of $1.9 million per day, according to the report, and the typical ransomware attack can leave hospitals without access to key electronic services, including electronic health records, for up to 18 days. Regional hospitals cannot afford this level of financial loss.
The Shifting Regulatory Landscape
In response to escalating cybersecurity threats in healthcare, the US Department of Health and Human Services (HHS) has proposed significant amendments to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The proposed updates would mandate stronger access controls, multi-factor authentication, regular risk assessments, data encryption, and more robust backup and recovery protocols.
The most stringent requirement is the proposed ‘72-hour rule’. This rule would require healthcare organizations to restore ePHI, including health records, medical device data, and application information, within 72 hours of a data loss incident. Compliance would be mandatory and would be especially challenging for under-resourced rural hospitals.
Preparing for a Ransomware Attack – and a Rapid Recovery
Healthcare organizations need to assume they will fall victim to a ransomware attack at some point. Smart IT professionals in the sector adopt the attitude that it’s a matter of when, not if. The question then becomes: how can the impact be minimized, and how quickly can data be recovered and normal operations resumed?
The answer to this question lies in having a robust backup of your data in an immutable format, on site, off site, or in the cloud, together with the ability to run business operations from a secondary site. This represents a serious commitment for stretched hospital IT teams and a significant financial commitment, particularly for under-resourced regional organizations. It can, however, be made substantially more affordable by consuming a backup and disaster recovery solution as a service, through a specialist Managed Service Provider (MSP).
A best-practice managed backup and recovery solution in the healthcare sector should ensure that disaster recovery experts are on call 24/7/365 to recover healthcare data following an attack. The solution should also offer an Isolated Recovery Environment (IRE) to protect patient data, as well as a HIPAA-compliant disaster recovery solution that is fully automated and tested for recovery into an IRE.
Assured has published a new whitepaper which outlines the pain points healthcare organizations face in tackling the problem of ransomware, as well as an industry-leading solution to the issue. You can read it here.