Small and Medium Sized Healthcare Organizations Targeted by Ransomware Gangs

Ransomware gangs stepped up their attacks on healthcare organizations in 2020 with some ransomware operations making healthcare a major focus of their attacks.

Many cybersecurity companies have issued reports showing the extent to which healthcare has been targeted by ransomware gangs during the pandemic. A recently published report from CrowdStrike shows attacks on the healthcare sector increased by 580% during the coronavirus pandemic, with 97% healthcare organizations reporting they suffered ransomware attacks in 2020.

Emsisoft reports it tracked 80 ransomware attacks on healthcare organizations in 2020, with those incidents affecting more than 560 provider facilities. Researchers at Tenable report that half of all cyberattacks on hospitals now involve the use of ransomware.

While no healthcare organization is immune to attacks, the human-operated ransomware gangs that have become so prevalent were concentrating on attacking large healthcare providers that had the means to pay large ransoms. However, there are more than 18 ransomware gangs conducting attacks and those attacks are now being conducted on healthcare organizations of all types and sizes, with attacks on small to medium-sized healthcare organizations increasing significantly in 2020.

The two main ransomware gangs – Sodinokibi and Ryuk – may target large organizations, but there are many other ransomware gangs attacking much smaller targets. Ransomware attacks on large healthcare organizations may result in large payments, but the attacks can be more difficult to perform and require a high level of skill to bypass sophisticated defenses.

Attacks on smaller healthcare organizations are easier to perform as the cybersecurity defenses in place at small- to medium-sized healthcare organizations are less robust. These organizations are less likely to have skilled cybersecurity professionals on staff, vulnerabilities are likely to take longer to address, and staff security awareness training is more likely to be infrequent.

The skill level required to perform these attacks is lower, which makes attacks easier for the affiliates that sign up with smaller ransomware-a-a-service (RaaS) operations. RaaS operations recruit individuals to distribute the ransomware and provide a cut of any ransom payments they generate. There appears to be no shortage of individuals willing to conduct attacks. 6 out of 10 healthcare ransomware attacks are now conducted by RaaS affiliates.

Recent Ransomware Attacks on Small to Medium Healthcare Providers

In the past few weeks, several smaller healthcare providers have been hit with ransomware attacks and have been forced to work on pen and paper while they battle to recover their data and restore their IT systems. As is now common with ransomware attacks, sensitive data are stolen prior to file encryption. If the ransom is not paid, the attackers threaten to publish stolen data online or sell the information to the highest bidder.

Several small- to medium-sized healthcare organizations have recently announced they were victims of ransomware attacks in which patient information was potentially stolen and, in some cases, the data have been published online to pressure the victims into paying the ransom.

These attacks include:

• Rehoboth McKinley Christian Health Care Services in New Mexico
• Cochise Eye and Laser in Arizona
• Allergy Partners in North Carolina
• AllyAlign Health Plan

There are no signs that ransomware attacks on the healthcare sector will decline any time soon. In fact, evidence indicates that the attacks will continue to increase in 2021.

What Can Small- and Medium-Sized Healthcare Organizations do to Prevent Ransomware Attacks?

What small- and medium-sized healthcare organizations must do is to improve their defenses. In many cases, attacks have proven successful because defenses have been poor, and cybersecurity best practices have not been followed.

It is essential that healthcare organizations do not assume they will be too small to be targeted, as that is no longer the case.

Steps should be taken to harden security to make ransomware attacks more difficult. That means ensuring patches are applied promptly to correct vulnerabilities before they can be exploited. In 2020, the exploitation of vulnerabilities in software, operating systems, and hardware was the most common attack vector.

However, throughout 2020, phishing was also commonly used for gaining the access to systems necessary do deliver ransomware and phishing became the main attack vector in the final quarter of 2020. Email security defenses should therefore be hardened, and employees should be provided with regular security awareness training to help them identify phishing threats. It is also important to implement two-factor authentication to prevent stolen credentials from being used to access accounts.

If an attack were to occur, it is essential that data can be recovered from backups. It may not be possible to prevent the publication of stolen data but having a sound backup plan will at least ensure that important data are not lost. It is also important to develop an incident response plan that can be implemented immediately in the event of an attack. This will limit the disruption and has been shown to reduce the cost of a ransomware attack.