Healthcare Under Siege: Ransomware in 2024
Ransomware attacks in the healthcare industry have been on the rise this year. Safety Detectives’ Research Team collected and analyzed data showing a significant increase in attacks in 2024 compared to 2023.
Ransomware groups indiscriminately target organizations in diverse industries and countries, with healthcare services being especially susceptible due to the sensitive nature of their data, it appears that attacks on these organizations are increasing. In March 2024, Change Healthcare made headlines after paying a substantial $22 million following a ransomware attack, prompting concerns that healthcare providers may be more likely to opt for paying ransomware demands as a means of possibly avoiding substantial HIPAA penalties.
According to the data collected primarily from Ransomware Live, which is sponsored by the cybersecurity firm Hudson Rock, the statistics from 2023–2024 paint a concerning picture of the increasing frequency of ransomware attacks in the healthcare industry around the world. Based on the data, in 2023, healthcare services ranked as the fifth most attacked industry, but by 2024, they had climbed up to third place. The frequency of attacks on healthcare institutions not only remained high but also rose — 264 attacks have been recorded in the first three quarters of 2024. With three months left in the year, this figure is just four attacks shy of matching the total number of attacks recorded in all of 2023. When comparing month-to-month figures, the number of attacks at the beginning of this year doubled and even tripled last year’s numbers.
Another concerning aspect is that while there were 68 active groups carrying out a combined total of 4,841 attacks in 2023, the number of active groups rose to 87 in 2024, executing an average of 394 attacks per month. There is also an alarming trend towards more sophisticated and coordinated cybercriminal actions. The ransomware attack scenario is continuously changing, with cybercriminal groups utilizing novel strategies and methods to breach organizations’ systems for financial gain. From April to September, cybersecurity specialists detected 177 new ransomware variants developed by the ransomware gangs averaging 30 variants per month and underscoring the dynamic nature of these risks.
The consequences of a ransomware attack on a healthcare provider can be severe. For instance, cybercriminals may disrupt critical healthcare services. Compromised or encrypted systems can hinder healthcare providers’ ability to access electronic health records (EHRs), schedule appointments, conduct diagnostic tests, and share vital information among care teams. This may lead to treatment delays, appointment cancellations, procedural disruptions, and overall interruptions in care continuity. In emergency scenarios where immediate access to medical data is essential, these attacks can impede healthcare providers from delivering timely and efficient care, potentially posing risks to patients’ lives.
Moreover, healthcare providers store an array of Patients’ Protected Health Information (PHI) and Personally Identifiable Information (PII). For example, names, email addresses, physical addresses, mental health records, diagnoses, therapy session recordings, genetic and biometric information, driver’s licenses, passports, social security numbers, NSFW (not safe for work) images, and more. Cybercriminals may steal, exploit and often expose this data, along with financial information, SQL databases, employees’ data, and other sensitive corporate records.
Ransomware groups are not always transparent about the specific amount of data they claim to have stolen. Through our analysis, we were able to identify some claims of data theft, even though most groups do not disclose this information in their posts. By compiling these claims, we calculated a total of 47.3 TB across 103 attacks, with an average of approximately 450 GB per attack. Based on this data, it is estimated that cybercriminals may have stolen nearly 120 TB of data in 2024 thus far only on attacks to healthcare providers.
Samples of the stolen data can be easily found on the clear web, accessible to anyone with internet access. The full troves of stolen data are frequently traded, sold or simply leaked on the clear and dark web, where they could remain available for years after the initial breach. This exposure not only potentially increases risks to individuals whose sensitive information has been compromised but also perpetuates the cycle of cybercrime activity.
The Research Team at Safety Detectives has previously shared about ransomware leaks exposing healthcare providers, such as the Baim Institute for Clinical Research, highlighting the potential risks involved. Despite our analysis of samples from this specific attack not revealing any compromised sensitive patient information, a statement from the Maine Attorney General’s office confirmed that patient data had been leaked due to these cyber incidents.
Potential Risks
The exposure of such sensitive data presents substantial risks, impacting both the individuals affected and the healthcare institutions involved. Some of these potential risks are:
Privacy Concerns: Exposure of health data can raise significant privacy concerns for individuals. This sensitive information, such as medical history, treatment plans, and personal identifiers, may be accessed by unauthorized parties and potentially misused.
Identity Theft: Health-related data often contains personally identifiable information (PII) such as names, addresses, social security numbers, and insurance details. If this information falls into the wrong hands during a data breach, it can be used to commit identity theft or fraud.
Psychological Impact: The exposure of health-related data in a data breach can have a psychological impact on individuals whose privacy has been violated. The fear and uncertainty surrounding the misuse of their sensitive information can cause stress, anxiety, and emotional distress.
Medical Fraud: Cybercriminals may exploit stolen health data to commit medical fraud. For instance, they could obtain healthcare services or prescription drugs under someone else’s identity. This not only puts the victim at financial risk but also compromises their medical records.
Reputation Damage: Healthcare organizations that experience data breaches involving patient information may suffer significant reputational damage. Patients and stakeholders may lose trust in the organization’s ability to safeguard their sensitive data, leading to potential loss of business and credibility.
Legal Consequences: Data breaches involving health-related information can result in legal consequences for healthcare organizations. They could incur in regulatory fines and penalties for non-compliance with laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Organizations may also possibly face lawsuits from affected individuals seeking damages for the breach.
Medical Errors: In some cases, exposure of health-related data in a breach could lead to medical errors or compromised patient care. If unauthorized parties tamper with medical records or treatment plans, it could result in incorrect diagnoses, inappropriate treatments, or delays in care. This poses a significant risk to patient safety and well-being.
Financial Loss: Data breaches in the healthcare sector can also lead to financial losses for both individuals and organizations. Patients may have to pay for identity theft protection services or medical bills resulting from fraudulent activities. Healthcare organizations may face expenses associated with investigating the breach, notifying affected individuals, implementing additional security measures, and potential legal fees.
Long-Term Consequences: Patients may experience ongoing concerns about the security of their personal data, impacting their trust in the healthcare system. For organizations, the aftermath of a breach may include continued scrutiny from regulators, increased cybersecurity costs, and challenges in rebuilding their reputation.
Loss of Trust: Perhaps one of the most significant risks associated with having health-related data exposed in a breach is the loss of trust between patients and healthcare providers. When sensitive information is compromised, patients may question the security practices of the organization holding their data, leading to a breakdown in trust that can be challenging to repair.
Recommendations
In light of these escalating threats, it is crucial for healthcare organizations to prioritize cybersecurity and take proactive measures to protect their systems and data.
Some recommendations for healthcare providers include:
1. Regularly update and patch all software and systems to address vulnerabilities that could be exploited by cybercriminals.
2. Implement strong access controls and multi-factor authentication to prevent unauthorized access to sensitive data.
3. Conduct regular cybersecurity training for staff members to raise awareness about the risks of ransomware attacks; educate them on best practices for data protection.
4. Backup critical data regularly and store it securely offline to ensure that, in case of an attack, data can be recovered without having to pay a ransom.
5. Develop an incident response plan outlining the steps to take in the event of a cyberattack, including communication protocols with stakeholders, law enforcement, and regulatory bodies.
Furthermore, healthcare providers should consider investing in advanced cybersecurity solutions (such as intrusion detection systems, endpoint security software, and encryption technologies) to enhance their defense mechanisms against ransomware attacks. While these measures significantly strengthen cybersecurity, no system can guarantee complete protection against all threats. Timely responses and transparent communication are crucial to minimize the impact of a breach and uphold trust within the healthcare sector. Taking a proactive stance on cybersecurity is key to ensuring patient confidentiality and data protection in today’s digital healthcare environment.However, it is important to note that even with best practices in place, the evolving nature of cyber threats requires continuous vigilance and adaptation.
React to this headline: