The true human cost of ransomware in healthcare

By Dr. Darren Williams

There is always a certain sense of outrage surrounding cyber attacks, but few generate as much dismay as cyber attacks targeting healthcare. It doesn’t get much lower than threatening the privacy of medical patients or even endangering their health.

Unfortunately, many criminal gangs are not only happy to sink this low; doing so is a core part of their business model. Threatening patients’ well-being provides a powerful bargaining chip for causing disruption and pushing healthcare providers to meet blackmail demands.

These tactics appear to be paying off, as we see an escalating number of attacks targeting hospitals and other healthcare providers; the European repository for cyber incidents recorded a 278% increase in incidents between 2022 and 2023. We also found that healthcare saw the highest number of ransomware attacks of any industry for three consecutive months this year.

In addition to the financial and operational consequences, these attacks also take a human toll, affecting patients as well as the doctors and administrators who have to pick up the pieces after an incident. With so much at stake, stronger cybersecurity measures across the industry are more important than ever.

The most obvious impact of a cyberattack on healthcare is the disruption of primary patient care. A joint study between RUSI and Kent University found that serious ransomware incidents can have catastrophic consequences, even resulting in potentially life-threatening delays in patient treatment. Research by CISA also found that redirects resulting from cyber incidents can reduce both survivability and recovery rates.

In Great Britain, the Qilin attack on pathology service provider Synnovis in June led to the cancellation of more than 3,000 hospital and GP appointments across the NHS, directly disrupting vital services such as blood transfusions and diagnostic tests.

Additionally, ransomware attacks often impact systems that manage patient data and appointment scheduling, leading to confusion and errors in patient management. Canceled appointments must be rebooked in an often overburdened healthcare system, further compromising patient safety and causing additional stress.

In addition to the direct impact on treatment, these disruptions also cause significant frustration and anxiety for healthcare workers.

When digital systems are compromised, physicians and administrators are forced to work under even more pressure, manually managing patient care or using workarounds. Reports have found staff suffering from insomnia and PTSD-like symptoms following major incidents. This added stress can lead to burnout, decreased morale, and a decline in the quality of care. With healthcare systems already feeling the strain, this additional stress is clearly palpable.

Many data breaches also involve the theft of employee data in addition to patient records. Thus, healthcare workers may also face anxiety and frustration due to the potential exposure of their personal information as a result of these incidents.

In addition to the immediate operational disruption, ransomware attacks can cause lasting damage to public trust in healthcare systems when personal data is exposed, exposing victims to even more risks such as identity theft, fraud or even direct blackmail attempts. With attackers now routinely combining encryption and data exfiltration, in a tactic known as double extortion, the risks of sensitive data falling into the hands of criminals are increasing.

In one such case, Change Healthcare in the US fell victim to a ransomware attack by a group known as ALPHV/BlackCat, which threatened to publish an unprecedented 6TB of data on the darknet unless a $22 million ransom was paid. And with individual records selling for approximately $50 each on darknet forums, attacks can generate extremely lucrative income for criminal groups in addition to their ransom demands.

Some threat actors have even used sensitive medical data to attempt to extort patients directly, as seen when infamous Finnish cybercriminal Julius Kivimäki attempted to blackmail 33,000 patients of the psychotherapy company Vastaamo.

Cybercriminals know that, in addition to storing valuable, highly personal data, healthcare organizations are typically underfunded, making them a particularly vulnerable target. Many healthcare providers do not have the budget or bandwidth to update outdated systems, leaving them with an IT environment full of outdated and vulnerable assets. Healthcare security is further complicated by the large number of contractors and third-party service providers who are constantly connected online and on-site.

Rather than a complete infrastructure overhaul, healthcare providers should focus on mitigating the impact of attacks. Tightening system access can have a particularly significant impact, and identity-based security measures such as multi-factor authentication and least privilege access policies will ensure that only authorized personnel have access to sensitive information. Taking a Zero Trust approach, which assumes every user, device, and connection is compromised until authenticated, will yield even better results. Identity checks such as Zero Trust also align well with regulations affecting the healthcare sector, such as NIS2.

It’s impossible to be completely immune to a security breach, so healthcare providers must also be equipped to limit the impact when an incident occurs.

Endpoint detection and response (EDR) is essential to identify unusual system activity as quickly as possible. Next-generation firewalls add even more security by enforcing identity-based policies in a more dynamic manner than traditional manual methods of inspecting connections based on port ID and IP address.

Additionally, anti-data exfiltration (ADX) solutions are critical to preventing sensitive data from being exfiltrated during an attack. This ensures that organizations do not have to deal with the long-lasting pain of data breaches that extend months after the initial breach.

Healthcare providers should therefore also focus on securing their external partnerships. This requires rigorous auditing of vendors’ security practices and ongoing monitoring of their systems. Any identity and access management measures should apply equally to all third-party connections.

With attackers intent on stealing sensitive data and disrupting patient care, the human cost of healthcare cyberattacks is already enormous and will only increase. Protecting the well-being of patients and staff requires strategies and tools that will mitigate the disruptive impact of ransomware and keep personal data out of the hands of ruthless criminal groups.

About the author

Dr. Darren Williams is a serial entrepreneur and founder of 3 technology startups. He is currently the founder and CEO of BlackFog, Inc., a global cybersecurity company focused on ransomware and cyberwarfare prevention. Dr. Williams has pioneered anti-data exfiltration (ADX) technology to prevent cyber attacks around the world.
