Healthcare Organizations Struggle to Evade Ransomware

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• A recent RiskRecon study of 1,454 serious ransomware cases finds that healthcare provider organizations account for more than 18% of these incidents, making healthcare by far the most targeted sector.

• Geography was not a factor, with healthcare providers under fire around the globe.

As an industry, healthcare is not exactly known as information technology-forward. The sector lags other verticals in IT adoption and innovation outside of medical technology, and that lag extends to cybersecurity, where gaps in controls have rendered healthcare institutions vulnerable to ransomware and other types of attacks. Recently published research from risk management provider RiskRecon bears this out, showing that more than any other segment, healthcare providers are targeted in what the company terms “destructive ransomware events,” in which the compromised institution’s operations are disrupted because of encryption of essential systems. The study, which examined 1,454 destructive ransomware events that occurred between 2016 and 2023, finds that even if an organization has an excellent security posture itself, it could still be successfully targeted if there are any vulnerabilities in its supply chain.

The research was published the same week Microsoft warned that threat actors are leveraging INC Ransom, a ransomware-as-a-service provider, and are taking aim at healthcare organizations. 2024 has been a difficult year for healthcare organizations and ransomware. In February, medical payment processor Change Healthcare was hit by a ransomware attack that wreaked havoc on its affiliates that depended on the organization to handle their financial transactions. The ALPHV/BlackCat ransomware organization exfiltrated as much as 4 TB of data, including medical records and payment information. Change Healthcare allegedly paid the hackers $22 million, but ultimately expenses associated with the event are likely to top $1 billion.

For organizations that RiskRecon classified as having “poor security hygiene,” the firm says a number of issues were behind that rating. Among them, RiskRecon says these organizations had 7.2 times more high or critical severity issues in their internet-facing systems. These at-risk organizations had on average 12.2 times more unsafe network services exposed, such as Remote Desktop Protocol (RDP). These enterprises also had a 23.7 times higher rate of malicious activity and 6.4 times more encryption configuration issues in critical systems.

Since 2021, in just under 48% of cases the initial attack ingress into the enterprise came through either unsafe network services or unpatched software. RiskRecon notes that while threat actors launch attacks seven days a week, 46% occur from Friday to Sunday, when fewer IT and security staff are likely to be working.
