- Researchers found ransomware in 55% of breaches, or 161 incidents, in the healthcare industry in a 14-month time period, according to a Tenable report released Wednesday. The Tenable Security Response Team (SRT) analyzed publicly disclosed breaches in 2020 and included analysis on activity in January and February of 2021.
- Between January 2020 and February 2021, SRT found the healthcare industry had 293 breaches. Of those breaches, 93% led to record exposure.
- The majority of compromised healthcare organizations, 93%, were able to identify the root cause of the breach. After ransomware, email compromise/phishing (21%), followed by insider threat (7%) and unsecured data bases (4%) led to data breaches.
The healthcare industry is a favored target by cybercriminals: Hospitals cannot tolerate downtime or put off emergency patient care. The result is a potential willingness to pay a ransom to avoid any disruption.
Patching is one of the most important aspects of ransomware deterrence, but in healthcare predictive prioritization takes precedence, where security teams correct vulnerabilities most likely to be exploited, according to Tenable. "The vulnerabilities being leveraged by these ransomware groups are targeted due to lack of patching, and overlap with vulnerabilities targeted by state-sponsored actors for the same reason."
But the healthcare industry balances software and hardware in legacy environments, which challenges routine updates.
"When the question comes, 'How do we keep this device up and running and saving lives? Or do we take it and decommission it because we can't patch it anymore?' I think the answer becomes pretty clear, 'We're going to continue to save lives,'" said Chris Sperry, manager of X-Force Threat Research at IBM Security, during a webcast in November.
"Even in the midst of this global pandemic that we're all living through day in and day out, we're seeing cybercriminals operationalizing against healthcare," he said.
Healthcare systems are the most compromised segment of the healthcare industry, accounting for 30% of overall breaches, followed by hospitals (19%), mental healthcare facilities (6%), medical clinics (5%) and government agencies (4%), according to Tenable.
Of the 161 ransomware victims SRT analyzed, 108 organizations were never able to identify the perpetrator even though "ransomware groups tend to favor leveraging certain attack vectors, so much so that they have their own fingerprints," the report said.
Bad actors will develop new avenues of infection and if an organization detects Ryuk, containment and recovery become the primary mission. The Ryuk ransomware strain was found in nearly 9% of ransomware-related breaches. The ransomware strain "stood out above the rest," even before Maze, Conti and Revil, according to Tenable.
The United Health Services (UHS) estimated its Ryuk ransomware attack cost $67 million by Q4 2020. The attack temporarily pushed the organization to offline patient documentation, and redirected patient care to competitors' facilities.
While the average cost of a data breach is about $3.7 million, breaches in the healthcare sector reach over $7.1 million, according to IBM research. Personally identifiable information (PII) has a value of $150 per record across industries.
The number of records exposed is difficult to quantify, according to Tenable. Only 57% of the breached healthcare organizations publicly disclosed how many records were impacted by their compromise.
"The attack lifecycle within the healthcare industry is generally pretty long as compared to others," said Sperry. In cases where ransomware victims refuse to pay, the malware operators will resort to destructive actions where recovering the encrypted data becomes impossible, according to research from VMware Carbon Black.