Ransomware gangs know how to get the most money for the least effort. They choose targets based on weak defenses and the likelihood of payment: weak defenses mean less time spent breaking in, and a high likelihood of payment means the best possible rate of return. Healthcare delivery organizations (HDOs) satisfy both criteria. HDOs have historically underspent on cybersecurity, resulting in weak network defenses. Those weak defenses, paired with a low tolerance for downtime, make HDOs more likely than organizations in other industries to pay a ransom to restore operations.
Those ransom payments are big business for cybercriminals. Recent reporting from Becker’s Health IT shows that HDOs have paid $100 million to the Conti ransomware gang. U.S. authorities indicted nine members of the gang on September 7, 2023, and are offering millions in reward money for their capture. HDOs in the U.S. were a common target of Conti, which made waves in 2022 with its stated allegiance to the Russian government and the leak of its internal chats that followed.
Besides the cost of recovery, a ransomware attack is incredibly damaging to an HDO’s operations and to patient care. Surgeries are canceled or rescheduled, and patients are diverted to other facilities, adding delays to the care they receive. Moreover, even if an HDO pays the ransom, there is no guarantee that the criminals will actually delete the stolen data. Some sell the exfiltrated data on the dark web even after the victim has paid. Data loss is thus only one consequence of a successful incident:
- Increased mortality rates – In Ponemon Institute research, roughly 20% of surveyed HDOs reported increased patient mortality following a cyber incident. Patients die at higher rates at HDOs that experience a cyberattack, which is bad news for trust in the system.
- Reputational damage and distrust in the community – Rightly or wrongly, people mistrust HDOs that have experienced a cyberattack. The exfiltration of patient data breeds a perception that the organization is unsafe, so people will often avoid HDOs that have had an incident.
- Increased recovery costs – An IBM report estimates that it costs HDOs $10.1 million per incident to recover from a cyberattack, excluding any ransom payment. This is the highest recovery cost of any industry included in the IBM study, and the surge in attacks on HDOs in 2023 only pushes those costs higher.
- Possible regulatory costs – One hospital settled with regulators for $250,000 to avoid the risk of imposed fines and expanded class-action lawsuits. HIPAA and CCPA are only two of the statutes HDOs need to worry about in terms of regulatory consequences. State regulators could also sue following an incident if they claim the HDO didn’t do enough to protect critical health data.
These consequences of a successful data breach are a real risk for HDOs in the modern security landscape, as demonstrated by the recent ransomware attack on Prospect Medical.
Prospect Medical: The Real Impact of a Cyberattack
Prospect Medical Holdings operates 16 hospitals and more than 165 clinics and outpatient facilities in California, Connecticut, Pennsylvania and Rhode Island. On August 3, 2023, it was revealed that a ransomware attack on the Prospect Medical network had impacted multiple locations throughout the country.
Prospect facilities in Connecticut and Pennsylvania swapped over to antiquated phone systems and paper records as they worked to bring operations back online in the weeks following the attack. The affected facilities also diverted or postponed elective surgeries for several weeks after the incident.
According to CybersecurityDive, the ransomware as a service group Rhysida claimed responsibility for the attack. They offered the data stolen from Prospect Medical for $1.3 million on the dark web, or 50 bitcoin, and claimed to have more than 1 terabyte of stolen data and a SQL database containing 1.3 terabytes of data.
The reputational costs of this attack could be substantial. According to a Forbes report, 46% of companies experienced a reputation loss in the wake of a cyber incident. For HDOs, an attack like the one Prospect Medical experienced could lead to regulatory penalties under HIPAA as well as fewer patients booking non-emergency surgeries or other care appointments. Reputation loss is difficult to quantify but can be substantial.
Scripps Health experienced a cyberattack in 2021 and reported $113 million in lost revenue and added expenses in the months that followed. Whether that came from people deciding against Scripps facilities for their care or from continued recovery costs is hard to say, but the reality is that a single successful ransomware incident continues to affect an HDO many months after the technical impact is resolved. In Prospect Medical’s case, there is no telling what the final financial and reputational cost will be until several months from now.
HDOs Can’t Afford to Do Nothing
HDOs are on a financial knife edge. Their revenue tanked during the COVID-19 pandemic and has only recently started to improve, with March 2023 marking the first time in over a year that operating margins crawled into the black, according to Becker’s Hospital Report. These razor-thin operating margins mean that 30% of all rural hospitals, about 646 in the United States, are currently at risk of closure, according to the same data. One cyberattack can put one of these smaller facilities out of business.
Given this stark financial situation, in addition to the direct negative fiscal impacts of a cyberattack, HDOs need to protect their critical systems to ensure they can continue to operate. The revenue and operational risks are too great for these organizations to ignore. More importantly, many rural HDOs are the only healthcare for miles in any direction. Impeding the operations of one county or rural hospital has a massive negative impact on access to healthcare for entire swathes of the country.
Complicating matters is the reality that the number of incidents continues to rise, with 89% of HDOs in a recent Ponemon Cybersecurity in Healthcare study experiencing an average of 43 attacks over the course of 12 months. HDOs can ill afford to do nothing or – more accurately – continue down the pathway of business as usual when it comes to their cybersecurity. Not with the sheer number of threat actors targeting healthcare and the massive risk of negative impacts on patient outcomes and financial solvency.
It should be clear by now that the costs of a successful cyberattack extend far beyond the monetary. HDOs can face penalties for paying a ransom to a sanctioned group, they can be fined for a breach of patient privacy, and they may also face lawsuits from patients whose care was interrupted because of an attack. There are major costs associated with the rising tide of malware crashing against HDOs.
HDOs Need a Risk-Based Approach
HDOs can’t continue to underspend on cybersecurity. Unfortunately, their budgets are so tight when it comes to securing their critical infrastructure that they often have to make do with less than their peers in other industries. HDO technology spending quite rightly focuses on patient outcomes and improving overall care. So what is a cybersecurity team to do when the risks of a breach continue to rise but the budget doesn’t?
The answer is to adopt a risk-based approach to cybersecurity: remove the most risk with the least effort from a small security team. A risk-based approach includes regular vulnerability scans of network-accessible infrastructure to identify security holes, and prioritization of the discovered weaknesses so that the riskiest issues are resolved first. A lot of security software can only produce a risk-blind list of vulnerabilities to remediate. A risk-first approach instead ranks each weakness by how likely it is to cause a catastrophic incident, factoring in how reachable the affected device is, whether the flaw is being exploited in the wild, and how much patient care depends on that device, so HDOs can efficiently reduce the chance of a threat actor succeeding.
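To make the difference between a risk-blind list and risk-first prioritization concrete, here is an added example that is not code from the original article or from Asimily’s product. It scores constructed scan findings by the likelihood of exploitation (CVSS base score, known in-the-wild exploitation, network exposure, compensating controls) multiplied by the clinical criticality of the affected device, then orders remediation work accordingly. The asset names, finding identifiers, weights and discounts are illustrative assumptions, not measured values or any vendor’s scoring model.

```python
"""Risk-based prioritization of vulnerability-scan findings (constructed example).

A risk-blind list orders findings by CVSS alone. The risk-first ranking below
weights each finding by how reachable the device is, whether the flaw is known
to be exploited, what controls already stand in the way, and how much patient
care depends on the device. All weights and sample data are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: float        # 0.0-1.0: impact on patient care if compromised (assumed)
    exposure: str             # "internet", "flat" (flat hospital LAN) or "segmented"
    controls: tuple = ()      # compensating controls already in place


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str           # placeholder identifier, not a real CVE
    cvss: float               # CVSS base score 0-10
    known_exploited: bool = False   # e.g. listed in a known-exploited catalog


# How reachable an attacker finds the device (assumed weights).
EXPOSURE_WEIGHT = {"internet": 1.0, "flat": 0.7, "segmented": 0.3}
# How much an existing control reduces reachability (assumed discounts).
CONTROL_DISCOUNT = {"network_segmentation": 0.5, "virtual_patch": 0.6, "mfa": 0.8}


def likelihood(finding: Finding, asset: Asset) -> float:
    """Probability-like estimate (0-1) that this finding gets exploited."""
    severity = finding.cvss / 10.0
    if finding.known_exploited:            # active exploitation trumps raw severity
        severity = min(1.0, severity + 0.3)
    reach = EXPOSURE_WEIGHT[asset.exposure]
    for control in asset.controls:         # each control makes the device harder to reach
        reach *= CONTROL_DISCOUNT.get(control, 1.0)
    return severity * reach


def risk_score(finding: Finding, asset: Asset) -> float:
    """Risk on a 0-100 scale: likelihood of exploitation times clinical impact."""
    return round(100 * likelihood(finding, asset) * asset.criticality, 1)


def prioritize(findings, assets):
    """Risk-first work list: list of (score, finding), highest risk first."""
    by_name = {a.name: a for a in assets}
    scored = [(risk_score(f, by_name[f.asset]), f) for f in findings]
    scored.sort(key=lambda pair: (-pair[0], -pair[1].cvss))
    return scored


def naive_order(findings):
    """The risk-blind list most scanners produce: CVSS descending only."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample inventory and scan output (assumed, for illustration only).
SAMPLE_ASSETS = [
    Asset("infusion_pump_ward3", criticality=1.0, exposure="flat"),
    Asset("ehr_database", criticality=0.9, exposure="segmented", controls=("network_segmentation",)),
    Asset("lobby_kiosk", criticality=0.2, exposure="internet"),
    Asset("vpn_gateway", criticality=0.8, exposure="internet", controls=("mfa",)),
]
SAMPLE_FINDINGS = [
    Finding("infusion_pump_ward3", "EXAMPLE-0001", cvss=6.5, known_exploited=True),
    Finding("ehr_database", "EXAMPLE-0002", cvss=9.8),
    Finding("lobby_kiosk", "EXAMPLE-0003", cvss=9.0),
    Finding("vpn_gateway", "EXAMPLE-0004", cvss=7.2, known_exploited=True),
]

if __name__ == "__main__":
    print("Risk-blind (CVSS only):", [f.asset for f in naive_order(SAMPLE_FINDINGS)])
    print("Risk-first:")
    for score, f in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(f"  {score:5.1f}  {f.asset:22s} {f.finding_id} cvss={f.cvss}")
```

Run stand-alone, the CVSS-only list puts the 9.8 on the segmented EHR database first, while the risk-first list puts the actively exploited 6.5 on an infusion pump sitting on the flat hospital network at the top and the segmented database last. The point is not the specific weights, which any HDO should tune to its own inventory, but that device reachability, known exploitation and clinical impact belong in the ranking before anyone starts patching.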
Asimily was founded to move the device security industry past prior approaches and evolve to a risk-first approach. With key capabilities around inventory management for connected medical devices, as well as risk-based prioritization of discovered vulnerabilities, Asimily empowers HDO security teams to adopt the risk-based security methodology that will make them safer over the long term.
HDOs face substantial information security headwinds in the market today. Between tight operating margins, skill and resource constraints, and a flood of cyberattacks, the average healthcare organization has a lot of challenges to consider. Not all is lost, however, even with the explosion in IoMT devices and the difficulties inherent in securing a broader attack surface.
A risk-based, holistic approach to securing this infrastructure empowers HDOs with cost savings, a better security posture, and an overall more resilient infrastructure. With Asimily, HDOs can gain confidence that their IoMT devices are accounted for and secured against cyberattacks. Connected devices are growing rapidly in hospital environments, and each brings its own unique attack surface. Asimily’s solution identifies issues and helps customers remediate risks to ensure the best possible security for HDOs regardless of size.
To learn more about the Asimily risk remediation platform, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.