Significant Increase in Ransomware Attacks on Healthcare Industry

Recent months have seen a wave of ransomware attacks in the US healthcare industry, many involving a sophisticated strain of malware called Ryuk.

Recently, an alarming number of ransomware attacks have targeted and disrupted the US healthcare industry. Many of the attacks involve a sophisticated and destructive strain of malware called Ryuk. Ransomware attacks can prevent healthcare providers—ranging from large health systems to small medical practices—from accessing critical data needed to treat patients and maintain normal business operations. Consequently, ransomware attacks can have potentially devastating effects on patient safety and cause financial and reputational damage to afflicted healthcare providers. Healthcare providers should ensure that their information security teams are well positioned to protect and defend their organizations against such attacks.

What Is a Ransomware Attack?

Cyber-attackers use ransomware, a type of malware (i.e., malicious software), in an attempt to extort an organization by freezing access to its own data. Typically, ransomware locks down electronic data files by encrypting them with a decryption key known only to the attacker. The attacker then demands the organization pay a ransom in exchange for the decryption key.

Ransomware often enters an organization when a user clicks a malicious link or downloads an infected file. According to the US Computer Emergency Readiness Team (US-CERT), ransomware “typically spreads through phishing emails or by unknowingly visiting an infected website.” It can be challenging for an organization to detect ransomware when it is initially deployed on its information systems. In fact, the United Kingdom’s National Cyber Security Centre (NCSC) issued an alert on June 22, 2019, advising that Ryuk, in particular, “is often not observed until a period of time after the initial infection—ranging from days to months—which allows the actor to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximizing the impact of the attack.”

Ransomware attacks can cause an intense level of disruption to a healthcare provider’s operations that rely on its information systems. Without access to patients’ electronic medical records, healthcare providers may be forced to delay or cancel patient appointments and procedures, potentially endangering the patients’ safety. A ransomware attack can also cripple a healthcare provider’s revenue cycle management processes and prevent the provider from timely capturing revenue. Moreover, a healthcare provider may need to expend a significant amount of effort and coordination with internal stakeholders, including its:

  1. information security, IT, legal department and senior executives;

  2. external advisors, consultants, forensics vendors, and outside legal counsel; and

  3. law enforcement agencies.

Even healthcare providers with sophisticated data backup and disaster recovery processes may be compelled to pay a ransom to the cyber-attacker to obtain a decryption key because doing so can be more expedient and less resource intensive than restoring the patient data from backups. For these reasons, healthcare providers can face tremendous pressure to negotiate and pay a ransom in order to resume providing vital patient services, notwithstanding the FBI’s warning that there is no guarantee that a criminal attacker will in fact provide a decryption key that will enable full restoration of the encrypted data after receiving a ransom payment.