It’s not your imagination. Ransomware threats to health care organizations are at record levels and continue to rise. Last year, there were 389 reported ransomware attacks on health care organizations in the U.S., up from 258 in 2022. This year, there were 44 ransomware attacks against health care organizations in April alone, the most ever recorded for one month by cybersecurity firm Recorded Future and up from 30 in March. The trend is ominous.
Major health care ransomware incidents this year
Drug distributor Cencora Inc. (formerly AmerisourceBergen) paid a record $75 million ransom in bitcoin last March after a breach resulted in the theft of sensitive data.
Lehigh Valley Health Network, a health system based in eastern Pennsylvania, agreed in September to pay $65 million to victims of a 2023 ransomware attack after hackers posted nude photos of cancer patients online.
Leading health care clearinghouse Change Healthcare (a subsidiary of UnitedHealth Group) was hit with a ransomware attack in February that prevented electronic payments to physicians and claims processing. Change Healthcare paid a $22 million ransom in early March and was not given access to its data, as acknowledged by UnitedHealth Group CEO Andrew Witty in a Congressional hearing.
The cost of these attacks extends far beyond any ransom payments. Change Healthcare says the incident has cost it $872 million and expects that amount to exceed $1 billion. In addition, the American Medical Association found that four in five clinicians lost revenue due to the Change Healthcare breach, with 55 percent of practice owners resorting to using personal funds to pay bills and meet payroll.
Ransomware attacks also threaten the lives of patients when provider organizations’ systems and files are controlled by hackers demanding payment in return for decryption keys. In the case of the high-profile Change Healthcare breach, the ability of clinicians to approve medical procedures and prescriptions was limited. The attack disrupted 80 percent of U.S. hospitals and 60 percent of pharmacies, leading to delays in billing and processing claims.
Ransomware disrupts everything in a health network, including labs and administrative functions. Work slows to a crawl when organizations shift from electronic to physical paper-and-pen communication. This crippling inefficiency alone can severely compromise patient safety.
Cybersecurity experts for years have recommended that health care organizations refuse ransom demands. Caving in, experts warn, encourages more attacks and rewards criminal actions. And as happened in the Change Healthcare breach, the attackers who stole 4TB of patient and payment information were paid $22 million in bitcoins, but they did not provide the decryption key, and Change did not get their data back.
Yet the prospect of a ransomware attack costing the lives of patients under the care of a hospital or health system is something decision-makers undoubtedly want to avoid. After all, their primary mission is to care for patients; better to pay and get back to normal, many believe. This urgency to protect lives and sensitive patient information offers powerful leverage to bad actors and is a main reason why health care organizations are the most lucrative targets of ransomware.
When ransomware hackers strike – to pay or not to pay?
The dreaded day finally arrives – clinicians and staffers at your large hospital or health system suddenly are unable to log on to their networks to do their jobs. Instead, they are greeted with a grim warning on their computer screens that they will not be able to access any systems or data until a multimillion-dollar ransom is immediately paid in bitcoin. What do you do?
Your response depends on several factors. First, don’t panic. If you’re the organization’s chief information security officer (CISO), you should immediately consult with internal leaders and external partners to get more information about how an ongoing ransomware incident will impact various departments and processes but also impact legal and compliance aspects. The critical elements to be considered when responding to a ransomware demand are the risks to the organization, exactly which data has been stolen and held, and whether patient safety and data privacy are imperiled.
Working directly with your general counsel (GC), health care CISOs should seek input from external experts such as digital forensics specialists, ransomware experts, cyber insurance carriers and brokers, law enforcement (including the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA), and your organization’s outside counsel.
Experienced outside voices can assess a ransomware hacker’s history and help you soberly weigh the risks and benefits of paying the ransom. Health care organization leaders faced with a ransom demand understandably may be angry, but it is imperative that their response isn’t influenced by emotion. At this point, whether you pay the ransom is a business decision.
Investing in cybersecurity
Legacy infrastructures and specialized connected devices (which may lack robust security features) make health care organizations inviting targets for ransomware hackers. Given the continuing increase in ransomware incidents, health care organizations should assume they eventually will be attacked.
Indeed, the Change Healthcare ransomware attack earlier this year has galvanized security efforts at provider organizations. A new Bain & Company survey shows that 38 percent of provider organizations have increased spending on cybersecurity software designed to detect and prevent ransomware attacks.
Further, many organizations have developed a variety of effective response and recovery plans and technologies that enable them to continue operations even if ransomware attackers seize their systems and data.
Whatever health care organizations decide, it is critical that they carefully weigh the pros and cons of paying a ransom to hackers that have seized their systems and data before an incident occurs. This is a critical business decision and a legal decision as well that needs to be made before any actual incident. Most CISOs I have surveyed said their stance is not to pay as it just supports the criminal industry. However, these decisions may change depending on the impact of these threats to any organizations and to protect health care information.
Developing long-term strategies for ransomware attacks will make health care organizations better prepared to effectively manage these incidents should they occur. More significantly, a comprehensive cybersecurity strategy will decrease the chances of an organization being successfully targeted by bad actors seeking exorbitant ransom payments.
Cecil Pineda is a health care executive.
