Examining the Impact of Ransomware on the Healthcare Sector and New HHS Guidelines

It’s no secret that ransomware has been a huge problem for years, but the targets typically involved every industry other than healthcare—until recently. Since the onset of the COVID-19 pandemic, ransomware attacks have increasingly focused on healthcare entities with devastating impacts.

With patient care hanging in the balance, healthcare organizations are now scrambling to detect and fend off endless attacks, often with mixed results. The U.S. Department of Health and Human Services (HHS) has now responded with new guidelines for healthcare entities and a broader commitment to compliance enforcement and penalties.

Let’s take a closer look at how we got here.

‍

COVID-19 Only Made Things Worse for Ransomware and Healthcare

During the pandemic, saving lives was the top priority in the healthcare world—not cybersecurity. But that's exactly what hackers took advantage of. Cybercriminals saw an opportunity to extort hefty ransoms with minimal resistance.

Just one month into the pandemic, the FBI’s Internet Crime Complaint Center (IC3) reported an average of 3,000 to 4,000 cyberattack complaints per day—nearly triple the average prior to March 2020. The healthcare sector's transition to remote work, combined with the overwhelming focus on patient care, created fertile ground for ransomware attacks. Hackers exploited vulnerabilities in outdated systems and the increased reliance on digital platforms, subjecting numerous hospitals and clinics to devastating breaches that disrupted operations during an already terrible time.

While the pandemic has mostly subsided, the attacks have not—they’ve increased in numbers and severity. In the past year, nearly 6 in 10 healthcare organizations were hit by ransomware attacks. Just months ago, Change Healthcare was hit by a ransomware attack that reportedly affected billing and care authorization portals, leading to prescription backlogs, lost revenue, and threats to worker paychecks and even patient care. American Hospital Association (AHA) President and CEO Rick Pollack called the attack “the most serious incident of its kind leveled against a U.S. health care organization.”

The Impact of Ransomware Attacks on the Healthcare Sector

The effects of ransomware attacks on healthcare organizations are often pretty profound and far-reaching. Aside from financial losses, these breaches jeopardize patient safety and compromise sensitive medical data.

Ransomware attacks in healthcare usually begin with phishing emails or software vulnerabilities. Once activated, the ransomware encrypts critical data across hospital networks, basically holding systems and all connected devices hostage. This locks out staff from patient records and essential medical systems, disrupting operations and even endangering patient care. From there, attackers will typically demand payment in cryptocurrency for the decryption keys. The hospital must then isolate infected systems, assess damage, and decide whether to negotiate or recover from backups. But even after restoration, the attack can have lasting consequences such as reputation damage and regulatory penalties.

John Riggi, cybersecurity and risk advisor for the AHA, says ransomware has now become the biggest concern in healthcare because it has the biggest impact on patient safety. “When hospitals are attacked, lives are threatened. That’s the bottom line,” he said. “These are not white-collar crimes. These are not data theft crimes. These are threat-to-life crimes.”

Recent cases like the attack on Change Healthcare serve as jarring reminders of the havoc ransomware can wreak on healthcare institutions. These attacks disrupt vital medical services and erode public trust in their ability to safeguard sensitive information.

Despite heightened awareness, the healthcare sector continues to grapple with persistent challenges in combating ransomware. Legacy systems, budget constraints, and a shortage of cybersecurity expertise are just a few of the hurdles in defending against evolving threats. Plus, the interconnectedness of healthcare networks makes it harder to defend against cyber threats—vulnerabilities in one organization can quickly cascade across the entire ecosystem.

‍

How HHS is Responding

HHS has started to issue more stringent guidelines for cybersecurity practices within the healthcare sector in response to the growing threat landscape. These guidelines emphasize proactive measures such as risk assessments, employee training, and thorough incident response protocols. But that’s not all: HHS has also begun to mandate timely reporting of ransomware incidents—and issue penalties for failing to do so.

In late 2023, HHS made headlines with its first HIPAA settlement linked to a ransomware incident. HHS launched an investigation into Doctors’ Management Services (a medical management company based in Massachusetts) in April 2019 following a breach report that indicated ransomware infiltration of its network server. This breach led to unauthorized access to Electronic Protected Health Information (ePHI) stored on the network. During their inquiry, HHS uncovered evidence of poor monitoring of health information systems and a failure to establish policies and procedures compliant with the HIPAA Security Rule requirements. The company agreed to pay $100,000 in fines and to execute a corrective action plan to address potential HIPAA Privacy breaches.

Don’t expect this settlement to be the last. In its own words, the HHS has promised to work with Congress to “increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations and conduct pro-active audits.” In other words, the penalties will only become more severe as HHS is provided with more resources to look for HIPAA violations resulting from ransomware attacks.

‍

Catch Potential Ransomware Attacks Early and Instantly Respond

As ransomware continues to pose a grave threat to healthcare organizations, it’s crucial to take proactive measures to safeguard patient data, protect critical operations, and ensure compliance as standards continue to rise.