While ransomware attacks are becoming more prominent in the news, ransomware itself has been around for quite some time; the first documented attack dates to 1989 and was distributed via floppy disk. This type of malicious software (malware) has the potential to impact every industry, and healthcare has become an attractive target because an attack can disrupt care delivery and put highly sensitive patient information into the wrong hands.
Ransomware works by blocking a victim's access to data or a computer system until the victim pays a ransom, in exchange for the promise of restored access to the encrypted files and, in some cases, a halt to the release of sensitive information to the public. Attacks have also evolved from custom-made programs to more sophisticated and accessible ‘Ransomware-as-a-Service’ models, and have shifted from targeting individuals with sub-$1,000 demands to targeting large, sophisticated organizations with multi-million dollar demands, resulting in far higher total costs for remediation and recovery.
In 2020 alone, there were over 90 individual ransomware attacks in healthcare, impacting over 600 providers and 18 million patient records, a 470% increase over the number in 2019. Between the lost revenue from provider and organization downtime and the $2 billion+ paid in ransoms, these 2020 attacks are estimated to have cost healthcare constituents nearly $21 billion overall. Several high-profile ransomware attacks have also occurred in recent years:
- Q3 2020: UHS reported that a ransomware attack resulted in $67 million in losses. The attack utilized Ryuk ransomware, which is designed for large organizations and was also utilized for 5 other ransomware attacks on hospitals and health systems on the same day. In this instance, it took UHS 3 weeks to get back online and fully operational.
- 2020: Perpetrators gained access to systems via a third-party cloud-computing vendor, Blackbaud, impacting 100 healthcare organizations and giving hackers access to over 12 million patient records.
- October 2021: Indiana-based Eskenazi Health fell victim to a ransomware attack when cybercriminals gained access to their network and the confidential information of more than 1.5 million individuals. The health system did not pay the demanded ransom, in line with what federal agencies recommend, as there is no guarantee that the payment will result in receipt of a decryption key. In this case, the criminals ultimately did release some of the sensitive patient information.
- August 2021: Savannah, GA-based St. Joseph's/Candler Health System was attacked, compromising the information of approximately 1.4 million patients. This included medical records, social security numbers, billing account data, and a myriad of other information. The health system estimated that the attackers had access to the network for six months.
- October 2022: CommonSpirit Health, one of the nation’s largest health systems with operations in 21 states, was attacked in multiple regions, leaving the system locked out of electronic health records and delaying patient care. The attack impacted hospitals in at least 7 states, and is still (as of mid-October 2022) not fully resolved.
The increase in ransomware activity across healthcare has been fueled by a combination of market realities and industry forces:
- Healthcare Data is Extremely Valuable: Healthcare data has a myriad of potential uses, both positive and malicious. For healthcare constituents, longitudinal or aggregated patient information can be used to improve patient outcomes, contain costs, and more. This type of data typically exists in a disaggregated state and is spread across various silos of healthcare; several companies such as Ciox, Arcadia, Health Catalyst, and others are focused on aggregating this data for providers, payers, and life sciences users. This newly aggregated data is extremely valuable to ransomware actors as well, because it contains all of an individual’s personally identifiable information, as opposed to the piece or two that may be found in a financial breach, which expands both the potential use cases for the stolen data and its shelf life. According to Experian, a single patient record can sell for upwards of $1,000 on the black market, nearly fifty times higher than the price for standard credit card records.
- There is More ‘Fluid’ Data Across Healthcare: The proliferation of interoperability in healthcare in recent years has enabled fast, reliable data exchange between all constituents, leading to better patient outcomes and a more efficient healthcare system. The downside of this sensitive healthcare data changing hands, however, is the inherent risk of a data breach. Patients, providers, payers, and any other constituents sending or receiving healthcare data need to be more careful than ever, and policies must be put in place to mitigate as many risks as possible. Mechanisms such as data encryption and user authentication are critical to combat potential threats, and these tools must be supported by education on the importance of following strict protocols when handling healthcare data. The increased role of interoperability in healthcare is a positive for the industry, but as this trend and the technologies enabling it continue to develop and mature, a focus on security has to be top of mind.
- Healthcare Consumerism Is Driving Demand For Data Access, But Also Increasing Risk: Consumers increasingly expect their healthcare partners to provide them with online access to their patient data, with over 50% of patients supporting internet-accessible medical records. This increase in access represents a potential cybersecurity threat: users expect seamless and quick access, which opens them up to more personalized, targeted attacks such as phishing or other social engineering scams. While not ransomware itself, broader access to extremely sensitive personal data gives bad actors more opportunities to gain a foothold. Similarly, wearables such as Fitbits, Apple Watches, and other similar devices that maintain healthcare data and connect to the internet can also provide entry points for hackers to obtain personal health information (PHI) or, worse, to take control of lifesaving medical devices.
Technology Solutions Addressing the Issue
- The Government is Helping Protect Healthcare Data: The Centers for Medicare & Medicaid Services (CMS) views ransomware as a critical homeland security threat. These attacks can lead not only to massive monetary losses but also to a complete shutdown of operations, risking the health of current patients and local communities. Because of this, CMS provides resources to providers and suppliers on how to prepare for and defend against healthcare cybersecurity threats. These resources include National Preparedness Guidelines, CyberSecurity Planning Guides, and CyberSecurity Self Assessments.
This unfortunate reality has created the momentum for unique companies to differentiate themselves by providing the best defenses for constituents across the healthcare ecosystem. There are numerous ways to attack the problem, including training software and services platforms, anti-virus software, system and data backups, threat-detection and prevention solutions, and recovery plans. In recent years, several companies have moved to help arm providers with innovative solutions, attracting attention from healthcare investors:
- CyberMaxx, acquired by Periscope Equity in August of 2021, is a full-service healthcare focused cybersecurity company with services including endpoint threat detection, network-based threat detection and prevention, and security information and event management.
- Clearwater Compliance, backed by Altaris Capital, offers software, managed services, and consulting to healthcare clients for both cybersecurity, compliance and information management services, and is exclusively endorsed by the American Hospital Association.
- ClearData is a healthcare-specific, compliance- and security-focused cloud hosting platform backed by Merck Global Health, Humana, HCSC, Norwest Venture Partners, and others.
- CynergisTek (ASE:CTEK) is a cybersecurity and compliance services firm that works with companies by offering assessment, testing, remediation, and validation services across healthcare, higher education, technology and government verticals.
As the healthcare industry continues its journey to become more consumer-friendly, personalized, and value-based, the role of data and actionable information becomes even more important – and ransomware threats will continue. Fortunately, the industry has taken note with providers purchasing solutions from innovative companies and private equity investing in companies developing ransomware solutions. At TripleTree, we are encouraged by the focus on cybersecurity and look forward to tracking the industry’s progress in the months and years ahead – and seeing fewer headlines on this topic.