In IBM’s 2022 Cost of a Data Breach report, the company revealed that the global average cost of a data breach was $4.35 million. In the healthcare sector, however, that number skyrocketed to $10.1 million. Why is an attack on a healthcare organization so much more costly? While part of this comes down to the fact that healthcare organizations often have big budgets, and so might be able to pay big ransoms, the biggest part of the answer is consequences. In healthcare, real lives are at stake. Downed systems don’t just mean a loss of profit; they can mean a loss of life. Faced with the choice of paying up or letting people die, the decision to pay a ransom is not a hard one, even if the asking price is very large indeed.
State of the Industry
The healthcare industry is a particularly attractive target for ransomware for two main reasons. First, irrespective of benefits, healthcare companies tend to be large businesses with large balance sheets. Total expenses for U.S. hospitals reached above one trillion dollars in 2022, indicating that on any given day, a massive amount of money is flowing in and out of hospitals nationwide. For cybercriminals, this means an easy target with an almost guaranteed payout of some size.
Second, healthcare is an extremely vital industry for humankind. For many organizations in other verticals, ransomware may be a “pay up or go offline” situation. Devices may be taken offline and productivity may slow temporarily, but ransomware is a temporary setback; organizations may even take their time coming up with a way to circumvent payment. For healthcare, however, time is not on the side of the organization. The effects of a ransomware attack are far more useful for criminals when actual lives are on the line.
The deeper problem is that as long as healthcare organizations have to keep paying ransoms to save lives, criminals will keep attacking; it is, unfortunately, part of the overall risk factor for these providers.
A Different Breed of Risk
However, it’s not just the attractiveness of the target that keeps criminals attacking healthcare organizations; it’s also the risk profile of the average healthcare employee.
More than most other industries, we see extremely high mobility of staff within healthcare. Across many healthcare businesses, we see a substantial contingent of staff who are out in the field or are more mobile within their office space. Doctors and nurses are constantly on the move, even if they never actually leave the hospital. Many devices become mobile out of necessity. This creates a physical risk of device loss or theft, increasing the need for a strong, resilient connection and the ability to track or wipe a device should it be stolen.
Additionally, healthcare data is extremely valuable to criminals. This isn’t simply because of the deeply personal nature of the data. It is because it’s a trove of extremely valuable personally identifiable information (PII). This sort of personal information is just what cybercriminals need to answer the personal security questions that protect bank accounts, site logins, and more.
Finally, healthcare systems are often large and interconnected – if security is not ironclad, criminals can rapidly gain the ability to move from end-user laptops to departments like billing, to the pharmacy, to control systems – always finding the weakest link as long as a valuable target exists. This creates an endless game of ‘whack-a-mole’ for healthcare IT teams, where the objective is to simply become less of a target while rooting out malware infections across a wide range of systems.
Overall, with their large attack surface, interconnected systems and highly valuable data, devices in healthcare settings are a perfect target. They are also a perfect use case for a zero-trust network access approach to security.
Risk is usually defined as the product of the probability of a successful attack and the impact of the attack. Protecting your organization to minimize the chances of success is the most common way people try to reduce risk, but it has its limits. No organization is ever going to be perfectly protected. This means that in most cases the best way to minimize risk is by being ready for an attack so that you can minimize its impact. This means that IT teams must find ways to get their organization to a point where it’s possible to recover without paying. This allows them to break the vicious cycle: as long as attacks lead to payments, payments will lead to more attacks. Breaking the cycle is crucial because if you can’t, then no matter how strong your defenses are, criminals will just find a different part of your business to attack. The ultimate goal is to get to a point where if your organization is ransomed it’s only a minor setback – you have the safeguards and backups to minimize the blowback. When you’re able to recover without paying then you win. Criminals aim to attack where the ROI is the greatest – if you don’t need to pay then they’re more likely to move on.
In the case of ransomware, minimizing impact means being able to restore your systems to the pre-attack state as quickly and efficiently as possible. Naturally, to do this you need to have backups, but you need more than that if you want a rapid response, especially when you have a mobile workforce. What you need is remote control of the devices, and you need remote control tools that will survive a complete, clean-slate reinstall of the systems. Surviving a reinstall is crucial because, in an ever-changing world of malware infections, it’s often impossible to be sure that you’ve successfully removed the infection without completely wiping the entire disk. The ability to bounce back in the face of an attack, what IT and security people call “resilience”, is one of the most effective tools you can deploy to minimize the overall risk from ransomware attacks.
Importance of Forward-Planning
Reducing risk is impossible without forward planning, but with a little foresight, healthcare organizations can dramatically reduce the risk from ransomware attacks. The key to this is to balance existing cybersecurity techniques that help prevent attacks with cyber-resilience techniques that help IT teams bounce back. Everyone in healthcare knows that no matter how young and healthy you may be, health insurance is a necessity if you want to get healthy again when illness happens. Cyber-resilience is just the same: if you want to keep your systems healthy you don’t just need to practice good hygiene, you need to ensure that you can get prompt and effective treatment when an infection happens. That way your organization can spend less time and energy keeping PCs healthy and more time keeping the humans healthy!
About Nicko van Someren
Nicko van Someren serves as Chief Technology Officer at Absolute Software, where he oversees the direction and strategic vision of Absolute’s product architecture and security roadmap. He has more than two decades of experience leading, developing and bringing to market disruptive security technologies. Prior to his role at Absolute, Nicko served as Chief Security Officer and Chief Information Officer at nanopay, Inc, a financial services technology company. He has also served as Chief Technology Officer at the Linux Foundation, Good Technology (now a part of BlackBerry) and nCipher (now a part of Entrust Datacard) as well as the Chief Security Architect at Juniper Networks.
Nicko also serves as a board member and advisor for numerous startups and is a mentor for the Techstars accelerator program in Boulder, CO. He has a PhD from the University of Cambridge and fellowships from the Royal Academy of Engineering and British Computer Society.