The first known ransomware attack occurred in 1989 and targeted the healthcare industry. Healthcare organizations have not become any less attractive to ransomware operators in the decades since; attacks on the sector are growing by 70 to 100 percent year over year. In 2023, more than 460 ransomware attacks hit U.S. health organizations, making healthcare the most targeted industry.
This year, the attack on Change Healthcare, a claims-processing clearinghouse, delayed prescription fills and created cash flow problems at facilities across the country. The American Hospital Association reported that 94% of hospitals have felt a financial impact from the incident, with some losing upward of $1 million per day in revenue.
Legislating Cybersecurity
In response to the latest attack, the Health Care Cybersecurity Improvement Act has been introduced to allow advanced and accelerated payments to healthcare providers after a cyber incident. Those payments would go only to providers that can show that they and their vendors meet minimum cyber posture standards defined by the Secretary of Health and Human Services (HHS).
While those standards are still being written, many in Congress are calling for the power to hold accountable, and fine, organizations that leave themselves open to ransomware. The hard part is deciding who is at fault: the hospital system, the vendor whose technology was compromised, or both?
To Pay or Not to Pay
Given the cost of recovering from a ransomware attack, plus the prospect of fines, many organizations opt to pay the ransom quickly to regain access to their data and get systems running again as soon as possible. Paying buys a decryptor and a promise, not a guarantee: decryption tools are often slow or unreliable, and there is no way to verify that stolen data has actually been deleted.
There is considerable debate about what paying ransoms does to the overall threat. Many argue that giving criminals what they want only encourages the behavior to continue and escalate. Others point to the damage a ban on payments could do to the victims themselves.
Banning payments could bankrupt small and medium-sized businesses that lack the resources for a long recovery of systems and data. A ban could also push attackers toward larger, critical infrastructure targets, where the goal is not just money but maximum disruption, since those operators would be under the most pressure to find a way to pay.
HHS has not taken an official position on banning ransomware payments. The Biden administration as a whole has discouraged payments, signing on to the International Counter Ransomware Initiative pledge against government ransom payments and advising against payment in its general cybersecurity guidance.
Getting Ahead of Ransomware
While policy on cybersecurity standards and payment guidance is debated, the government is helping the healthcare industry take practical steps to secure its IT infrastructure. This includes better sharing of threat and vulnerability information between the public and private sectors.
The Cybersecurity and Infrastructure Security Agency (CISA) plans to fully launch its Ransomware Vulnerability Warning Pilot (RVWP), an automated program that alerts organizations running internet-facing software with vulnerabilities that ransomware gangs are known to exploit. Still in its pilot phase, the program aims to reduce the number of ransomware attacks by getting the owners and operators of vulnerable systems to patch before attackers get in. The agency has issued 2,049 warnings since the pilot launched just over a year ago.
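Organizations do not have to wait for a CISA notification to run the same check themselves. CISA's Known Exploited Vulnerabilities (KEV) catalog is published as a JSON feed whose entries carry a `knownRansomwareCampaignUse` field, so an asset inventory can be cross-referenced against it directly. The following is an added example, not code from the article or from CISA: the records mirror the public KEV feed layout (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) but the entries, vendor and product names, hostnames and CVE identifiers are all constructed placeholders, and the vendor/product matching is a simplification of what a real inventory would need.

```python
"""Flag inventory assets whose vendor/product appears in a CISA KEV-style feed,
prioritizing entries the catalog marks as used in ransomware campaigns.

Added example; not code from the article or from CISA. Record layout follows the
public KEV JSON feed, but every value below is constructed: vendors, products,
hostnames and CVE identifiers (CVE-0000-xxxx) are placeholders, not real advisories.
"""
from datetime import date

# Constructed KEV-style records (same field names as the CISA feed; values fictional).
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2024-05-10", "dueDate": "2024-05-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "PACS Server",
         "dateAdded": "2024-04-15", "dueDate": "2024-05-06", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0004", "vendorProject": "OtherCorp", "product": "Billing Portal",
         "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed asset inventory for a fictional hospital network.
INVENTORY = [
    {"host": "vpn-01", "vendor": "ExampleVendor", "product": "Gateway"},
    {"host": "pacs-01", "vendor": "OtherCorp", "product": "PACS Server"},
    {"host": "ehr-db-01", "vendor": "OtherCorp", "product": "EHR Database"},
]


def _key(vendor, product):
    """Normalize vendor/product so minor spelling or case differences still match."""
    return (vendor.strip().lower(), product.strip().lower())


def index_feed(feed):
    """Group catalog entries by normalized (vendor, product) for O(1) lookups."""
    index = {}
    for entry in feed["vulnerabilities"]:
        index.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    return index


def flag_ransomware_exposure(inventory, feed, as_of, ransomware_only=True):
    """Return findings for assets matching catalog entries.

    as_of: ISO date string used to decide whether the KEV remediation due date
    has already passed. With ransomware_only=True, only entries CISA marks as
    'Known' ransomware campaign use are reported; set False for the full KEV match.
    Findings are sorted overdue-first, then by due date, then by host.
    """
    today = date.fromisoformat(as_of)
    index = index_feed(feed)
    findings = []
    for asset in inventory:
        for entry in index.get(_key(asset["vendor"], asset["product"]), []):
            if ransomware_only and entry.get("knownRansomwareCampaignUse") != "Known":
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "product": entry["product"],
                "dueDate": entry["dueDate"],
                "overdue": due < today,
            })
    findings.sort(key=lambda f: (not f["overdue"], f["dueDate"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in flag_ransomware_exposure(INVENTORY, KEV_FEED, "2024-05-15"):
        status = "OVERDUE" if f["overdue"] else "due " + f["dueDate"]
        print(f"{f['host']:<12} {f['cveID']:<16} {f['product']:<14} {status}")
```

Two caveats for anyone adapting this to the real feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json): KEV entries name a vendor and product but not affected versions, so a match is a lead to confirm against the vendor advisory, not proof of exposure; and the `dueDate` is the federal civilian remediation deadline, which a hospital can borrow as a sensible priority order even though it is not bound by it.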
To stay up to date on the ways the healthcare industry is working to mitigate the ransomware threat, check out these resources from GovEvents and GovWhitePapers.
- Securing Our Nation: Insights from DHS (May 14, 2024; webcast) - The U.S. Department of Homeland Security is at the forefront of the public sector's security operations, defending the country's cyber infrastructure, customs, and transportation from internal and external threats. This event is an engaging discussion with a DHS executive to learn more about the agency's valuable duties, missions, and goals.
- Ransomware Summit Solutions Track 2024 (May 31, 2024; webcast) - This session will examine how ransomware actors find success, where they get in, and why organizations are still paying. It will also detail how to change for the better, including human education and training and advanced, AI-based preventive mechanisms.
- Health Innovation Summit 2024 (June 6, 2024; Reston, VA) - The healthcare ecosystem is experiencing repeated issues with intrusion, privacy, and security. The focus of this year's Summit will be new healthcare technologies, innovative products and tools, the use of AI in various components of the healthcare system, partnerships and collaboration to improve the health ecosystem, and much more.
- Ransomware Risk Management (NIST 8374) (September 30, 2024; webcast) - This training is designed to equip participants with the knowledge and skills needed to effectively manage ransomware risks within their organizations.
- Avoiding Ransomware Checkmate (white paper) - Stopping hackers before they gain access to your systems isn't always possible, but with the right tools, you can halt them in the midgame before they can make ransom demands. Learn how network detection and response (NDR) solutions can help detect suspicious activity before it's too late and how strategic decryption can give clear visibility into network activity, so you can identify and respond to malicious activity quickly and strategically.
- 10 Steps to Prepare for a Ransomware Attack (white paper) - Discover key activities and planning needed to mitigate the risk of and damage from a ransomware attack.
- #StopRansomware Guide (white paper) - Ransomware and associated data breach incidents can severely impact business processes by leaving organizations unable to access the necessary data to operate and deliver mission-critical services. This guide from the U.S. Joint Ransomware Task Force provides guidance on protecting networks from attack.
To find more ransomware resources, check out GovEvents and GovWhitePapers.