2020 offered a 'perfect storm' for cybercriminals with ransomware attacks costing the industry $21B

Ransomware attacks cost the healthcare industry $20.8 billion in downtime in 2020, double the 2019 figure, according to an annual report by Comparitech, a company that reviews technology products.

The Comparitech report found that 92 individual ransomware attacks occurred at healthcare organizations, and 600 clinics, hospitals and organizations were affected. In addition, more than 18 million patient records were impacted by these ransomware attacks, a 470% increase from 2019, the report revealed.

In fact, 2020 brought the most ransomware attacks on healthcare providers in the past five years, according to Paul Bischoff, editor of Comparitech. Hackers collected more than $2.1 million in ransom payments.

Ransomware threats increase amid COVID-19

In 2020, the number of ransomware attempts against the healthcare industry rose by 123%, according to the 2021 SonicWall Cyber Threat Report. The increase came during the COVID-19 pandemic, a particularly serious time for the industry, when the healthcare sector could not afford downtime caused by cybersecurity attacks.

“2020 offered a perfect storm for cybercriminals and a critical tipping point for the cyber arms race,” Bill Conner, president and CEO of network security hardware vendor SonicWall, said in a statement. “The pandemic—along with remote work, a charged political climate, record prices of cryptocurrency, and threat actors weaponizing cloud storage and tools—drove the effectiveness and volume of cyberattacks to new highs.”

Both Comparitech and SonicWall found double extortion attacks against the healthcare industry to be a key strategy among bad actors. In a double extortion attempt, hackers steal the data and save copies in their own storage. Then they encrypt the data to prevent access, according to Bischoff.

“The hackers can then extort the victim for the decryption key and to keep the data off of the dark web,” Bischoff told Fierce Healthcare.

Dmitriy Ayrapetov, vice president of platform architecture at SonicWall, notes cybercriminals are more likely to collect ransom payments when using double extortion attacks.

“In a double extortion attack, sensitive data is first exfiltrated, raising the threat that the stolen data will be leaked publicly to create regulatory, or legal, problems for the victim,” Ayrapetov told Fierce Healthcare.

Hackers have targeted data around COVID-19 vaccine research and its supply chain, according to Ayrapetov.

“There have been threats specifically targeting COVID-19 vaccine research, as well as the upstream and downstream supply chains of its development,” Ayrapetov said. “This attack vector may continue for the foreseeable future as data around COVID-19 vaccine research and distribution may provide valuable insights at a nation-state or corporate espionage level.”

Healthcare industry vulnerable to cyberattacks

Healthcare organizations are easy targets for ransomware attacks because they cannot afford to lose access to patient records, Bischoff explained. Avoiding downtime is critical.

“Oftentimes hospitals can't go long without patient data [because that would] put patient health at risk,” Bischoff said. “They are more likely to pay ransoms in a timely manner.”

Both Comparitech and SonicWall found outdated infrastructure leaves healthcare organizations vulnerable to attack. Bischoff noted that hospitals have antiquated IT infrastructure and cybersecurity systems compared with other industries.

“Outdated systems tend to be more vulnerable to attack,” Bischoff said.

SonicWall also found the legacy systems of healthcare organizations are difficult to maintain and protect. The complex healthcare systems are “overburdened and reliant upon legacy systems that require specialized staff to maintain,” Ayrapetov said.

Attackers have increasingly focused on legacy or consumer-grade routers and internet-connected devices that may be deployed at the homes of extended medical staff as they continue remote work, he said.

Organizations suffering from ransom attacks included Beacon Health Solutions, a health benefits and claims administration solutions provider in Tampa, Florida; Wilmington Surgical Associates, an advanced surgical care practice in Wilmington, North Carolina; and Riverside Community Care, a behavioral health and human services company in Dedham, Florida, Comparitech reported.

The Comparitech report also cited a ransomware attack against cloud software provider Blackbaud as seriously affecting the healthcare industry. Hundreds of healthcare organizations use Blackbaud software, Bischoff noted.

“A ransomware attack on the company impacted about 100 organizations using Blackbaud software and more than 12.3 million patient records,” Bischoff said.

How to protect against ransomware threats

To combat ransomware threats, healthcare organizations must ramp up training, Bischoff noted.

“Staff need to be trained to spot and avoid phishing and brush up on basic digital hygiene,” Bischoff said. “Hospital systems need to be hardened and backed up regularly so they can be quickly restored in the event of a ransomware attack.”

To protect against ransomware and other cybersecurity risks, companies should deploy endpoint protection that uses machine learning and advanced threat protection, Ayrapetov advised. He also recommends adhering to zero trust principles, summed up in the motto “never trust, always verify,” which involve granting the least access necessary to perform a job.

“When granting a remote employee VPN access, limit their access to a single resource or machine that they need—not the entire network with a full VPN tunnel—something that we continue to see,” Ayrapetov said.

Another key strategy to protect networks is multifactor authentication, in which users authenticate their identity in multiple ways, such as with security tokens, an authenticator app, or a code sent by text message or email.