In the digital practice, where sensitive business and patient information is stored electronically, ransomware is one of the most devastating forms of malware. It works by encrypting files or otherwise blocking access to them and demanding payment to restore access.1 The loss to a healthcare practice, and to its patients if access to medical records is blocked, can be severe. Once an attack succeeds, recovering the data without paying the ransom is often infeasible unless the practice has intact backups that the attacker could not reach or alter.
In 2023, the FBI’s Internet Crime Complaint Center (IC3) reported receiving 1,193 complaints of ransomware attacks from organizations in a critical infrastructure sector.2 The healthcare and public health sector accounted for 249 of those attacks — 21% of the total and the largest share of any sector.2
Adding to the difficulty for HIPAA-covered entities and business associates, the HHS Office for Civil Rights treats a ransomware attack that encrypts electronic protected health information (ePHI) as a presumed breach under the HIPAA Breach Notification Rule, unless the entity can demonstrate a low probability that the PHI has been compromised.3 For organizations not covered by HIPAA, the incident may instead fall under the FTC's Health Breach Notification Rule.4
Ransomware Costs In Healthcare Go Beyond the Financial
A cyberattack on a healthcare organization can be disruptive and costly. Among healthcare organizations surveyed in a 2023 Ponemon Institute study, the average total cost of their most expensive cyberattack was $5M, and the average of the costliest ransoms paid was estimated at nearly $1M.5 Unfortunately, paying the ransom does not guarantee that access will be restored. The ransomware attack on Change Healthcare in February 2024 reportedly resulted in a $22M ransom payment, but the affiliate holding the stolen data claimed it never received its share of the payment and did not release the data.6
While these costs are significant, attacks that block access to medical records or essential patient care services can also put patient safety at risk. The Ponemon study found that disruption to normal healthcare operations was the single largest cost component, averaging 27% of the total cost.5 Of the surveyed organizations that experienced a ransomware attack, 68% said the attack affected patient safety and care, including:5
- 28% reported an increase in mortality rate
- 59% reported delays in procedures and tests that resulted in poor outcomes
- 44% reported an increase in complications from medical procedures
- 48% reported longer length of stay
- 46% reported an increase in patients transferred or diverted to other facilities
Employee Security Awareness is Essential
Ransomware attacks often begin when an unwitting employee is tricked, through a phishing email or other social engineering, into clicking a malicious link or opening an attachment that infects their computer.7 While IT staff can deploy measures to protect systems from attack (such as anti-virus software, spam filters, and ad blockers), employees who use company computers to access sensitive data are a critical part of any security effort.
All employees should learn to recognize and avoid these attacks. The following tips can help and may also be incorporated into the employee handbook or company policies. If you suspect an attack, contact your IT staff:
- Do not access company information (such as documents or email) on unauthorized devices. Check with IT staff before using your personal mobile devices or computers for business.
- Be wary of unexpected emails with attachments or links, even if they appear to come from someone you know. Attackers can spoof the sender's display name or register look-alike domains that differ from the real one by only a character or two, so the disguise is easy to miss.8 If you are not expecting a file or link, confirm with the sender by phone or text (not by replying to the email) or contact IT.
- Do not install unauthorized software, including applications, toolbars, or extensions. Malware often poses as legitimate programs like games, tools, and even antivirus software. Check with IT before installing anything.
- Do not respond to emails requesting passwords or confidential information. Banks and credit card providers will never ask for your account number, Social Security number, or passwords by email.9 Attackers succeed because they are convincing, but neither IT staff nor any legitimate business should ever ask for your password. Report any such request to IT.
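The "subtle disguise" of sender addresses described in the second tip is easier to recognize once you have seen what it looks like in a raw From: header. The script below is an added example for this article (it is not code from the article or from any of its references) showing how an IT team could flag the common tricks: digit-for-letter swaps, "rn" standing in for "m", non-ASCII look-alike characters, a trusted name embedded in an unrelated domain, and a display name that shows a trusted address while the real address points elsewhere. The trusted domains, the substitution table, the edit-distance threshold, and the sample headers are all constructed for illustration.

```python
"""Flag From: headers whose sender domain imitates a trusted domain.

Added example for this article, not code from the article or its
references. The trusted domains, the substitution table, the edit
distance threshold and the sample headers are constructed.
"""
from __future__ import annotations

import unicodedata
from email.utils import parseaddr

# Hypothetical domains the practice genuinely corresponds with.
TRUSTED_DOMAINS = ("examplepractice.org", "examplelab.com")

# Digit-for-letter swaps commonly used in look-alike domains.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Canonical form used only for comparison, never for display.

    Lower-cases, applies Unicode compatibility normalization, folds the
    digit-for-letter swaps and the two classic multi-letter confusions
    ("rn" read as "m", "vv" read as "w"). Cyrillic or Greek homoglyphs
    are not mapped here; they are reported by the non-ASCII check.
    """
    domain = unicodedata.normalize("NFKC", domain).lower()
    domain = domain.translate(DIGIT_SWAPS)
    return domain.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return the reasons a From: header looks suspicious; empty means clean."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    reasons: list[str] = []

    # Display name that shows an address at a trusted domain while the
    # real address is somewhere else, e.g.
    # "Dr. Lee <dr.lee@examplepractice.org>" <dr.lee.md@mail-example.net>
    if any("@" + t in display_name.lower() for t in TRUSTED_DOMAINS):
        reasons.append(f"display name shows a trusted address but mail is from {domain!r}")

    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return reasons  # genuine domain (or a subdomain of it)

    if not domain.isascii():
        reasons.append(f"non-ASCII characters in domain {domain!r}")

    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if norm == trusted:
            reasons.append(f"{domain!r} is a character-substitution look-alike of {trusted!r}")
        elif edit_distance(norm, trusted) <= 2:
            reasons.append(f"{domain!r} is within 2 edits of {trusted!r}")
        elif label in norm:
            reasons.append(f"{domain!r} embeds the trusted name {label!r}")
    return reasons


# Constructed sample headers, not real traffic.
SAMPLE_HEADERS = [
    '"Billing Dept" <billing@examplepractice.org>',
    '"Billing Dept" <billing@exarnplepractice.org>',
    '"Lab Results" <results@examp1elab.com>',
    '"Dr. Lee <dr.lee@examplepractice.org>" <dr.lee.md@mail-example.net>',
    "no-reply@examplepractice.org.verify-login.com",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict = check_sender(header)
        print(f"{header}\n  -> {verdict or 'no impersonation indicators'}")
```

The normalization is applied only to the comparison, never to what is shown to the user, so a flagged header is reported with the domain exactly as it arrived. An unknown but unrelated domain returns no reasons, which is deliberate: the check looks for impersonation of domains the practice trusts, not for every unfamiliar sender, and it complements rather than replaces the mail server's own SPF, DKIM, and DMARC checks.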
With these simple precautions, employees can go from being an easy point of attack to the first line of defense in securing the digital practice.
References
1. Federal Bureau of Investigation. “Ransomware.” Undated.
2. Internet Crime Complaint Center (IC3). 2023 Internet Crime Report. Federal Bureau of Investigation. (PDF)
3. Office for Civil Rights. “Fact Sheet: Ransomware and HIPAA.” U.S. Department of Health and Human Services. Content last reviewed September 20, 2021.
4. Cybersecurity and Infrastructure Security Agency. “#StopRansomware Guide.” Undated.
5. Ponemon Institute. “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023.” (PDF)
6. Brian Krebs. “BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare.” Krebs on Security. March 5, 2024.
7. Kurt Baker. “What Is Ransomware?” CrowdStrike. January 30, 2023.
8. Federal Bureau of Investigation. “Spoofing and Phishing.” Undated.
9. Clare Stouffer. “What Is Phishing? + How to Spot and Avoid It.” Norton Blog. September 12, 2023.