As we approach the end of the year, data breaches and ransomware in the healthcare sector continue to be a major concern for the US and other nations across the globe. The sector is particularly attractive to cybercriminals because it cannot afford downtime or lack of service availability, and IT resources are often limited. There are huge numbers of connected devices in each institution, and cybersecurity, until now, has not been as tightly regulated as in other critical infrastructure sectors.
Data Breach and Ransomware Patterns in the Healthcare Sector
Since 2011, data breaches in the healthcare sector have been the costliest among all sectors. In 2024, the average cost of a data breach in the sector was USD $9.77 million – almost double the global average cost of a data breach ($4.88 million).
According to the 2024 State of Ransomware Report, 67 percent of healthcare organizations globally were targeted by ransomware between 2023 and 2024. The top root causes were vulnerability exploitation (34%) and compromised credentials (34%).
The average ransom demanded in the sector is USD $4.91 million, but the top ransom amounts can go much higher.
In February 2024, a ransomware attack by BlackCat/ALPHV on Change Healthcare in the US sent shockwaves across the industry, with the organization choosing to pay $22 million to recover lost data.
Change Healthcare and other Ransomware Attacks in the US
In June, we published a blog post talking about some of the repercussions of the Change Healthcare attack, ways to build cyber resilience in healthcare institutions, and the need for collective defense.
Six months on, Change Healthcare has still not recovered completely from the ransomware incident, and the list of attacks targeting the sector overall has grown longer.
In this post, we take a look at the fallout of the attack, new legislation in the offing, and security agencies’ advisories to support IT and security teams defending against ransomware.
As of December 16 this year, 561 healthcare data breaches affecting more than 500 records had been reported to the US Office of Civil Rights (OCR). Thirty of these breaches affected at least half a million individuals, with the Change Healthcare (100 million), Kaiser Foundation (13.4 million) and HealthEquity, Inc. (4.3 million) breaches topping the list.
In the middle of November 2024, Change Healthcare posted an update on its website confirming the restoration of its clearinghouse services. The update came nine months after the organization was attacked by the BlackCat/ALPHV ransomware gang, compromising 100 million healthcare records. UnitedHealth (Change Healthcare’s parent company) ended up paying a ransom of $22 million to the perpetrators after the February attack, and according to its Q3 2024 earnings report, the incident and remediation efforts had cost the company $2 billion by the end of September 2024. The attack was made possible due to stolen employee credentials that attackers used to access a Citrix portal that did not have MFA enabled – something that could have been easily prevented with a few essential security controls in place.
Ransomware Mitigation Advisories
Following this and other attacks on the healthcare sector, the FBI, CISA and the HHS updated their joint cybersecurity advisory with the IOCs and TTPs associated with the ALPHV BlackCat ransomware on February 27, 2024.
Two other important healthcare-related cybersecurity advisories published or updated this year are the Black Basta advisory, first published in May and revised in November 2024, and the RansomHub ransomware advisory published in August 2024.
Here are the top ransomware-mitigation recommendations included in the advisories:
- Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
- Prioritize remediation of known exploited vulnerabilities.
- Enable and enforce multifactor authentication with strong passwords.
- Close unused ports and remove applications not deemed necessary for day-to-day operations.
- Install updates for operating systems, software, and firmware as soon as they are released.
- Train users to recognize and report phishing attempts.
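As an added example (not code from the advisories or from this post), the following Python script operationalizes two of the recommendations above: it cross-references a scan-derived asset inventory against a known-exploited-vulnerabilities (KEV) list and flags internet-facing services without MFA, the exact gap behind the Change Healthcare intrusion. The inventory, the KEV subset and the CVE ids are constructed placeholders, not real catalogue data.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    host: str
    product: str
    internet_facing: bool
    mfa_enforced: bool
    cves: tuple  # CVE ids reported by a vulnerability scan for this asset

# Constructed KEV-style subset. These ids are placeholders, not real CVEs.
KEV_SAMPLE = {"CVE-0000-0001", "CVE-0000-0002"}

# Constructed inventory for a small clinic (hypothetical hosts and products).
INVENTORY = [
    Asset("vpn-gw-01", "remote-access-gateway", True, False,
          ("CVE-0000-0001", "CVE-0000-0099")),
    Asset("ehr-app-01", "ehr-server", False, True, ("CVE-0000-0002",)),
    Asset("dicom-01", "imaging-workstation", False, True, ("CVE-0000-0098",)),
    Asset("fw-01", "firewall", True, True, ()),
]

def score(asset, kev):
    """Return (score, kev_hits). Higher score = remediate first.
    A known-exploited CVE dominates; exposure and missing MFA add weight."""
    kev_hits = [c for c in asset.cves if c in kev]
    s = 100 * len(kev_hits)
    if asset.internet_facing:
        s += 50
    if asset.internet_facing and not asset.mfa_enforced:
        s += 40
    return s, kev_hits

def prioritize(inventory, kev):
    """Return [(host, score, findings)] for assets needing action, highest first."""
    rows = []
    for a in inventory:
        s, hits = score(a, kev)
        findings = []
        if hits:
            findings.append("known-exploited: " + ", ".join(hits))
        if a.internet_facing and not a.mfa_enforced:
            findings.append("MFA not enforced on exposed service")
        if s:
            rows.append((a.host, s, findings))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for host, s, findings in prioritize(INVENTORY, KEV_SAMPLE):
        print(f"{s:4d} {host:12s} {'; '.join(findings)}")
```

Unexploited CVEs on an isolated workstation (dicom-01) fall off the list entirely, which is the point of prioritizing by KEV status rather than raw CVE count.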
Health Infrastructure Security and Accountability Act (HISAA)
Another longer-term outcome of the Change Healthcare ransomware attack and the slew of other cyber incidents in the sector was the introduction of a new bill in September to tighten cybersecurity practices in healthcare organizations in the US, with stricter penalties for noncompliance. If passed, the Health Infrastructure Security and Accountability Act (HISAA) will mandate stronger security and risk assessment programs for HIPAA-covered entities and impose civil penalties ranging from $500 to more than $250,000.
The law would require regular security risk assessments, incident response plans, and third-party audits, and covered entities and business associates would need to submit annual compliance reports to HHS.
Additionally, Medicare cybersecurity grants would provide $800 million in up-front investment payments over two years for 2,000 rural and urban safety-net hospitals to adopt essential cybersecurity standards. Hospitals would also be incentivized to adopt enhanced cybersecurity practices.
Overall, the legislation seeks to improve the security posture of the healthcare industry, protect patient privacy, and mitigate the risks associated with cyberattacks.
Joint UN Statement
In November, a joint UN statement was issued by over 50 countries expressing concern over “the frequency, scale, and severity of ransomware attacks against critical infrastructure, in particular hospitals and other healthcare facilities.” The statement called on all UN Member States to work together to confront and disrupt the ransomware threat and “not knowingly allow their territory to be used for internationally wrongful acts using Information and Communications Technologies (ICTs), which could include acts by ransomware actors operating within their jurisdiction.”
In the coming year, we can expect heightened law enforcement action against cybercrime actors targeting healthcare, more joint initiatives and increased legislation. All this, however, may still not be enough to keep attacks at bay and stop the targeting of healthcare providers, clearinghouses and vendors. Healthcare institutions and adjacent services need to prioritize a strong security posture, effective data protection measures, and awareness-building to prevent and mitigate the impact of ransomware.
Cost-Effective Cybersecurity for Healthcare SMEs
For smaller, resource-constrained providers, implementing essential security controls need not be ultra-expensive and beyond budget. Even basic risk reduction initiatives such as those included in the CIS Controls Implementation Group 1 can go a long way towards keeping PHI and PII secure. Small medical practitioners, dental offices and healthcare organizations without the requisite security expertise can consider outsourcing data protection to MSPs and MSSPs focused on small businesses.
To build a cybersecurity program that implements multiple essential risk reduction measures while keeping operating costs low, look at unified and industry-vetted security platforms like CYRISMA. CYRISMA brings together a range of essential risk reduction and compliance tools in ONE affordably priced platform to help MSPs, MSSPs and organizations reduce cyber risk in a cost-effective manner. In addition to vulnerability management, data discovery and secure configuration scanning, CYRISMA also includes HIPAA compliance and enables healthcare organizations to get closer to meeting all requirements.