How much would you pay to get your personal data back? What about the hundreds of thousands of personal data records stored by your company? The impacts of the global pandemic have put the healthcare industry at the top of the list for ransomware threats. In fact, healthcare cyberattacks doubled in 2020, with 28% tied to ransomware.

And the truth is, ransomware is one of the most aggressive and damaging forms of cyberattack. The threat itself is also highly adaptable: it is accessible, it evolves fast, and it scales well, which makes it a ransomware gang's dream route to an abundance of easy money.

The rise in ransomware is well documented:

A Chainalysis report found a 311% year-over-year increase in the number of actual ransomware attacks through the end of 2020.

A study from Deep Instinct found that malware increased by 358% in 2020.

Amid this rise in ransomware, attackers are increasingly turning their focus to healthcare institutions. According to an IBM X-Force report, cyberattacks on healthcare more than doubled in 2020, with ransomware accounting for 28% of all attacks. So, even where attackers face strong defenses, life-or-death becomes leverage, and the cost of a ransomware attack on a healthcare institution is far more than the demanded ransom amount.


Why Ransomware Attacks are Directed at Healthcare Institutions 

Like many businesses, healthcare institutions were not prepared for a global pandemic. They had scarce resources and were under intense pressure to treat the onslaught of sick patients, and ransomware gangs saw a unique opportunity in the healthcare sector. Why?

  • PII / Sensitive Data: The healthcare industry holds an enormous amount of personally identifiable information – from home addresses, phone numbers, and credit card numbers to social security numbers – making it one of the most attractive targets for ransomware attacks.
  • Geopolitics: Given that many ransomware gangs come from Eastern Europe and Russia, they often do not attack one another. With geopolitical tension rising between the U.S. and Russia, the Russian government put out an edict to target U.S. healthcare institutions earlier in 2020, painting an even bigger target on the backs of U.S. healthcare institutions.
  • Poor Security Infrastructure, Controls, and Processes: First and foremost, the mission of healthcare providers is to treat and protect patients. That said, hospitals are businesses, so cybersecurity often gets branded as “just another cost center,” which delays the modernization of outdated systems, investment in enhanced controls that protect patient and hospital data, and the consistent enforcement of cybersecurity controls and protocols. In short, when it comes to systems and data, a good number of healthcare organizations are behind from a technology standpoint.
  • Lack of Incident Response Plan: While many hospitals have begun modernizing their business infrastructure and updating procedures and policies to prevent cyber threats like ransomware, many have failed to devise a plan for what happens when they actually get breached. It is one thing to stay as secure as possible, and another to be prepared to sustain business continuity when disrupted.

Related Reading: The Rise of RaaS Gangs + What You Need to Know 


Cost of Healthcare Ransomware Attacks

According to IBM, nearly one in four cyberattacks last year was ransomware. The increase in data extortion enabled just one of these ransomware gangs, REvil, to make over $123 million in profit in 2020.

That said, the hard costs of a ransomware attack extend far beyond the ransom demand. The overall cost of an attack includes the ransom + recovery cost + further HR costs for employees and patient care, as well as many other factors.

The effects can cause an immense loss of profit along with long-term damage to a healthcare organization's brand reputation. Knowing that healthcare institutions are a prime target for attackers, it is important to take action before the threat is at your doorstep.


How Healthcare Institutions Can Make the Business Case for Ransomware Prevention

When making the case to stakeholders, it is important to emphasize the risk of inaction and frame it in the context of the overall business. Start by defining the stakes for your organization:

  1. Patient Safety Risk → In the University of Vermont Health Network attack, the magnitude of the impact was frightening: ambulances were rerouted, cancer patients' radiation treatments were delayed, and medical records were rendered temporarily inaccessible and, in some cases, permanently lost. In another attack, in September 2020, delays caused by ransomware resulted in the death of one patient under critical care. In the best-case scenario, disruptions caused by ransomware are inconvenient and expensive. In a high-stakes setting like a hospital, they become life-threatening.

  2. Financial Risk → A 2021 ransomware report found that businesses lose around $8,500 per hour to ransomware-induced downtime. Aside from the ransom demand itself, the financial risk multiplies through operational downtime, potential HIPAA penalties, and other factors. It raises an important question: if you are ransomed, will you have the funds to survive it?

  3. Brand / Marketing Risk → With today's threats directly impacting patients, whether your systems keep operating during an attack directly affects patient trust; everything from patient records to the technology used to save lives would be threatened. Can the organization afford that kind of reputational hit? How would the hospital's “brand” recover from such an incident and regain the loyalty and trust of existing and potential patients?

  4. Operational Risk → Does the organization have the capability to sustain business continuity while under attack? These attacks can cripple a clinic's systems. In one health system, attackers held electronic health records (EHR) ransom, forcing the health system to use EHR downtime procedures and rendering its patient portal, EHR, and lab results inaccessible to the majority of its care sites for well over a month.

Once you have defined these risks, frame the benefits:

  1. Financial Benefits → Reduced risk of severe financial loss.

  2. Brand / Marketing Benefits → Patients can trust your institution with their PII as well as their healthcare. It never hurts to be seen as reliable and prepared, especially in a space that often handles matters of life and death.

  3. Operational Benefits → Strong defenses, backed by an even stronger incident response plan, mean business continuity. The faster the ransomware is contained and remediated, the faster the organization can get back on its feet.


What Healthcare Institutions Can Do to Mitigate the Impact of Ransomware  

With ransomware continuing to rise in the healthcare industry and showing no signs of slowing down, healthcare providers and organizations have expanded their efforts to stay protected through third-party tools and partners.

Because healthcare institutions, as well as the associated third-party tools and partners, have a massive digital footprint, safeguarding against ransomware is no easy task.  

Mitigating ransomware starts with viewing the cybersecurity situation holistically. To build resilience, your organization must be prepared to continue operations and have a plan whose critical elements minimize the impact of a ransomware incident. Here are some of the best mitigation practices to implement, broken down into two categories:

  1. Addressing Technology Factors

  2. Addressing Human Factors


Healthcare Ransomware Prevention: Addressing Technology Factors 

In a 2016 SentinelOne survey, 70% of respondents had to increase IT spending, 65% changed their cybersecurity strategies, and 52% said they had lost faith in anti-virus solutions. As we move into 2021, those percentages have only increased.

  • EDR + Visibility of Security Analytics → Endpoint detection and response (EDR) is security software that monitors end-user devices across a network for suspicious activity, automatically blocks threats, and saves forensic data for further investigation. An EDR platform integrates deep visibility into everything that happens on an endpoint (processes, changes to DLLs and registry settings, file and network behavior) with data aggregation and analytics that let threats be identified and countered by automated or human processes.
  • Data Backups → Create backups of critical systems and store them offline, disconnected from the network. This step is critical, as some newer ransomware looks for backups and backup routines and disables them before launching the attack. At that point, the business's only recourse is its disconnected, offline backups, which are often not up to date.
  • Patch Systems → Patching operating systems, software, and firmware as soon as manufacturers release updates is vital.
  • Disable Unused Devices → Unattended devices leave an opening for attackers, so any unnecessary communications equipment, especially remote equipment, should be disabled or unplugged.
  • Password Protection → Password cracking is a common path to privilege escalation, and from there to pure chaos. Implementing a strong-password policy, requiring regular password changes, and never reusing a password across accounts may not be convenient, but it is absolutely necessary.
  • Consistent Authentication → Ensure that user identity, authentication, and authorization are handled consistently.
  • Stronger Security + Access Controls → Enable multi-factor authentication (MFA), and deploy CAC, smart card, or biometric authentication in addition to secure passwords.
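The backup point above has two failure modes a practitioner needs to catch: a backup set that has been silently altered, and a backup routine that ransomware disabled weeks ago so the "latest" copy is stale. The script below is an added example, not code from the original post or from Avertium; it assumes a simple manifest format (file name, SHA-256, creation time) that an offline backup job would write alongside its files, and constructs a throwaway backup set in a temporary directory to exercise the checks.

```python
"""Verify an offline backup set against its manifest: every listed file must be
present, its SHA-256 must match, and the newest backup must be younger than the
allowed age. Example code added for illustration; the manifest layout is an
assumption, not a format from the original post."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backups(manifest, backup_dir, now, max_age=timedelta(hours=24)):
    """manifest: list of {"name", "sha256", "created"} with ISO-8601 UTC timestamps.
    Returns a list of (severity, message) findings; an empty list means healthy."""
    findings = []
    newest = None
    for entry in manifest:
        path = os.path.join(backup_dir, entry["name"])
        created = datetime.fromisoformat(entry["created"])
        newest = created if newest is None or created > newest else newest
        if not os.path.isfile(path):
            findings.append(("critical", f"missing backup file: {entry['name']}"))
            continue
        if sha256_file(path) != entry["sha256"]:
            findings.append(("critical", f"hash mismatch for {entry['name']} (tampered or corrupt)"))
    # A stale "newest" backup is the signature of a backup routine that was disabled
    if newest is None:
        findings.append(("critical", "manifest lists no backups"))
    elif now - newest > max_age:
        findings.append(("high", f"newest backup is {now - newest} old; backup routine may have been disabled"))
    return findings


def build_demo(tmpdir):
    """Construct a demo backup set (not real data): one intact file, one whose
    content no longer matches its manifest hash, and one that is missing entirely."""
    good = b"patient-db-dump-2021-03-01"
    ehr_original = b"ehr-config-2021-02-27"
    with open(os.path.join(tmpdir, "db.bak"), "wb") as f:
        f.write(good)
    with open(os.path.join(tmpdir, "ehr.bak"), "wb") as f:
        f.write(ehr_original + b"-MODIFIED")  # differs from the hash recorded in the manifest
    return [
        {"name": "db.bak", "sha256": hashlib.sha256(good).hexdigest(),
         "created": "2021-03-01T02:00:00+00:00"},
        {"name": "ehr.bak", "sha256": hashlib.sha256(ehr_original).hexdigest(),
         "created": "2021-02-27T02:00:00+00:00"},
        {"name": "imaging.bak", "sha256": "0" * 64,  # placeholder hash; file never written
         "created": "2021-02-20T02:00:00+00:00"},
    ]


def run_demo():
    """Run the checks against the constructed set, 'now' being two days after the last backup."""
    with tempfile.TemporaryDirectory() as d:
        manifest = build_demo(d)
        now = datetime(2021, 3, 3, 8, 0, tzinfo=timezone.utc)
        return verify_backups(manifest, d, now)


if __name__ == "__main__":
    for severity, message in run_demo():
        print(f"[{severity}] {message}")
```

Run the verifier from a host that is not joined to the production network and that holds its own copy of the manifest; a manifest stored next to the backups would be encrypted or rewritten along with them, which defeats the integrity check.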

Related Reading: 5 Ways to Prevent Ransomware


Healthcare Ransomware Prevention: Addressing Human Factors 

According to a Ponemon study, 54% of healthcare associates say their biggest problem is employee negligence in the handling of patient information.

  • Training + Awareness Programs → Make employee training on cybersecurity basics part of your operations, on top of providing regular training and access to professional courses for your IT staff.
  • Check Cyber Insurance → If your organization chooses to carry cyber insurance, check the ransomware policy and get a clear understanding of the scope and requirements it imposes. By understanding the full capabilities of the insurance plan, your organization also acknowledges the level of risk it is willing to take on.
  • Phishing Attack Tests → Deploy simulated phishing campaigns (widely available as free online services) that test unsuspecting employees and generate reports on who opens the emails, how quickly, and what it would mean for your organization if the attack were real.

Related Reading: Threat Focus: What Is Ransomware-as-a-Service? 


How Avertium Can Help Healthcare Institutions Detect and Mitigate Ransomware

Healthcare institutions cannot stop being targets of ransomware, but with the proper controls in place, you can minimize and manage the attack surface and stop most attacks before they start. There is no guarantee that every attack will be stopped, so it is important to have a remediation plan in place for the worst-case scenario.

When an attack does land, focus first on mitigation:

  1. Coverage and Visibility are critical, as users constantly interact with applications, data, and resources in the course of normal day-to-day operations within healthcare institutions.
  2. Network Segmentation stops an infection at patient zero by containing the threat and preventing lateral movement. Without lateral movement, the number one goal of most ransomware attacks, hospitals can effectively squash ransomware before it spreads.
  3. Continuous Monitoring enables rapid ransomware detection and response. For a holistic view of the security situation, it is essential to maintain continuous visibility of user authentication and authorization. Continuous monitoring can also detect pre-attack behaviors that can be acted on before the attack takes place. With next-generation monitoring platforms with built-in AI, these patterns can be escalated to analysts for action before they become a problem.
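Continuous visibility of authentication (point 3 above) and the password-cracking risk named in the technology section come down to the same telemetry: a stream of login successes and failures. The detector below is an added example, not Avertium's product or code from the original post; it assumes a simple syslog-like line format and runs over a constructed set of log lines that contains one account being brute-forced until a success, and one external source trying a password against many accounts (spraying). It demonstrates the general sliding-window approach rather than a single rule.

```python
"""Detection over authentication telemetry: brute force against one account,
password spraying across many accounts from one source, and a success that
follows a burst of failures (the point at which cracking becomes a foothold).
Example code added for illustration; not Avertium's product or the page's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). The line format is an
# assumption for this example: "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2021-03-02T08:00:01 auth FAIL user=rn.adams src=10.20.5.7
2021-03-02T08:00:03 auth FAIL user=rn.adams src=10.20.5.7
2021-03-02T08:00:05 auth FAIL user=rn.adams src=10.20.5.7
2021-03-02T08:00:07 auth FAIL user=rn.adams src=10.20.5.7
2021-03-02T08:00:09 auth FAIL user=rn.adams src=10.20.5.7
2021-03-02T08:00:11 auth OK user=rn.adams src=10.20.5.7
2021-03-02T08:10:00 auth OK user=dr.lee src=10.20.8.21
2021-03-02T09:00:00 auth FAIL user=dr.lee src=203.0.113.9
2021-03-02T09:00:01 auth FAIL user=lab.tech1 src=203.0.113.9
2021-03-02T09:00:02 auth FAIL user=pharm.ops src=203.0.113.9
2021-03-02T09:00:03 auth FAIL user=billing.a src=203.0.113.9
2021-03-02T09:00:04 auth FAIL user=hr.west src=203.0.113.9
2021-03-02T09:00:05 auth FAIL user=svc.backup src=203.0.113.9
2021-03-02T12:00:00 auth OK user=dr.lee src=10.20.8.21
"""

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse log text into (timestamp, result, user, src) tuples sorted by time.
    Malformed lines are skipped so a stray line cannot crash the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events, key=lambda e: e[0])


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=5):
    """Return alerts as (alert_type, user, src, timestamp) tuples.

    brute_force            : >= fail_threshold failures for one (user, src) within window
    password_spray         : >= spray_threshold distinct users failing from one src within window
    success_after_failures : a successful login for a (user, src) whose recent failures
                             reached the threshold; treat as a probable compromised account
    Each (user, src) pair / src is reported once per type to keep alert volume manageable."""
    alerts = []
    fails_by_pair = defaultdict(list)   # (user, src) -> timestamps of recent failures
    fails_by_src = defaultdict(list)    # src -> (timestamp, user) of recent failures
    flagged_pairs, flagged_srcs = set(), set()

    for ts, result, user, src in events:
        key = (user, src)
        # Slide the window: keep only failures within `window` of the current event
        recent = [t for t in fails_by_pair[key] if ts - t <= window]
        fails_by_pair[key] = recent
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= fail_threshold and key not in flagged_pairs:
                flagged_pairs.add(key)
                alerts.append(("brute_force", user, src, ts))
            src_recent = [(t, u) for t, u in fails_by_src[src] if ts - t <= window]
            src_recent.append((ts, user))
            fails_by_src[src] = src_recent
            distinct_users = {u for _, u in src_recent}
            if len(distinct_users) >= spray_threshold and src not in flagged_srcs:
                flagged_srcs.add(src)
                alerts.append(("password_spray", "*", src, ts))
        elif len(recent) >= fail_threshold:
            # A success right after a failure burst is the highest-priority signal
            alerts.append(("success_after_failures", user, src, ts))
    return alerts


def run(log_text=SAMPLE_LOG):
    """Parse and detect in one step; returns the alert list for the given log text."""
    return detect(parse(log_text))


if __name__ == "__main__":
    for alert_type, user, src, ts in run():
        print(f"{ts.isoformat()} {alert_type:<22} user={user} src={src}")
```

The thresholds and window are the tuning knobs a SOC adjusts per environment; the structure to keep is the ordering of signals, where a success that follows a failure burst is escalated ahead of the burst itself, because that is the event that needs an analyst's action rather than a lockout.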

And containment:  

  • Zero Trust Network Architecture: As a key component of Avertium’s rigorous approach to providing Fusion MXDR, ZTNA gives our customers more visibility into data across networks, the cloud, endpoints, and applications. 
  • Digital Forensics and Incident Response: Provided as an on-demand crisis response service as well as a retainer-based program, Avertium’s Digital Forensics and Incident Response (DFIR) helps you to rapidly assess, contain, eradicate, and recover from a security incident to minimize impact and return you to normal operations. 


Ransomware gangs understand the challenges organizations face with work-from-anywhere models and a collapsed perimeter, and they see these as an opening for data extortion. The time it takes to detect, contain, and respond is a serious challenge for an unprepared company.

Higher visibility shines a spotlight on unauthorized users faster, allowing for enhanced containment and stronger, more timely incident response. Avertium's team of industry experts can help you implement cutting-edge monitoring and detection technology (EDR) to meet the challenges of today and prevent the threats of tomorrow.

Download our eBook: Leveraging ZTNA to Contain + Combat Ransomware

