Apr 30, 2024 - Technology

Healthcare is now a prime target for ransomware hackers

Illustration of a red cross floating in water in a downpour

Illustration: Sarah Grillo/Axios

The number of ransomware attacks on health care organizations continued to rise last year — prompting heightened attention from Capitol Hill this week.

Why it matters: Emergency rooms diverted ambulances, pharmacies delayed filling patients' prescriptions, and a Chicago children's hospital had to reschedule various procedures, all due to ransomware in the last year.

Driving the news: UnitedHealth CEO Andrew Witty is scheduled to testify before both a Senate and a House committee Wednesday over the company's response to an attack on medical payment processor Change Healthcare.

  • Senate Finance Chair Ron Wyden (D-Ore.) plans to focus his questions on why UnitedHealth was "so poorly prepared" for a ransomware attack and will be listening for ways to inform the committee's work on health cybersecurity issues, a Wyden spokesperson told Axios.
  • Witty is expected to apologize for the impact the monthslong attack has had on patients and health care providers, according to prepared testimony.

The big picture: Health care was one of five sectors that reported an increase in the number of ransomware attacks, according to a report from Sophos released Tuesday.

  • 67% of health care organizations reported facing a ransomware attack last year, up from 60% in 2022.

Between the lines: Health care organizations are often constrained by legacy systems, IT budgets and a need to prioritize patient care over cybersecurity, John Shier, a field CTO at Sophos, told Axios.

  • "In a lot of care scenarios, you need to have very quick access to information, which means that things like multifactor authentication and really long, complex passwords are not something that you're necessarily going to put in the way, especially in urgent care scenarios," Shier said.
  • However, that lack of complex passwords or MFA makes it easier for hackers to gain access to sensitive systems.

Zoom out: Many ransomware gangs have recently ditched policies they once had against targeting critical services, including hospitals.

  • For years, Russia-based gangs typically barred their freelancers from targeting certain sectors to avoid diplomatic fallout with Western nations, Shier said.
  • However, the calculus of those policies has changed as the relationship between the Russian government and the West has disintegrated during the war in Ukraine.
  • "It would seem like a lot of the things that were holding back the ransomware gangs, that sense isn't there anymore," Shier said.

By the numbers: In 95% of attacks on health care organizations, ransomware hackers attempted to damage data backups to force the organizations to pay a ransom.

  • And 66% of those attempts were successful, per the Sophos report.

The intrigue: The health care industry (along with higher and lower education) is less likely to negotiate ransom payments and more likely to pay more to hackers.

  • On average, health care firms paid 111% of the total amount that the ransomware gangs originally asked for, according to Sophos' new survey.
  • UnitedHealth confirmed last week that it had paid a ransom to the attackers to prevent a broader data leak.
  • It's unclear which hacking group UnitedHealth made the payment to and how much it paid: Both the BlackCat and the RansomHub gangs have demanded payments.
  • Wired reported that Change Healthcare sent $22 million last month to a bitcoin address associated with BlackCat.

Yes, but: Ransomware attacks on health care organizations were less likely to result in data theft last year, according to the Sophos data.

  • Hackers stole data in 22% of attacks on health care institutions, compared with 53% of attacks on IT and telecom organizations.

What's next: Lawmakers have been eyeing new legislation to incentivize health care organizations to upgrade their cybersecurity and help them respond to attacks.

  • Senate Intelligence Chair Mark Warner (D-Va.) introduced a bill last month that would give providers access to government funds following an incident, as long as they meet minimum standards.
Go deeper