In recent years, a slew of ransomware infections has forced health care organizations across the U.S. to confront their security weaknesses. The fact that the file-locking malware can disrupt medical services or compromise sensitive patient data has brought urgency to the struggle.
Yet largely missing from the equation has been a reliable and thorough set of public data on health care ransomware incidents that tracks things like payouts, the number of victims, and strains of malware.
On Wednesday, Allan Liska, a ransomware connoisseur and threat intelligence analyst at cybersecurity company Recorded Future, took a stab at filling the void by releasing data on ransomware incidents over the last three and half years.
Some of Liska’s findings, which he shared exclusively with CyberScoop, surprised him. From 2016 through 2018, for example, the number of documented ransomware incidents in the health care sector stayed relatively flat at around 30 per year, fewer than he expected.
“There is this incentive to minimize the impact of a ransomware attack if you can credibly say, ‘No patient data were interrupted, and so therefore we don’t have to report anything,’” Liska argued.
The lack of a dip in incidents over the years tells its own story. Given the attention the issue has gotten, “there was this assumption that health care providers are investing a lot of money in ways to protect against ransomware, so those attacks should be dropping. But that doesn’t appear to be the case,” Liska said.
There are likely many other incidents, according to experts, that just haven’t surfaced publicly as victims quietly pay off the attacker or determine that the episode doesn’t meet a legal reporting threshold. Liska hopes his dataset, culled from news reports and a Department of Health and Human Services’ (HHS) public database, encourages others to come forward with their own insights. The goal is to lift the curtain on a sector where the sensitivity of patient data complicates cyberthreat sharing.
The research challenges conventional wisdom in other ways. Many assume, for example, that health care organizations are more willing to pay hackers to recover their data given the sensitive data at stake. But only 15 percent of the incidents studied by Liska had a confirmed payout, while 61 percent of victims did not cough up money. After some high-profile payouts early in the dataset, organizations may be getting more adept at dealing with the infections, according to Liska.
Searching for solutions
But more data is needed to tell the full story of ransom payments in the sector. Behind closed doors, organizations can be more forthright about their experiences. At a ransomware exercise held last week for members of the Association of Academic Health Centers (AAHC), a nonprofit made up of universities with big medical facilities, some of the organizations represented said they had been hit by ransomware and paid the hackers off, according to Beau Woods, a cyber safety innovation fellow at the Atlantic Council think tank, who attended the exercise. For health care providers, protecting patient safety trumps all. If that means paying to get data back, so be it.
Woods said the dearth of data on ransomware incidents was one of the takeaways from the tabletop exercise.
“There’s a lack of information out there, even available to these folks,” said Woods, who helps organize the annual Biohacking Village at DEF CON. “Basically everyone in the room, their takeaway was, ‘We really need to sit down with our IT teams and see how they’re prepared to deal with ransomware.’ ”
In the exercise scenario, according to Woods, ransomware had spread from a research facility at a university to a medical center, raising the stakes. When that happened, he said, participants put all their energy into limiting the risk to patients, an indication of how seriously the industry is taking ransomware.
Of course, it’s not just large medical facilities that need to be preparing for ransomware. According to Liska’s data, health care organizations of all sizes have suffered ransomware infections, from a health clinic in rural Missouri to a medical-testing giant with 60,000 employees worldwide.
Recent days have made clear that the dataset will have to be continually updated. On Tuesday, the largest hospital system in west Alabama revealed it had be infected with ransomware, forcing it to turn away patients who aren’t deemed critical. Earlier this month, a Southern California clinic said it would shut down permanently after ransomware hit its servers in August.