Most Healthcare Organizations Expect to Be Ransomware Targets

A third of healthcare organizations experienced ransomware attacks in the last year, and the remaining 63 percent expect to be attacked in the future, a survey reveals.

By Jill McKeon

A recent survey published by IT security company Sophos reveals that 63 percent of healthcare organizations that weren’t impacted by ransomware last year expect to be the target of a ransomware attack in the future. Approximately a third of surveyed healthcare organizations were impacted by ransomware in the last year alone.

Despite the fact that 560 healthcare providers experienced a ransomware attack in 2020, the survey found that the number of attacks on the healthcare sector fell below the global average across all sectors. Retail and education sectors experienced the most ransomware attacks with 44 percent of survey respondents being impacted, compared to the 37 percent global average.

The survey noted that “many attackers have moved from larger scale, generic, automated attacks to more targeted attacks that include human-operated, hands-on-keyboard hacking. While the overall number of attacks is lower, our experience shows that the potential for damage from these targeted attacks is much higher.”

Results revealed that the healthcare sector appears to be less equipped to stop ransomware attacks than other sectors. Attackers succeeded at encrypting healthcare data 65 percent of the time compared to the global average of 54 percent. Globally, an average of 39 percent of organizations succeeded at stopping the attack before data could be encrypted, but only 28 percent of healthcare organizations were able to stop the attack in time.

Meanwhile, 44 percent of healthcare organizations with encrypted data were able to restore data using backup systems. This percentage is significantly lower than the global average of 57 percent. The healthcare and local government sectors were significantly less likely to back up their data despite being in possession of extremely valuable personal data. 

About a third of surveyed healthcare organizations admitted to paying the ransom. But as the survey explained, “what attackers omit when issuing ransom demands is that even if you pay, your chances of getting all your data back are slim. On average, organizations that paid the ransom got back just 65 [percent] of their data, leaving over a third inaccessible.”

Healthcare organizations that paid the ransom only got an average of 69 percent of their data back, and the rest remained inaccessible. The average ransomware recovery costs amounted to $1.27 million for the healthcare industry, which was the lowest amount among all surveyed sectors.

However, this finding is likely due to the fact that most survey respondents came from small or mid-sized organizations. Larger healthcare organizations have been hit with millions more in recovery costs.

Of the 63 percent of healthcare organizations that were not targeted by ransomware last year but expect to be in the future, 57 percent said their reason is that other organizations in the industry have been targeted. Other concerns include the growing sophistication of attackers and known weaknesses in security.

Of respondents who do not expect to be the target of an attack, most say it is because they are confident that their organization’s trained IT staff have the skills to stop an attack, and many also put their trust in anti-ransomware technology.

The survey recommends that organizations develop a malware incident recovery plan and found that 89 percent of healthcare organizations have one in place already. An additional 40 percent were in the process of developing a plan at the time survey data was collected.

Considering the survey responses, Sophos recommends that healthcare organizations assume they will be attacked and plan accordingly. The company recommends using anti-ransomware technology combined with human experts and deploying layered protection to block attackers from all access points.