According to a new Sophos report, State of Ransomware in Healthcare 2022, twice as many healthcare organizations paid the ransom in 2021 vs 2020. Though they paid the ransom, only 2% got all of their data back. Interviews with 381 it enterprises in 31 countries revealed the following:
- Ransomware attacks on healthcare almost doubled – 66% of healthcare organizations surveyed were hit by ransomware in 2021, up from 34% in 2020
- Healthcare is most likely to pay the ransom, ranking first with 61% of organizations paying the ransom to get encrypted data back, compared with the global average of 46%; this is almost double than 34% who paid the ransom in 2020
- Healthcare pays the least ransom amount – US$197K was the ransom amount paid by healthcare in 2021 compared with the global average of US$812K
- Less data is recovered after paying the ransom – healthcare organizations that paid the ransom got back only 65% of their data in 2021, down from 69% in 2020; furthermore, only 2% of those that paid the ransom in 2021 got ALL their data back, down from 8% in 2020
- High incident cost – healthcare ranked second highest at US$1.85M in terms of the average cost to rectify ransomware attacks compared with the global average of US $1.40M
- Long recovery time from ransomware attacks – 44% of healthcare organizations that suffered an attack in the last year took up to a week to recover from the most significant attack, whereas 25% of them took up to one month
- Low cyber insurance coverage in healthcare – only 78% of healthcare organizations have cyber insurance coverage compared with the global average of 83%
- Cyber insurance driving better cyber defenses – 97% of healthcare organizations with cyber insurance have upgraded their cyber defenses to improve their cyber insurance position
- Cyber insurance almost always pays out – in 97% of incidents where the healthcare organization had cyber insurance that covered ransomware, the insurer paid some or all the costs incurred (with 47% overall covering the ransom payment)
Health care enterprises have traditionally been behind other sectors that are heavily dependent on IT technologies, e.g., their counterparts in insurance and finance. The attackers target them because they have less developed security controls and are dependent on IT services for their business model.
The encouraging sign is the awareness that they are under attack, noted by the overwhelming majority of enterprises that have cyber insurance and have improved their cyber security practices. The chickens are on alert that the fox is circling the hen house!
Healthcare has been the most impacted industry eleven years in a row with the highest average cost of data breaches at $9.23 million in 2021 and rapidly growing at almost 30% YoY! As ransomware incidents are tightly correlated, this is a special cause for alarm for healthcare leaders and CISOs. Exacerbating the problem is the proliferation of Medical IoT devices that are proving invaluable for patient care and yet can pose unforeseen vulnerabilities and attack vectors.
A new strategy focusing on end-to-end protection across users, decentralized assets, cloud, and edge network infrastructure is warranted that borrows proven concepts from the military space such as managed attribution and multipath tamper resilient communications in addition to typical zero trust provider centric approaches.