The Impact of Ransomware on Healthcare During and Since COVID-19

The Impact of Ransomware on Healthcare During COVID-19:

Where is this information from?

Let’s review the report titled “The Impact of Ransomware on Healthcare During COVID-19 and Beyond” in detail. The Ponemon Institute, sponsored by Censinet, spent the past year analyzing how the cyber landscape has been transforming, especially since COVID-19. They interviewed 598 professionals in the healthcare industry, all of whom were in management positions, and 64% of whom held a position in charge of security and compliance. The report is limited to what it terms HDOs (Health Delivery Organizations): entities that deliver clinical care and rely upon the security of the third parties with whom they contract for services and products, i.e. community hospitals, regional health systems, integrated delivery networks, physician groups, and payers.

What was the biggest takeaway?
  • Before COVID-19, 55% of people surveyed said they were not confident in their ability to mitigate a ransomware attack. Since COVID-19, that number has risen by a little less than 10%, to 61% of people surveyed saying they are not confident in their ability to reduce ransomware risk.
  • 60% of organizations surveyed have undergone a breach in the last two years alone
  • Each healthcare breach on average exposed 28,500 HIPAA records
  • That is about $837,750 worth of patient records per breach
  • Breaches were due to an attack on:
    • a cloud application (23%)
    • an employee phishing attempt (21%)
    • an attack on an on-premise application (19%)

Root Cause of Data Breach in Healthcare

Why is healthcare vulnerable to ransomware?

The healthcare industry is uniquely affected by ransomware because 1) healthcare organizations rely upon third-party vendors to supply security when they contract out for services and products, and 2) healthcare organizations have more devices connected to the Internet of Things (IoT) than most industries.

When we look closer at “third-party vendors,” this is where most of the breaches actually began. Most healthcare networks have hundreds of vendors, each with their own systems and cybersecurity, so it is easy to overlook how the health of a single vendor can affect the whole system. This study revealed that the average number of third parties an organization contracts with is 1,950, and that this will increase to an average of 2,541 in the next 12 months (a 30% increase in one year!). The increase is most likely a result of COVID-19’s effect on healthcare (including remote work, new systems to support remote work, staffing challenges, and pandemic supply chain issues).

In the last two years, 43% of healthcare vendors had a ransomware breach. 67% had more than one breach, and 33% said they had two or more.

Impact of ransomware on healthcare patients:

For those organizations that did have a data breach, the graphic below shows the impact ransomware has on patients within healthcare organizations:

  • Longer length of stay (71%)
  • Delays in procedures/poor outcomes (70%)
  • Increase in patient transfers (65%)
  • Increase in medical complications (36%)
  • An increase in mortality rate (22%)
  • Other (4%)

Does your organization have the required controls and assessments for third party companies and vendors?

Third-party vendors and products are necessary when operating within the healthcare industry, as some operating systems, software, and medical devices are irreplaceable when it comes to saving human lives. The risk they pose to operations when it comes to cybersecurity and ransomware should have a plan of action in place to manage it and mitigate the risk factors. Even if the organization itself does a good job defending against cyber threats, it is usually a breach at a vendor or third party that exposes the organization’s data.

Health companies and networks need to have the right controls and risk assessments in place across the whole vendor relationship, including procurement, implementation, usage, updates, and termination, to secure data properly.

As of right now, only 40% of companies surveyed said their organization completes a risk assessment of its third-party vendors prior to contracting with them, and 38% said assessment findings are ignored by leaders. So effectively, only about 2% of organizations currently have working practices in place to evaluate the cybersecurity of third-party vendors, which indicates a huge gap, and a huge opportunity, to reduce risk.

See what other organizations are doing to reduce vendor risk below.

Healthcare providers are doing the following when it comes to cybersecurity and ransomware risks:

  1. Outsourcing part or all of the functions to a managed service provider (50%)
  2. Allocating more budget towards risk management (46%)
  3. Looking for automated solutions to improve efficiency (44%)
  4. Increasing assessment coverage of new vendors (43%)
  5. Increasing reassessment of current vendors (37%)

Where to start?

Check out this checklist and make sure your organization and your vendors are following all recommended best practices. Which have you implemented and which have you been avoiding?

  • Invest in workflow automation and resources to establish a digital inventory of all third parties and PHI records. It is key to know where PHI records are being accessed, transmitted, or stored by third-party products or services
  • Increase overall risk coverage of third parties by leveraging automation to conduct more assessments
  • Allocate resources and funding to re-assess high-risk third parties. Currently, only an average of 32% of critical and high-risk third parties are assessed annually
  • Increase efforts to secure medical devices. Only 36% of health organizations know where all of their medical devices are
  • Ensure critical steps for identifying and mitigating third-party risks are in place
  • Assign risk accountability and ownership to one role. Spreading accountability and ownership across more than one role weakens the ability to execute an enterprise-wide risk management strategy
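To make the checklist above concrete, here is a small added example (not from the report, Censinet, or KPInterface) of the kind of third-party inventory the first and third items call for, with checks that flag which critical and high-risk vendors are overdue for reassessment, what share of them was assessed in the last 12 months, which PHI-handling vendors have never been assessed, and how many roles currently own vendor risk. The inventory entries, risk tiers, dates, and owner roles are constructed sample data, and the 365-day reassessment window is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Sort order for risk tiers, highest risk first.
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class ThirdParty:
    """One row of the third-party inventory (fields are assumptions)."""
    name: str
    risk_tier: str               # "critical", "high", "medium" or "low"
    handles_phi: bool            # does the vendor access, transmit or store PHI?
    last_assessed: Optional[date]  # None = never assessed
    owner: str                   # role accountable for this vendor's risk


# Constructed sample inventory; names and dates are made up.
TODAY = date(2022, 6, 1)
INVENTORY = [
    ThirdParty("Cloud EHR hosting", "critical", True, date(2021, 12, 10), "CISO"),
    ThirdParty("Imaging device maintenance", "high", True, date(2020, 11, 3), "CISO"),
    ThirdParty("Billing clearinghouse", "high", True, None, "CISO"),
    ThirdParty("Cafeteria supplier", "low", False, None, "Procurement"),
    ThirdParty("Telehealth platform", "critical", True, date(2022, 1, 15), "CISO"),
]


def overdue_reassessments(inventory, today, window_days=365,
                          tiers=("critical", "high")):
    """Names of critical/high vendors never assessed or assessed before the window."""
    cutoff = today - timedelta(days=window_days)
    overdue = [tp for tp in inventory
               if tp.risk_tier in tiers
               and (tp.last_assessed is None or tp.last_assessed < cutoff)]
    overdue.sort(key=lambda tp: (TIER_ORDER[tp.risk_tier], tp.name))
    return [tp.name for tp in overdue]


def annual_coverage(inventory, today, window_days=365,
                    tiers=("critical", "high")):
    """Percentage of critical/high vendors assessed within the window."""
    cutoff = today - timedelta(days=window_days)
    in_scope = [tp for tp in inventory if tp.risk_tier in tiers]
    if not in_scope:
        return 0.0
    assessed = [tp for tp in in_scope
                if tp.last_assessed is not None and tp.last_assessed >= cutoff]
    return round(100.0 * len(assessed) / len(in_scope), 1)


def onboarding_blocked(inventory):
    """PHI-handling vendors with no assessment on file: hold the contract."""
    return [tp.name for tp in inventory
            if tp.handles_phi and tp.last_assessed is None]


def accountable_roles(inventory):
    """Distinct roles owning vendor risk; more than one is a governance gap."""
    return sorted({tp.owner for tp in inventory})


if __name__ == "__main__":
    print("Overdue reassessments:", overdue_reassessments(INVENTORY, TODAY))
    print("Annual coverage of critical/high vendors:",
          annual_coverage(INVENTORY, TODAY), "%")
    print("PHI vendors blocked pending assessment:", onboarding_blocked(INVENTORY))
    print("Roles owning vendor risk:", accountable_roles(INVENTORY))
```

On the sample inventory this reports two overdue high-risk vendors, 50% annual coverage of critical and high-risk vendors (above the 32% average the report cites, but still half of what the checklist asks for), one PHI-handling vendor that should not be contracted until assessed, and two roles sharing ownership where the checklist recommends one.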

If your organization has few or none of these practices in place, it is time to start investing in an evaluation to find out where you stand and how likely a breach is. Do you know how long your organization would be down if you had a breach? Go to our cost calculator now to find out how much money a breach would cost!

Contact KPInterface directly for a free cybersecurity audit to find out your threat landscape. We also work directly with third parties and vendors in healthcare, so we are a great resource for conducting risk assessments. Our services make it so a breach is impossible (and we can say that with confidence; take a look at our case studies if you’re hesitant).