What Does a Ransomware Attack in Healthcare Really Cost?

By Susan Biddle | August 24, 2017

Ransomware attacks have become an increasingly popular way for cybercriminals to use stolen data to make money.

Historically, following most data breaches, cybercriminals put the sensitive user information accumulated from the attack up for sale on the dark web. Depending upon the type of personal information available, records sell for different amounts of money, with healthcare records fetching more than a password, for example.

Ransomware, and more recently ransomworms, take a different approach. Rather than stealing your information and selling it to other malicious actors, cybercriminals that conduct ransomware attacks lock you out of your own data by encrypting it, and make their money by selling the decryption key back to you.

This style of attack is becoming more frequent. In May, we saw the WannaCry ransomworm infect more than 230,000 machines across 150 countries, followed by Petya, a ransomworm targeting the exact same vulnerability that infected an additional 16,000 machines in several countries in June.

While cybercriminals have not been too discriminatory with the types of organizations they target, healthcare organizations are at particularly high risk of ransomware attacks and the staggering costs associated with them. Data shows that 72 percent of all 2016 malware attacks in healthcare were ransomware.

Healthcare is at High Risk of Ransomware

The healthcare sector is especially vulnerable to ransomware attacks due to its reliance on electronically stored files such as electronic health records and scans, and on connected devices, to perform mandatory day-to-day tasks, not to mention remote medical consultation and life-saving devices such as infusion pumps and monitors connected to the internal network. When faced with a ransomware attack, all of the information, applications, and services provided by the network are encrypted and rendered unusable. Without access to critical patient information, doctors and hospital staff are unable to treat patients, bringing operations and treatments to a halt and endangering lives.

Because hospitals need to get back online as quickly as possible, they are more likely to pay the ransom to free their files and get back to work than many other industries.

The Price of a Ransomware Attack

The cost of a ransomware attack goes far beyond just the ransom paid. Substantial costs come from the aftermath of the attack in terms of incident response, legal, and reputational expenses, with studies showing that data breaches cost hospitals $402 per compromised record.

Incident Response and Forensics

Following a ransomware attack, healthcare providers must bring in auditors to determine which information was compromised. This process can take months of sorting through millions of records and logs, costing hospitals up to $610,000 or more. Additionally, media notification in compliance with HIPAA’s breach notification rule, including credit monitoring for compromised patients, costs on average $560,000.

HIPAA Non-Compliance

There are more than just immediate remediation costs following a ransomware attack. Any government regulations to which the healthcare industry is bound means there can also be high non-compliance and legal costs. HIPAA compliance, for example, requires hospitals to perform thorough risk assessments of their technology holdings, and implement access controls and other security measures that minimize data loss.

In the event of a ransomware attack, protected health information (PHI) is taken over by cybercriminals, which is considered by HIPAA to be a non-compliant disclosure of patient information. Unless healthcare organizations can prove there is a low chance that PHI has been compromised, ransomware attacks are considered a HIPAA breach.

This can result in penalties that range from $100 to $50,000 per violation, with an annual maximum fine per violation of $1.5 million. Lawsuits brought on by those affected can also drive up the cost of an attack.

Lost Revenue

While costs climb in the immediate aftermath of a breach, the long-term losses can actually have a much greater impact on a hospital’s finances. Consumers are beginning to do more research before choosing healthcare providers. News that a hospital experienced a ransomware attack can lower the level of trust they feel, causing prospective patients to seek care elsewhere, or causing current patients to leave. Studies show that hospitals suffer an average of $3.7 million in lost revenue following a data breach.

Preventing Ransomware Attacks

Hospitals and healthcare providers can avoid facing financial and reputational damage at the hands of ransomware attacks by ensuring their security posture is up to date with prevention and detection measures, as well as by developing and maintaining good network hygiene, which includes systematic patching and updating of vulnerable systems, and replacing outdated technologies that are no longer supported.

Ransomware is typically proliferated through infected links or attachments in emails, or, as with WannaCry and Petya, unpatched vulnerabilities. These attack vectors can be mitigated with secure email gateways and regular automatic security updates. In addition to protecting the network perimeter with firewalls, network segmentation is key to ensuring that if a breach occurs, it is isolated to one area of the network.

For the most comprehensive prevention and detection, Fortinet’s advanced threat protection can be used to both block attacks and detect when an intrusion has occurred to quicken response time. Each tool communicates with the others and is fed by FortiGuard threat intelligence. The faster an intrusion is detected, the less a data breach costs.

Finally, to understand where there may be gaps in your security protocol, and to better comply with HIPAA ordinances, we recommend that you conduct regular cyberthreat assessments to gain visibility into your security posture, and add protection where needed.

Final Thoughts

Ransomware attacks will continue to be a threat for healthcare providers, and likely in greater volumes going forward. The resulting overall downtime, incident response and legal fees, as well as long-term reputational damage can cost hospitals millions and keep them from providing high-quality care to patients.

The best course of action is to ensure your hospital has a robust, integrated security strategy that is designed to detect and mitigate ransomware attacks in real-time. Being aware of these threats and staying a step ahead of cybercriminals will ensure healthcare providers can continue to give patients the best possible care.

You can read more important takeaways in the full Global Threat Landscape Report.