Threat intelligence analyst documents, assesses 117 healthcare ransomware incidents
When a business system breaks because of a patching malfunction, the business loses money. When a healthcare system breaks, it can put lives at risk. Ransomware attacks against healthcare providers can disrupt patient services, create confusion and force providers to shut down.
Given that these attacks are such a persistent concern, Allan Liska, threat intelligence analyst at Recorded Future, a vendor of a threat intelligence system powered by machine learning, was surprised at the dearth of research into the actual scope of ransomware attacks against healthcare providers.
It turns out that collecting data on these attacks is more complex than it first appears: a number of incidents are never reported to HHS, which makes it very hard to determine how exhaustive any catalog of ransomware attacks is.
New ransomware research
Through its own research, Recorded Future was able to document 117 ransomware incidents targeting healthcare providers in the United States.
The number of patient records impacted by these attacks is 4,474,000, though the real number is most likely higher, because not every incident report included a patient-record count: only 64 of 113 (57%) included patient notification data.
The conventional wisdom is that healthcare providers are more likely to pay ransoms than other industries. That may be the case, but the data is not really clear. In the company’s research, 69 of the incident reports (61%) confirmed the victim did not pay a ransom, 17 of the tracked incidents (15%) confirmed payment, and the rest were unknown.
“There have been other articles published about ransomware attacks against healthcare providers, but all the articles I was able to find used proprietary data, making it impossible to understand the true scope of the problem,” Liska explained.
“What I was surprised to find is that no one had published anything open source, especially given the vital function of hospitals, doctor’s offices and other health-related institutions,” he said.
Collecting data a complex task
For several years, ransomware attacks have demonstrated the ability to disrupt patient services and cause confusion, and in 2019, these attacks have forced at least two healthcare providers to shut down. However, as critical as the problem is, as Recorded Future dug in, it became clear that collecting and analyzing data on these attacks is more complex than it first may appear.
“One challenge with collecting the data is that not all attacks are reported to HHS,” Liska said. “When the Park DuValle health center was hit with a ransomware attack earlier this year, it made the news because they were not able to see patients. However, they did not view it as a reportable incident.
“I think that kind of response is more the rule than the exception,” he added. “Providers often try to justify not reporting by claiming that nothing has happened to impact patient records. Unfortunately, without any kind of third-party oversight, there is no way to confirm these claims.”
Many providers also try to minimize press coverage they get from their ransomware attacks, making research difficult, Liska added.
“In February 2016, Hollywood Presbyterian Medical Center paid a then unheard of $17,000 ransom to recover their encrypted files,” he recalled. “The attack got so much coverage that Hollywood Presbyterian now has a section on their Wikipedia page discussing the attack. The following month, MedStar Health had to turn away patients because of a SamSam attack. Unfortunately, these were just the start of ransomware attacks against healthcare providers.”
How exhaustive is the list?
There were a number of incidents like this that were not reported to HHS, Liska said. This makes it very hard to determine how exhaustive the catalog of ransomware attacks Recorded Future collected actually is, he added. In short, the lack of reporting and the desire to keep incidents out of the press make collection and verification very challenging.
“Since publishing our findings, we have already seen additional attacks,” Liska noted. “Despite the challenges inherent to collecting ransomware data, our primary source of collection is HHS, which maintains a public database of breach notifications. That greatly simplifies the process of locating at least some ransomware attacks for tracking purposes. The remainder of our research comes from local and national reporting.”
However, that relies on an attack being both public and newsworthy.
“For better or worse – and I tend to think it is better even though an unfortunate topic – more news reporters are showing interest in covering ransomware,” he said. “The challenge is that for reporters to find out about a ransomware attack, a healthcare provider either has to publish a report or services have to be disrupted so clients complain about not being able to make appointments, etc. So between those reports and HHS, the picture starts coming into focus.”
More roadblocks to research
The HHS database classifies ransomware under the “Hacking/IT Incident” breach category, but it does not break down the specific type of incident in the public database. Again, this is a roadblock to determining the full scope of the problem.
Between January 1, 2016, and October 22, 2019, there were a total of 661 reported “Hacking/IT Incident” breach types – currently, that breaks down as 321 “Under Investigation” and 340 “Archived.”
Using that same timeframe, Recorded Future was able to document 117 ransomware incidents targeting healthcare providers in the United States. The breakdown of ransomware incidents per year is:
- 2016: 29 incidents
- 2017: 27 incidents
- 2018: 30 incidents
- 2019: 34 incidents (through October 22)
The Department of Health and Human Services was one of the first reporting organizations to understand the potential impact of ransomware incidents and require reporting from organizations under its purview. Unfortunately, the guidelines HHS has published have had some unintended consequences, Liska noted.
Whether or not patient data was compromised
“The chief consequence is that because HHS only considers a ransomware incident reportable if patient data is compromised, healthcare organizations are actually disincentivized from fully investigating a ransomware incident,” he said. “If an organization determines the ransomware didn’t compromise patient data, it doesn’t have to report it, but how the ransomware was delivered matters.”
For example, there has been a spate of Ryuk ransomware attacks that are part of a three-stage attack: an Emotet loader installs a TrickBot information stealer, which then installs Ryuk. The Ryuk ransomware may not compromise patient data, but if TrickBot was installed on any of those machines, there is a good chance that data, possibly including patient data, was exfiltrated from the computer.
But if the incident is tracked as “just the ransomware,” the organization may not look too closely at the entire attack chain, and so never has to report it.
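The scoping problem above can be checked mechanically during triage. The following script is an added example, not code from Recorded Future or from the article: it takes a constructed feed of endpoint alerts (timestamp, host, detection name), maps each detection to a stage of the loader -> stealer -> ransomware chain by keyword (the keyword mapping and the sample hosts are assumptions made for the example), and for every host that shows ransomware activity reports whether a stealer or loader was present earlier and how long the dwell time was. A host where TrickBot preceded Ryuk is flagged so that the incident cannot be closed as "just the ransomware" without a breach assessment.

```python
"""Triage check: was the ransomware the last stage of a loader -> stealer ->
ransomware chain?  Sample alerts and the keyword-to-stage mapping below are
constructed for this example, not real telemetry or a vendor's detection names.
"""
from collections import defaultdict
from datetime import datetime

# Assumed mapping from a fragment of the detection name to the chain stage.
STAGE_BY_KEYWORD = {
    "emotet": "loader",
    "trickbot": "stealer",
    "ryuk": "ransomware",
}

# Constructed alert feed: "ISO timestamp,host,detection name".
SAMPLE_ALERTS = [
    "2019-10-01T08:12:00,ws-billing-07,Trojan.Emotet doc macro",
    "2019-10-01T08:40:00,ws-billing-07,TrickBot injection detected",
    "2019-10-14T09:00:00,ws-billing-07,PUA.Toolbar",            # unrelated noise, ignored
    "2019-10-15T02:05:00,ws-billing-07,Ransom.Ryuk encryption activity",
    "2019-10-15T02:07:00,srv-file-01,Ransom.Ryuk encryption activity",
    "2019-08-20T10:00:00,ws-reception-02,TrickBot injection detected",
    "2019-10-15T02:09:00,ws-reception-02,Ransom.Ryuk encryption activity",
]


def stage_of(detection_name):
    """Return the chain stage for a detection name, or None if it is not part of the chain."""
    name = detection_name.lower()
    for keyword, stage in STAGE_BY_KEYWORD.items():
        if keyword in name:
            return stage
    return None


def parse_alerts(lines):
    """Parse alert lines into sorted (timestamp, host, stage) tuples, dropping non-chain alerts."""
    alerts = []
    for line in lines:
        ts, host, detection = line.strip().split(",", 2)
        stage = stage_of(detection)
        if stage:
            alerts.append((datetime.fromisoformat(ts), host, stage))
    return sorted(alerts)


def triage(lines):
    """Per host with ransomware activity: which precursor stages ran earlier, and the dwell time.

    Returns {host: {"verdict": str, "dwell_days": int}}.  The verdict string is
    prefixed with the highest-concern precursor found ("stealer", "loader") or
    "ransomware-only" when the host shows nothing before the encryption event.
    """
    by_host = defaultdict(list)
    for ts, host, stage in parse_alerts(lines):
        by_host[host].append((ts, stage))

    verdicts = {}
    for host, events in by_host.items():
        ransom_times = [ts for ts, s in events if s == "ransomware"]
        if not ransom_times:
            continue  # loader/stealer with no ransomware is its own case, not scoped here
        first_ransom = min(ransom_times)
        earlier = [(ts, s) for ts, s in events if s != "ransomware" and ts < first_ransom]
        stages = {s for _, s in earlier}
        dwell = (first_ransom - min(ts for ts, _ in earlier)).days if earlier else 0

        if "stealer" in stages:
            verdict = "stealer-before-ransomware: treat data as accessed; breach assessment required"
        elif "loader" in stages:
            verdict = "loader-before-ransomware: hunt for stealer artifacts before scoping as ransomware-only"
        else:
            verdict = "ransomware-only telemetry: verify the delivery vector before closing"
        verdicts[host] = {"verdict": verdict, "dwell_days": dwell}
    return verdicts


def incident_scope(verdicts):
    """Roll host verdicts up to an incident-level scope: one stealer host taints the whole incident."""
    if any(v["verdict"].startswith("stealer") for v in verdicts.values()):
        return "possible data compromise"
    if any(v["verdict"].startswith("loader") for v in verdicts.values()):
        return "incomplete: hunt required"
    return "ransomware-only (unverified)"


if __name__ == "__main__":
    results = triage(SAMPLE_ALERTS)
    for host, v in results.items():
        print(f"{host}: {v['verdict']} (dwell {v['dwell_days']} days)")
    print("incident scope:", incident_scope(results))
```

Two design points: the check deliberately uses no lookback window, because a stealer seen weeks before the encryption (ws-reception-02 in the sample) is exactly the case an analyst scoping "just the ransomware" would miss; and a single stealer host escalates the whole incident, since the reporting decision is made per incident, not per machine.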
“Greater education can also help improve knowledge,” Liska advised. “The more that healthcare providers know about their own vulnerabilities as well as the threats that are out there, the better equipped they can be to make decisions about protecting patients, systems and information.
“Providers should be encouraged to report to HHS in ways that do not appear to be ‘naming and shaming.’ The government can take the lead here by championing those organizations that demonstrate transparency.”
Ransomware incidents are preventable, but they can happen to even the most well-intentioned organizations. While that does not absolve them from responsibility, recognizing it as a serious occupational hazard rather than an indication of ineptitude or malice would be a step in the right direction, he added.
At the mercy of vendors
“Much of this comes down to the fact that healthcare providers in particular have unique challenges when it comes to security,” he said. “Often, healthcare organizations are at the mercy of third-party vendors when it comes to patching and updating systems. Without effective and secure ways of managing those processes, healthcare providers can be an easy target for ransomware actors.”
Similar to state and local governments, healthcare organizations have rushed to digitize their practices, and this often leads to management and security gaps that remain unaddressed until a security event, such as a ransomware attack, he said.
“Furthermore, the perception that healthcare providers are more likely than other industries to pay ransom has led some ransomware actors to actively target healthcare organizations,” he noted. “The team behind SamSam, for example, was known to explicitly seek out healthcare providers.”
Liska said that Recorded Future will continue to analyze the data collected and refine the data set as the company uncovers additional incidents and fleshes out information about existing incidents.