Health Care's Ransomware Wake-Up Call
July 29, 2021
Health care has long lagged behind other industries when it comes to cybersecurity. But with ransomware attacks against the industry on the rise, providers are quickly trying to close the gap and protect their systems and patients.
The Basics: Ransomware Attacks on the Rise
A ransomware attack happens when an attacker deploys malicious software on an organization’s computer network that encrypts its files and locks staff out of their systems, then demands payment in exchange for restoring access. In the health care industry, these attacks can be particularly disruptive and dangerous, blocking access to electronic health records, slowing down care and even forcing hospitals to cancel appointments and turn away patients.
In the last year, ransomware attacks against health care organizations have surged. The move to telehealth and remote work created more opportunities to penetrate providers’ defenses, and cybercriminals preyed on hospitals’ and clinics’ need to quickly regain access to their systems to extort large ransom payments. In October 2020, the FBI and two other federal agencies issued a special bulletin warning the industry that cybercriminals from Eastern Europe were specifically targeting health care providers.
¹ Ransomware attacks on US healthcare organizations cost $20.8bn in 2020, Comparitech, 3/10/2021
² The State of Ransomware in Healthcare 2021, Sophos, May 2021
³ Several hospitals targeted in new wave of ransomware attacks, CNN, 10/29/2020
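The defining behaviour described above, a process sweeping through shared folders and rewriting files so they can no longer be opened, is also what gives defenders a chance to catch an attack early. The following is an added example, not code from Tradeoffs or any of the organizations named in this piece: a small detector that reads file-system audit events and raises an alert when one process renames many files to the same new extension across several directories within a short window. The log format, host names, process names and thresholds are all assumptions made up for the illustration.

```python
"""Flag ransomware-like bursts of file renames in file-system audit events (added example)."""
import os
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # sliding window in which renames by one process are counted
MIN_FILES = 5         # files renamed to the same new extension needed to alert
MIN_DIRS = 2          # spread across at least this many directories

# Constructed sample audit log (not from any real hospital). Pipe-separated fields:
# timestamp | host | process | action | source path | destination path (empty unless RENAME)
SAMPLE_LOG = r"""
2021-07-29T02:14:00|ehr-ws-17|winword.exe|WRITE|C:\Users\rn\notes\shift.docx|
2021-07-29T02:14:20|ehr-ws-17|explorer.exe|RENAME|C:\Users\rn\notes\draft.docx|C:\Users\rn\notes\final.docx
2021-07-29T02:15:00|ehr-ws-17|svchst.exe|RENAME|C:\Shared\Radiology\scan_001.dcm|C:\Shared\Radiology\scan_001.dcm.locked
2021-07-29T02:15:02|ehr-ws-17|svchst.exe|RENAME|C:\Shared\Radiology\scan_002.dcm|C:\Shared\Radiology\scan_002.dcm.locked
2021-07-29T02:15:04|ehr-ws-17|svchst.exe|RENAME|C:\Shared\Billing\claims_q2.xlsx|C:\Shared\Billing\claims_q2.xlsx.locked
2021-07-29T02:15:07|ehr-ws-17|svchst.exe|RENAME|C:\Shared\Billing\claims_q1.xlsx|C:\Shared\Billing\claims_q1.xlsx.locked
2021-07-29T02:15:09|ehr-ws-17|svchst.exe|RENAME|C:\Shared\Scheduling\oncall.pdf|C:\Shared\Scheduling\oncall.pdf.locked
2021-07-29T02:15:11|ehr-ws-17|svchst.exe|WRITE|C:\Shared\Scheduling\README_TO_DECRYPT.txt|
2021-07-29T02:40:00|lab-srv-03|backup.exe|RENAME|D:\exports\run1.csv|D:\exports\run1.csv.bak
2021-07-29T02:40:01|lab-srv-03|backup.exe|RENAME|D:\exports\run2.csv|D:\exports\run2.csv.bak
2021-07-29T03:00:00|pacs-01|cleanup.exe|RENAME|E:\cache\a\1.tmp|E:\cache\a\1.old
2021-07-29T03:05:00|pacs-01|cleanup.exe|RENAME|E:\cache\b\2.tmp|E:\cache\b\2.old
2021-07-29T03:10:00|pacs-01|cleanup.exe|RENAME|E:\cache\c\3.tmp|E:\cache\c\3.old
2021-07-29T03:15:00|pacs-01|cleanup.exe|RENAME|E:\cache\d\4.tmp|E:\cache\d\4.old
2021-07-29T03:20:00|pacs-01|cleanup.exe|RENAME|E:\cache\e\5.tmp|E:\cache\e\5.old
not a valid line
"""


def parse_event(line):
    """Parse one audit line into a dict, or return None for a malformed line."""
    parts = line.split("|")
    if len(parts) != 6:
        return None
    ts, host, proc, action, src, dst = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    # Normalise backslashes so os.path behaves the same whatever platform runs this.
    norm = lambda p: p.replace("\\", "/")
    return {"ts": when, "host": host, "proc": proc, "action": action,
            "src": norm(src), "dst": norm(dst)}


def detect_mass_rename(lines, window=WINDOW_SECONDS, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return one alert per (host, process, new extension) whose renames exceed the thresholds.

    Each alert is (host, process, new_ext, files_in_window, dirs_in_window).
    """
    recent = defaultdict(deque)   # (host, proc, new_ext) -> deque of (timestamp, directory)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] != "RENAME":
            continue
        old_ext = os.path.splitext(ev["src"])[1].lower()
        new_ext = os.path.splitext(ev["dst"])[1].lower()
        if not new_ext or new_ext == old_ext:
            continue   # renames that keep the extension (draft.docx -> final.docx) are routine
        key = (ev["host"], ev["proc"], new_ext)
        dq = recent[key]
        dq.append((ev["ts"], os.path.dirname(ev["src"])))
        while (ev["ts"] - dq[0][0]).total_seconds() > window:
            dq.popleft()   # drop renames that fell outside the sliding window
        dirs = {d for _, d in dq}
        if len(dq) >= min_files and len(dirs) >= min_dirs and key not in alerted:
            alerted.add(key)
            alerts.append((ev["host"], ev["proc"], new_ext, len(dq), len(dirs)))
    return alerts


def sample_alerts():
    """Run the detector over the constructed log above with the default thresholds."""
    return detect_mass_rename(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for host, proc, ext, n, d in sample_alerts():
        print(f"ALERT {host}: {proc} renamed {n} files in {d} directories to '{ext}' "
              f"within {WINDOW_SECONDS}s")
```

With the defaults only the burst on ehr-ws-17 fires: the two-file backup job on lab-srv-03 stays under the file threshold, and the cache cleanup on pacs-01 changes extensions in five directories but spaces them five minutes apart, so the window never holds more than one. Widening the window to an hour makes that cleanup job fire too, which is the tuning trade-off any hospital SOC faces between catching slow encryption and paging people for maintenance scripts. The ransom-note write (README_TO_DECRYPT.txt) in the sample is a second signal this detector deliberately ignores; it usually appears only after files are already lost.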
Behind the Curve: Health Care's Lagging Cyber Defenses
While industries such as finance and retail have been building their cyber defenses for decades, experts say most health care providers didn’t start thinking seriously about cybersecurity until about a decade ago when hospitals and the federal government began pouring billions into electronic health records.
Even then, many health systems initially failed to invest attention and resources in cybersecurity, often ignoring those within their organization advocating for greater vigilance. Hospital leaders saw cybersecurity as expensive and complicated, and the primary threat — data breaches — seemed to have little impact on their core mission of patient care.
“There was a lack of adoption, interest or acknowledgement for the seriousness of what was happening in the health care industry,” says Anahi Santiago, Chief Information Security Officer at ChristianaCare in Delaware. “And it has led to where we are now.”
A Wake-Up Call: Damaging Attacks Spur Attention
The rise of ransomware and its ability to cause significant financial harm and directly threaten patient care have pushed health care leaders to take cybersecurity more seriously.
Experts say media coverage of ransomware attacks forcing hospitals to divert ambulances, cancel appointments and even shut down altogether has pushed previously apathetic executives and board members to action.
“They’re saying, ‘How can we help? What do you need? What resources and investments do we need to make as a health care organization to make sure that you are successful in your fight against the cybersecurity threats?'” says ChristianaCare’s Santiago.
It’s difficult to document changes in cybersecurity spending, but several cybersecurity firms told Tradeoffs they’ve seen significant jumps in their health care business over the last several months.
Get To Know a Ransomware Negotiator
“You don’t take a career test and they say, ‘Oh, you’d be good at negotiating ransomware,'” says Karen Sprenger, COO and Chief Ransomware Negotiator for LMG Security in Missoula, Montana.
Sprenger says her love of mysteries, especially Sherlock Holmes, and passion for technology led her to start working as a cybersecurity incident responder nearly a decade ago.
“[I realized] there is a whole branch of technology that you can go in and investigate and determine what happened based on clues that the attacker leaves behind,” she says. “I just loved that ability to go in and recreate an event like Sherlock Holmes could.”
Sprenger’s first ransomware negotiation five years ago was a total accident. She was helping a client who had just been attacked with ransomware, and they asked her to negotiate with the attackers.
Even as the COO of a cybersecurity firm, Sprenger had no formal training in negotiating with criminals.
Instead, she looked to the same mysteries, crime novels and movies that got her interested in cybersecurity in the first place.
One of the most helpful movies was a 2000 film called Proof of Life, starring Meg Ryan as a woman whose husband has been kidnapped and Russell Crowe as the negotiator she hires to bring him home.
Among other lessons, Sprenger says Crowe’s character taught her the importance of keeping her emotions out of a negotiation.
Over the course of more than 100 ransomware negotiations in the last 5 years — including more than 30 involving health care — Sprenger has learned that cybercriminals often see themselves as legitimate businesspeople, striving to offer quality “customer service.”
“It’s very much like any website you go to that pops up and says, ‘Hi, how can I help you?’ That’s what you’re looking at,” she says. “They’re there, 24/7, ready to chat and answer your questions.”
To hear Sprenger describe a recent ransomware negotiation she conducted for a health care clinic in the Midwest, listen to the full episode.
A Tough Road Ahead: Challenges to Improving Health Care's Cybersecurity
Even with the increased attention being paid to cybersecurity, several challenges remain.
Money
Budget constraints are regularly cited as an impediment to implementing stronger cybersecurity, especially for smaller providers. The industry is lobbying the White House and Congress to include funding for health care cybersecurity in one of the infrastructure packages currently being negotiated.
Clinical Needs
Traditional cybersecurity measures like complex passwords, workstation lockouts and two-step authentication can sometimes make delivering quick patient care more difficult. This tension between security and speed is a constant challenge to navigate.
Staffing
The demand for cybersecurity workers far outstrips the supply. Health care cybersecurity executives say it's very difficult to compete for talent against other industries that can often offer higher salaries.
Medical Devices
The increasing number of devices connected to a hospital's network is seen as one of the biggest cyber risks in health care. This includes newer devices such as insulin pumps and heart rate monitors, as well as older equipment like MRI machines, which often run on outdated software that is difficult to secure.
Implementation
Even with the necessary funding, implementing new cybersecurity protocols requires significant time and effort — both to get institutional buy-in for more secure policies and to actually install and maintain secure systems.
Episode Resources
Select Reporting and Research on Health Care and Cybersecurity
Should ransomware payments be banned? (Tarah Wheeler and Ciaran Martin, Brookings Institution, 7/26/2021)
Scripps CEO Reveals Lessons Learned from Ransomware Attack (Jill McKeon, HealthITSecurity, 6/15/2021)
The Ruthless Hackers Behind Ransomware Attacks on U.S. Hospitals: ‘They Do Not Care’ (Kevin Poulsen and Melanie Evans, The Wall Street Journal, 6/10/2021)
Ransomware attacks are closing schools, delaying chemotherapy and derailing everyday life (Heather Kelly, Washington Post, 6/5/2021)
How to Negotiate with Ransomware Hackers (Rachel Monroe, The New Yorker, 5/31/2021)
The State of Ransomware in Healthcare 2021 (Sophos, May 2021)
The Cyberattacks Plaguing America’s Hospitals (Samantha Bee, Full Frontal, 3/25/2021)
Healthcare Cyberattacks Doubled in 2020, with 28% Tied to Ransomware (Jessica Davis, HealthITSecurity, 2/25/2021)
Patients of a Vermont Hospital Are Left ‘in the Dark’ After a Cyberattack (Ellen Barry and Nicole Perlroth, New York Times, 11/26/2020)
Several hospitals targeted in new wave of ransomware attacks (Vivian Salama, Alex Marquardt, Lauren Mascarenhas and Zachary Cohen; CNN; 10/29/2020)
Episode Credits
Guests:
Karen Sprenger, CISSP, GCFE, Chief Operating Officer and Chief Ransomware Negotiator, LMG Security
M. Eric Johnson, PhD, Ralph Owen Dean and Bruce D. Henderson Professor of Strategy, Vanderbilt University Owen Graduate School of Management
Anahi Santiago, Chief Information Security Officer, ChristianaCare
Saad Chaudhry, MPP, Chief Information Officer, Luminis Health
The Tradeoffs theme song was composed by Ty Citerman, with additional music this episode by Blue Dot Sessions.
This episode was reported and produced by Ryan Levi.
Additional thanks to:
Greg Garcia, Kevin Kline, Tom Hoffman, Sung Choi, Paul Bischoff, Errol Weiss, John Riggi, Christoph Lehmann, Mark Jarrett, Nicolette Louissaint, Nick Bennett, Joe Bengfort, the Tradeoffs Advisory Board and our stellar staff!