Jamie BiglowDawn Thomas
Download full report

Hackers are targeting the healthcare sector with increasing frequency. According to the US Department of Health and Human Services (HHS), from 2018 to 2022, there was a 93 percent increase in large breaches reported (369 to 712), with a 278 percent increase in such breaches involving ransomware. The Federal Bureau of Investigation received more reports of ransomware attacks on organizations in the healthcare and public health sector in 2022 (the most recent year available) than for any other critical infrastructure sector, with the number of attacks rising in the two years since then. In their recent report, The State of Ransomware in the U.S., Emsisoft Malware Lab reported that in 2023, 46 hospital systems with a total of 141 hospitals were affected by ransomware attacks. Finally, in a survey conducted by the Ponemon Institute in 2023, 88 percent of surveyed healthcare organizations reported having experienced at least one cyberattack in the past year.

Unfortunately, many hospitals are vulnerable to these increasingly persistent threats. Hospital cyber capacity and capabilities vary widely, which complicates the development and implementation of cyber standards. In addition, hospitals have a large attack surface, made up of a series of interconnected systems (including EHR, remote patient monitoring technology, imaging equipment, and telemedicine platforms), that increases their vulnerability to cyberattack. Partner organizations can also be a source of cyber disruption. For example, Change Healthcare, the insurance claims processing system that processes 50 percent of all medical claims in the US, was hit by a ransomware attack on February 21, 2024, disrupting the ability of medical providers across the country, including those of many hospitals, to make insurance claims and get paid.

Some hospitals have developed cyber continuity plans or have added cyber annexes to their emergency operations plans. However, more than half of hospital emergency managers surveyed noted that cybersecurity was not mentioned in their EOPs, despite it being highlighted in their Hazard Vulnerability Analysis. Hospitals need support to develop incident response plans that cover cyber-specific considerations, including the following:

  • An examination of potential cyber threats and levels of disruption (from minor inconveniences to a complete disruption of operations)
  • A thorough review of the hospital's mission critical functions and the resources (people, tools, facilities, and systems) needed to accomplish those functions
  • Victim organizations' criteria for making major decisions, such as shutting down information systems, remaining open or diverting patients, and transitioning to alternative processes
  • Contingency plans for how to keep operations running in the absence of business-critical systems such as phone, email, and medical files
  • Internal and external communication plans, including important contacts (in case internal address books are unavailable)
  • Response plans specific to when partners (including key vendors, nearby hospitals, and the city or county in which the hospital is located) are disabled by a cyberattack

Details

  • Publication Date: 3/13/2024