New Cost to Paying Ransom on Cyberattacks

Evolving Threats, New Guidance Add to Need for Healthcare Cybersecurity

By Megan Headley

As if the COVID-19 pandemic wasn’t hardship enough, healthcare organizations across the country are also under attack from another threat: cybercriminals.

In a joint cybersecurity advisory issued in late 2020, the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services (HHS) warned the healthcare and public health sector that they held “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The organizations warned healthcare providers to take precautions to protect their networks against malware threats that could lead to ransomware attacks, data theft, and disruption of services.

Since that date, HHS has investigated more than 100 new data breaches reported by healthcare providers. While these providers grapple with a COVID-19 response that has significantly expanded their reliance on IT networks, many are struggling to fight off an increase in dangerous cyberattacks.

“For those who have been watching, ransomware attacks have been on the rise for years and have only accelerated under the lockdowns being used to combat COVID-19,” says Allen Lynd, a veteran FBI cybersecurity expert and senior incident response advisor at cybersecurity consultancy CriticalStart.

These attacks may have also become more dangerous. In September 2020, a ransomware attack in Germany crippled a facility’s computer systems and forced a critically ill patient to be routed to a hospital in another city. The delay in treatment reportedly may have contributed to the patient’s death.

Small providers are often a favorite target. A 2020 intelligence brief from cybersecurity software provider RiskIQ found that, of a survey of ransomware attacks, 70% impacted small providers, who are more likely to pay ransoms to prevent care disruption and less likely to have robust security support. These attacks have affected facilities in every state, including hospitals and healthcare centers (51% of RiskIQ surveyed attacks), medical practices (24%), and health and wellness centers (17%).

Now, to combat this increase in attacks, the U.S. Treasury Department is cracking down—on organizations that pay off cybercriminals. This new guidance could hit healthcare organizations hard for fighting off ransomware in the way that’s traditionally served them best.

New guidance on ransomware response

In the past, Lynd says, there has been some “gray area” when it comes to how the Treasury Department looks at ransomware payments. “What the Treasury Department has been saying is if you’re being extorted for money and feel paying the ransom is the way to keep yourself operational, alright, you’re being forced to do this under duress. It’s not like you’re actively trying to give aid and comfort to the enemy, so to speak,” he says. “Nobody in healthcare was actually prosecuted or sanctioned under this.”

In its October 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, the Treasury Department has eliminated that gray area altogether in an effort to stem the increase in attacks.

“What it boils down to is if this is a known foreign actor who is on the sanctions list maintained by the Treasury Department, and you provide any money or any support, then you can face fines yourself and sanctions,” Lynd says. He explains that this list of what the Treasury Departments’ Office of Foreign Assets Control (OFAC) calls “malicious cyber actors” includes nations, as well as a long and evolving list of ransomware groups.

The reasoning behind this crackdown, states the advisory, is that “facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. … Ransomware payments may also embolden cyber actors to engage in future attacks.”

As a result, Lynd says, OFAC has stated that any person or organization that pays ransoms demanded by sanctioned players can themselves be sanctioned for facilitating those transactions. “It’s not limited to just the healthcare organization. It could include the cyber insurance companies paying it, and it could include the incident response or other company that is hired to negotiate that ransom down. So, anybody along the path who’s involved in this could face sanctions,” Lynd says.

Players on the Treasury Department’s sanctioned list are absolutely targeting healthcare organizations. OFAC specifically notes in its advisory SamSam ransomware, one example of an attack targeting “a large healthcare company.” Behind the attacks were two Iranian hackers who caused more than $30 million in losses to more than 200 victims, including six healthcare-related entities.

Federal agencies are also cautioning healthcare organizations to watch out for attacks from the cybercriminal enterprise behind TrickBot, the presumed creator of BazarLoader malware. This malware is disseminated via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware.

It’s not just more attacks

The change in guidance isn’t just about responding to an increase in attacks. It’s also about a shift in how ransomware attacks target healthcare organizations.

“Prior to about three years ago, ransomware was just about making the systems inoperative,” Lynd explains. By paying the ransom, the healthcare provider was able to regain access to data that had been encrypted. Some larger organizations, though, could avoid paying by moving to a backup of the encrypted data—and the hackers noticed. About three years ago, these malicious cyber actors began to also threaten to release the encrypted data to the public if the ransom wasn’t paid; the threat to hospitals thus shifted from data loss to data exposure.

Paying off the ransom has often been the most direct route to release stolen data—and, for insurance companies, the easiest way to remove that liability—but it also drives up the cost of future ransoms. Lynd notes that ransom demands average around $1.4 million today. Add to that the indirect costs of business downtime and system restoration work to prevent future attacks, and the costs go higher still.

Now, with greater reliance on connectivity to serve patients, there’s more incentive than ever for healthcare to prioritize investments in cybersecurity.

Where to start improving your cybersecurity

For organizations ready to take a more proactive approach to their cybersecurity, Lynd begins by walking clients through best practices as laid out by the National Institute of Standards and Technology’s cybersecurity framework. This includes basic recommendations on backing up data. The industry standard is the 3-2-1 rule of thumb. This guidance advises keeping at least three backups of your data in at least two separate formats, with one of those formats being off-site.

“That solves a lot of problems at once, not only in making sure that you can get up and running if you do have ransomware, but also for disaster recovery,” Lynd says. “If you have a tornado coming through your data center, you want to be able to get back up and running quickly.”

The next step Lynd’s firm recommends is requiring multifactor authentication to get into any kind of account. “Passwords alone are not sufficient at this point,” he says. However, effectively shifting toward multifactor authentication requires a great deal of education for employees.

“Unfortunately, the single largest factor for these attacks is still the individual employees who get hit with a bad phish,” Lynd says. “Conti and Ryuk [ransomware] looked at using COVID-19 bulletins with bad links to infect users. If you’re a healthcare organization and you’re seeing that come in, you’re likely to tend to click on it. Being able to detect a bad email is going to reduce the chances of your system getting infected.”

Solutions to mitigate the damage from a successful phishing attack include role-based access control, which restricts data at varying levels so that employees only have access to the data that is necessary to effectively do their job. This segregation of protected data makes it harder to compromise, while making it easier to comply with cybersecurity regulations.

Finally, it’s critical that health systems have someone monitoring their cybersecurity at all times. “It’s great to put all this security in, but if you don’t have somebody dedicated to monitoring your security and looking at what the devices are telling you all the time, it’s not going to help,” Lynd says.

Weighing your risks

These steps are good places to start, but many small healthcare organizations will find that hiring a dedicated cybersecurity advisor or outside contractor is necessary for proactively addressing cybersecurity.

“Frankly, when it comes to healthcare organizations, a lot of them are very small and they’re not really geared internally to allow their own people to do the best security,” Lynd says. “They need to outsource it, but a lot of them are reluctant to outsource because of HIPAA rules. There’s a Catch-22 where in order to be secure they need outside help, but they don’t want to necessarily bring in that outside help because they’re afraid of exposing data to those outside vendors.”

Lynd notes that many healthcare cybersecurity firms are led by professionals who come from either healthcare backgrounds, where they gained familiarity with HIPAA regulations and HITRUST compliance requirements, or from law enforcement. The risk of working with an outside firm is much less than doing nothing.

Bringing in these experts at the earliest stages of your cybersecurity efforts is critical to create a cohesive approach. “Security has to be part of the design process and part of the integration from the very beginning. It can’t be bolted on afterwards; it will never be as secure as it would if it were part of the original design,” Lynd says.

As Lynd points out, healthcare systems cannot completely eliminate risks from cyber threats, which are constantly evolving. Yet to mitigate those risks as much as possible, cybersecurity efforts cannot be static. The only way to truly keep your patients safe is to prioritize cybersecurity measures and training.

Megan Headley is a freelance writer and owner of ClearStory Publications. She has covered healthcare safety and operations for numerous publications. Headley can be reached at