The State of Ransomware in Healthcare 2021 report provides deep insight into the prevalence and impact of ransomware in the healthcare sector.
The report also compares the experiences of healthcare with other industries and reveals the future expectations and readiness of healthcare organisations in the face of these attacks.
The State of Ransomware in Healthcare 2021 survey was conducted by Vanson Bourne, an independent specialist in market research, in January and February 2021.
The survey interviewed 5,400 IT decision makers in 30 countries, including 328 respondents from healthcare that came from all geographic regions surveyed: the Americas, Europe, the Middle East, Africa, and Asia Pacific.
All respondents were from organisations with between 100 and 5,000 employees.
The report reveals that just over a third of healthcare organisations (34%) were hit by ransomware last year, which is actually slightly below the global cross-sector average of 37%.
Among the healthcare organisations that were hit by ransomware, 65% said their data was encrypted – compared with the cross-sector average of 54%.
Globally 39% of organisations were able to stop the attack before the data was encrypted, dropping to just 28% in healthcare.
This reduced ability to stop an attack may be a reflection of the financial and resourcing challenges that the healthcare sector faces, partly due to a reluctance to divert funds to cybersecurity that could be used for frontline patient care.
Healthcare is more likely to pay the ransom and less likely to backup.
Among the healthcare organisations whose data was encrypted, 34% paid the ransom compared with a cross-sector average of 32%.
This may be because healthcare was less able to restore data from backups than almost all other sectors: on average 57% of organisations used backups to get their data back – this came down to only 44% in healthcare, the second lowest across all sectors.
“What attackers omit when issuing ransom demands is that even if you pay, your chances of getting all your data back are slim. 25 healthcare respondents who paid the ransom to get their data back got back, on average, just 69% of their data, leaving a considerable proportion of their data inaccessible,” says Ross Anderson, Sophos Product Development Manager at Duxbury Networking.
While advanced and automated technologies are essential elements of an effective anti-ransomware defence, stopping hands-on attackers also requires human monitoring and intervention by skilled professionals.
“Whether in-house staff or outsourced pros, human experts are uniquely able to identify some of the telltale signs that ransomware attackers have you in their sights. We strongly recommend all organisations build up their human expertise in the face of the ongoing ransomware threat,” says Anderson.
In light of these findings, Sophos experts recommend the following best practices:
- Assume you will be hit. Ransomware remains highly prevalent. No sector, country, or organisation size is immune from the risk. It’s better to be prepared but not hit than the other way round.
- Make backups. Backups are the number one method organisations used to get their data back after an attack. And as we’ve seen, even if you pay the ransom, you rarely get all your data back, so you’ll need to rely on backups either way. A simple memory aid for backups is ‘3-2-1’. You should have at least three different copies (the one you are using now plus two or more spares), using at least two different backup systems (in case one should let you down), and with at least one copy stored offline and preferably offsite (where the crooks can’t tamper with it during an attack).
- Deploy layered protection. In the face of the considerable increase in extortion-based attacks, it is more important than ever to keep the adversaries out of your environment in the first place. Use layered protection to block attackers at as many points as possible across your environment.
- Combine human experts and anti-ransomware technology. Key to stopping ransomware is defence in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology gives you the scale and automation you need, while human experts are best able to detect the telltale tactics, techniques, and procedures that indicate that a skilled attacker is attempting to get into your environment. If you don’t have the skills in-house, look to enlist the support of a specialist cybersecurity company. SOCs are now realistic options for organisations of all sizes.
- Don’t pay the ransom. “We know this is easy to say, but far less easy to do when your organisation has ground to a halt due to a ransomware attack. Independent of any ethical considerations, paying the ransom is an ineffective way to get your data back. If you do decide to pay, be sure to include in your cost/benefit analysis the expectation that the adversaries will restore, on average, only two-thirds of your files,” says Anderson.
- Have a malware recovery plan. The best way to stop a cyberattack from turning into a full breach is to prepare in advance. Organisations that fall victim to an attack often realise they could have avoided a lot of cost, pain, and disruption if they had an incident response plan in place.