Rise of Healthcare Organisation Ransomware Attacks in Past Year

27% of healthcare employees claim their organisation has experienced at least one ransomware attack in the past year, according to a recent report from Kaspersky Lab. Additionally, a third of these respondents said their organization had experienced multiple ransomware attacks.

In this Kaspersky lab report, titled Cyber Pulse: The State of Cybersecurity in Healthcare, stated that up until January 1st of this year, the U.S. Department of Health and Human Services’ Office for Civil Rights has been made aware of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals.

These breaches can be detrimental to the organisations affected. Not only can breaches result in millions of dollars in costs, the healthcare organisations can also suffer a severe damage to their reputation and can result in harm being caused to patients.

Kaspersky Lab commissioned market research firm Opinion Matters to
investigate the state of cybersecurity in healthcare in the United States and Canada. 1,758 U.S. and Canadian healthcare employees were surveyed during this investigation, with the aim of exploring the perceptions of healthcare employees regarding cybersecurity in their organisation.

Between 1 and 4 ransomware attacks were claimed to have been experienced by 81% of small healthcare organizations (1-49 employees), 83% of medium-sized healthcare organizations (50-249 employees), and 81% of large healthcare organizations (250+ employees), according to this survey.

There are quite substantial costs related to mitigating ransomware and malware attacks with the average cost of a data breach now rising to $3.86 million according to the Ponemon Institute/IBM Security’s 2018 Cost of a Data Breach Report. However, Kaspersky Lab’s 2018 Cost of a Data Breach Report places the average cost at $1.23 million for enterprises and $120,000 for SMBs.

Cybersecurity is vital for reducing financial risk in healthcare organisations. In addition to this, 60% of healthcare employees said it was important to have appropriate cybersecurity solutions in place to protect people and companies they work with and 71% said it was important for cybersecurity measures to be implemented to protect the patients of their organisation.

Despite large investments in cybersecurity by healthcare organisations,
a large number of employees don’t feel comfortable with their organisation’s cybersecurity strategy. Only half of all healthcare IT workers claimed to be confident in their organisation’s cybersecurity strategy. This amount fell to 29% for management and doctors, 21% for nurses, 23% for employees in the finance department, and just 13% for the HR department.

It appears that many healthcare employees appear to have been lulled into a false sense of security, with 21% of respondents to the survey claiming they had total faith in their organisation’s ability to prevent cyberattacks and believing that their organisation won’t suffer another breach of data in the upcoming year.

A worrying statistic for healthcare organisations that arose from the survey is that 17% of employees said they would do nothing if they received an email from an unknown individual requesting PHI or login credentials. The same number of employees also admitted to having received an email request from a third-party vendor for ePHI and provided the ePHI as requested.

“Healthcare companies have become a major target for cybercriminals due to the successes they’ve had, and repeatedly have, in attacking these businesses. As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach,” noted VP of enterprise sales at Kaspersky Lab, Rob Cataldo. “Business leaders and IT personnel need to work together to create a balance of training, education, and security solutions strong enough to manage the risk.”