Padlock on laptop computer with red binary ransomware attacks on monitor screen of healthcare organizations

Twice as Many Healthcare Organizations Paid Extortion After Ransomware Attacks, but Only 2% Recovered All Data

A study by Sophos found that ransomware attacks against healthcare organizations almost doubled in 2021.

The State of Ransomware in Healthcare 2022 report found that nearly two-thirds (66%) of healthcare organizations were hit by ransomware in 2021 compared to just over a third (34%) in 2020.

Subsequently, the number of organizations paying ransom also almost doubled from 34% in 2020 to 61% in 2021, a 94% increase.

However, of all organizations that paid the ransom, only 2% recovered all data in 2021, compared to 8% in 2020. The change marked a 75% decrease in complete data recovery.

The report also discovered a worsening healthcare threat environment, with cyber attacks increasing by 69% in volume and 67% in perceived complexity, while the impact of ransomware attacks increased by 57%.

Sophos attributed the increase in ransomware attacks to the improvement in the ransomware-as-a-service (RaaS) model, reducing the skill level required to execute attacks.

The survey polled 5,600 IT professionals in mid-sized organizations, with 381 healthcare respondents from 31 countries participating in the study.

Healthcare organizations are the most likely to pay a ransom but fewer recover all their data

Sophos’ report found that 61% of healthcare organizations paid a ransom in 2021, compared to the global average of 46%.

Additionally, the tendency to pay the ransom had almost doubled from 34% in 2020.

However, healthcare organizations recovered only 65% of their data after paying ransom in 2021 compared to 69% in 2020.

The report also found that healthcare organizations experienced fewer ransomware attacks (61%), resulting in successful data encryption compared to the global average of 65%.

Although few organizations (2%) recovered all data after paying the ransom, data recovery after ransomware attacks had improved.

According to the report, 99% of healthcare organizations recovered some data in 2021, compared to 93% in 2020.

Healthcare orgs paid less ransom, incurred more recovery costs, and took longer to recover

The report by Sophos found that healthcare organizations paid the least amount of ransom with an average of $197,000 compared to the global average of $812,000.

While healthcare organizations paid the least ransom, their recovery costs were the second highest across all sectors.

Sophos’ report found that healthcare organizations spent an average of $1.85 million to recover from ransomware attacks, compared to the global average cost of $1.40 million.

According to Rajiv Pimplaskar, CEO, Dispersive Holdings, healthcare was the most impacted industry for eleven years in a row. The average data breach cost was $9.23 million in 2021, with a year-on-year increase of 30%.

The report also found that healthcare organizations spent significant time recovering from ransomware attacks.

Sophos found that 44% of organizations spent up to a week recovering from ransomware attacks, while a quarter (25%) spent up to a month.

Fewer healthcare organizations are covered by cyber insurance but are well compensated

Healthcare organizations had less-than-average cyber insurance coverage. Only 78% of healthcare organizations were covered by cyber insurance compared to the global average of 83%.

Additionally, most healthcare organizations (93%) reported difficulties finding a cyber insurance provider in 2021. More than half (51%) cited higher cybersecurity standards set by insurers as the biggest challenge for qualification.

However, after ransomware attacks, the cyber insurance payout in the healthcare sector was impressive. In  97% of the cases, the insurer paid some or all the costs incurred, with 47% covering the ransom cost.

James Graham, Director of Marketing, RiskLens, said that the increasing number of ransomware attacks changed the cyber insurance situation.

“Premiums have rapidly risen and insurance coverage is becoming much more restrictive,” Graham said. “Cyber insurance buyers should make a thorough quantitative analysis of their organizations’ probable loss exposure from ransomware to negotiate coverage from a strong position – or decide where they can self-insure with higher investment in cybersecurity controls.”

According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, cyber insurance could lead to more organizations paying ransom demands. These payouts would encourage criminals to invest in cybercrime, increasing the success of ransomware attacks.

“Of course, this only emboldens cybercriminals who can invest the stolen funds into ever more advanced tools and talent to ensure their continued success even as cyber insurance companies are demanding more stringent security controls as a condition of coverage.”

Cyber insurance positively impacts cybersecurity practices in the healthcare sector

Sophos’ report found that almost all (97%) healthcare organizations with cyber insurance policies upgraded their cyber defenses to improve their cyber insurance position.

“It’s great that cyber insurance companies are forcing more healthcare companies to get great cybersecurity and compliance, but I think cyber insurance company actuaries don’t understand what does and doesn’t work that well in cybersecurity, and they aren’t able to be nearly as accurate in reducing risk as they are in other areas,” Roger Grimes, Data-Driven Defense Evangelist, KnowBe4, said.

Grimes explained that most cyber insurers required organizations to have MFA enabled as a condition for coverage despite many MFA solutions being easily phishable.

“Ransomware in the healthcare space is more nuanced than other industries in terms of both protection and recovery,” said John Shier, a senior security expert at Sophos. “The data that healthcare organizations harness is extremely sensitive and valuable, which makes it very attractive to attackers.”

Shier noted that the need for efficient and widespread access to healthcare data made protection via zero-trust and two-factor authentication methods unfeasible.

“This leaves healthcare organizations particularly vulnerable, and when hit, they may opt to pay a ransom to keep pertinent, often lifesaving, patient data accessible,” he added. “Due to these unique factors, healthcare organizations need to expand their anti-ransomware defenses by combining security technology with human-led threat hunting to defend against today’s advanced cyber attackers.”