Why “Ransomware Insurance” Causes Healthcare Industry to Overlook Deeper, Underlying Security Issues

In most circumstances, insuring your organization against potential threats is a solid idea. By this logic, and particularly in healthcare, a sector where 34% of all organizations were hit by ransomware last year, insurance may seem like a good investment.

Unfortunately, having cyber insurance in place may give many businesses a false sense of security. The reality is that for most healthcare institutions, having insurance in place is likely to be doing far more harm than good.

Healthcare vulnerabilities run deep

With patient lives on the line, healthcare institutions can be critically vulnerable to the prolonged downtime that ransomware infections cause. Unfortunately, they are also particularly exposed to the type of breaches that let infections into their networks in the first place. This situation has gotten worse in the recent past.

Over the last 18 months, gradual shifts towards capabilities like telehealth, IoT devices, and cloud computing had to be rushed into action with little thought for security. Meanwhile, existing cybersecurity issues like a lack of security awareness among healthcare staff and frequent use of outdated software, such as Windows Explorer, have only expanded.

However, alongside growing vulnerability within healthcare organizations, another factor is driving the wave of ransomware attacks engulfing the sector: profit-motivated attackers have made healthcare a priority target.

For financially motivated cybercriminals, healthcare is a vulnerable target

While nation-state-based threat actors remain a significant danger to healthcare institutions, the biggest priority for the vast majority of hackers targeting the industry is profit.

In an analysis of over 5,000 confirmed breaches in sectors including healthcare last year, Verizon concluded that hackers were financially motivated in 86% of cases. With over 30% of healthcare institutions opting to pay a ransom when faced with an attack and the average healthcare institution likely to face a ransom demand twice the size of those faced by organizations in other sectors, their attractiveness as targets is evident.

To maximize their success, attackers are increasingly turning to new tactics. Recently developed strains like Ryuk and REvil allow threat actors to exfiltrate data while simultaneously shutting down victims’ operations, thus giving cybercriminals two paths to profit.

Critically, with healthcare data records up to 50 times more valuable than the next highest value record, this method of attack puts healthcare providers at the top of many cybercriminals’ hit lists. With healthcare organizations collecting, storing, and utilizing more data than ever, digital transformation within the healthcare sector is consequently attracting even more attention from cybercriminals. As a result, attacks are becoming more costly. According to IBM, the average cost of a data breach for healthcare institutions is now $7.3 million, the most expensive of any sector.

In a volatile threat environment, cyber insurance paints a target on victims

Presenting an attractive and vulnerable target within a highly active threat environment, healthcare institutions may come to see the possibility of an attack as an inevitability. And with a ransom payment the most obvious way to end an attack, finding a way to cover this cost ahead of time can appear a sound strategy.

However, although the market for insurance against attacks is soaring, insured organizations may increase rather than decrease their exposure to cyberattacks. As far as insurers are concerned, the quickest and most affordable way to end an attack for any victim is to pay a ransom, an outcome vastly cheaper than the cost of remediation. Worryingly, however, this is a fact not lost on cybercriminals themselves.

Earlier this year, in an anonymous interview, a cybercriminal working within the REvil ransomware group clearly outlined how threat actors benefit from cyber insurance. Talking to the security news website The Record, the interviewee outlined how insurance is helping cybercriminals choose their victims: “[Organizations that have cyber insurance are] one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer.”

A glimpse into how Darkside, the group behind the Colonial Pipeline attack, works, backs up this claim. According to Wired, Darkside’s hackers typically search through a victim’s system looking for evidence of insurance coverage, raising ransom demands significantly if they find out a victim is insured.

Stopping breaches is the best strategy

With spiraling costs driving insurers out of the market and insurance helping threat actors pick more lucrative targets and achieve bigger ransoms, insurance may actually be harming rather than helping organizations that rely on it. In the long run, the nearly exponential growth in ransom demands may even lead to their payment being outlawed in many places, a measure that has widespread support among cybersecurity professionals.

It’s also vital to note that while a ransom payment may or may not stop an attack’s paralyzing effects, it does nothing to prevent the kind of data exfiltration that defines attacks on healthcare organizations. Accordingly, the only sustainable response to ransomware for any organization is to take a proactive approach to defense.

Proactive defense requires a multi-pronged strategy. Ideally, every healthcare organization should combine hardened systems, security-aware staff, and a zero-trust approach to network security. However, with phishing and spear-phishing being involved in at least 60% of healthcare breaches, another critical component of defense is reducing the amount of employee personal information available to threat actors.

Employee PII and healthcare cybersecurity

As they seek to target valuable healthcare customer data, threat actors are highly likely to leverage employee personal data as a way into victim networks. Socially engineered, publicly available data points such as an employee’s job title, home address, and details about their family members are extremely valuable tools for cybercriminals.

Organizations focusing on proactive defense against threats like ransomware need to keep this in mind when assessing their security posture. Staff whose data is exposed through data broker websites, or even their own social media pages, are inadvertently expanding their organization’s vulnerabilities. For their employers, mitigating this issue means extending measures like privacy awareness training and data broker removal to staff.

Final thoughts

Within healthcare, cybersecurity has traditionally been relatively under-prioritized. Looking at this issue in financial terms, cybersecurity is likely to occupy only around 5% of the average provider’s budget, roughly a third of what organizations in other sectors such as the financial industry allocate. This status quo clearly needs to change, but cyber insurance should not be a priority for any organization.

While securing employee personal information is not the only step organizations should take towards proactive defense, it is nevertheless an important one. As they seek to secure their endpoints, servers, and connected devices, no healthcare organization can afford to forget its most significant vulnerability: its staff.