The UK’s healthcare sector, already suffering from a backlog of patients and a loss of staff since the pandemic, is simultaneously locked in another fight: against ransomware. Ever since the WannaCry attack of 2017, the threat of ransomware and its implications have been well understood to be detrimental to healthcare organisations (HCOs). Ransomware now dominates the threat landscape in the healthcare industry, accounting for over half (54%) of attacks, according to the EU security agency ENISA. In the UK, HCOs are no strangers to breaches; it’s a reality that comes with potentially devastating consequences, and recent incidents like the King Edward VII’s Hospital attack prove that ransomware remains a significant threat to HCOs’ finances and patient safety. With ransomware groups operating in the shadows, untouchable and shielded from any sort of consequences, healthcare CISOs face a unique challenge in which lives may be at stake. Building resilient security and a rapid incident response strategy is key.
Why is healthcare such a perfect target?
Although HCOs are all quite different, they do share many common practices and systems, making them an attractive target for ransomware groups. Healthcare’s vulnerability to ransomware lies in its extremely large attack surface coupled with critical dependence on the systems that make it up. The NHS alone has 1.5 million devices: a mix of modern IoT gadgets, home-working laptops, and ageing operational technology (OT) struggling to keep pace with modern security updates. This complexity gives threat actors an almost unlimited number of entry points. All of these devices must be updated, patched and protected with secure authentication, something that becomes particularly difficult to manage as the number of devices increases.
The next issue is human error. Just like in any organisation, employees are often the weakest link, which is especially true in healthcare due to two key factors: the high-pressure environment in clinical settings, and the potential laxity of home care workers. Clinical staff face an unprecedented challenge, with high pressure and heavy workloads raising the risk of human error. A hurried click on a phishing email disguised as a patient update, or the accidental download of malicious software while searching for medical resources, can have disastrous consequences. On the other hand, home care workers, who can be distracted or unsuspecting, are more likely to ignore some rules or cut corners when it comes to security. Cybercriminals know this, and they exploit these weaknesses with targeted phishing campaigns and social engineering scams. The best defence is comprehensive training for all employees, which unfortunately is lacking in HCOs. According to government figures, just a third (35%) of healthcare sector organisations have had cybersecurity training or awareness raising over the past year. This gap in training leaves healthcare workers woefully unprepared to recognise and combat cyber threats, leaving HCOs vulnerable.
In addition to this, the sprawling supply chain adds another layer of vulnerability. From cleaning crews to software suppliers, each link is a potential doorway that threat actors can exploit. The MOVEit data theft was a grim reminder of this, with Ireland’s HSE admitting it had information stolen by the ransomware group that exploited a zero-day vulnerability in the software.
The combination of HCOs’ low tolerance for service outages and the highly monetisable nature of patient data makes the healthcare sector a prime target for threat actors seeking maximum disruption and financial gain.
The Escalating Arms Race
Healthcare CISOs are locked in a relentless arms race with increasingly sophisticated adversaries. Fuelled by a trillion-dollar underground economy, cybercriminals are refining their tactics at an alarming rate. Since 2021, the share of attacks targeting healthcare organisations has skyrocketed from 34% to 60% today, with double extortion – encrypting data and threatening to leak it – becoming the norm. Sophos, a cybersecurity firm, reports that data was stolen in a staggering 37% of cases where encryption occurred.
Unlike the under-resourced security teams of HCOs, threat actors have the luxury of abundant talent. The cybercrime underground offers a thriving “as-a-service” marketplace, significantly lowering the barrier to entry for aspiring hacker groups. These groups can readily purchase specialised tools and expertise, including access from initial access brokers (IABs) who provide footholds to target networks.
Raising the stakes even further, threat actors are now deploying malware capable of deleting back-ups, aiming to gather more leverage for ransom negotiations. They’re also shifting their focus to cloud environments, launching data-deletion attacks on AWS buckets instead of traditional encryption, leaving victims with nothing to fall back on.
The hefty price tag of ransomware
The true cost of ransomware in healthcare extends far beyond financial losses. WannaCry’s 2017 attack disrupted 34% of trusts in England and 603 primary care and other NHS organisations, including 595 GP practices, leading to approximately 19,000 cancelled appointments and operations. Another example is the ransomware breach that Ireland’s Health Service Executive (HSE) experienced in 2021; since then, the HSE has spent tens of millions of euros managing the fallout. A report by ThreatConnect estimates that SME HCOs lose around 30% of operating income when hit by a serious ransomware attack.
But the price tag unfortunately goes deeper than just numbers. Cyber-attacks impact patient trust, with studies showing a correlation between data breaches and increased mortality rates, some even linking them to heart attack fatalities. Ransomware often forces HCOs to take critical systems offline, potentially delaying diagnoses, hindering emergency care, and jeopardising patient safety. These are not simple inconveniences; they are potential life-or-death situations.
How can CISOs protect their organisations?
Facing the inevitability of a future attack, healthcare CISOs must prioritise building resilience before an attack can occur. A comprehensive cybersecurity audit should be their first line of defence. This audit should map internal and external threats, vulnerabilities, and exposure, ensuring compliance with industry standards like ISO 27001 and best practices like Cyber Essentials Plus. It should also recommend concrete actions like staff training and awareness programs, along with clear breach response plans.
A robust audit could reveal critical vulnerabilities like outdated software and unpatched devices, which inevitably become targets for threat actors. Risk-based patch management that prioritises the most exposed assets is the first step in building a defence. The Sophos study on the state of ransomware showed that improper patching accounted for 29% of healthcare breaches in 2023.
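To make "prioritise the most exposed assets" concrete, here is an added illustration (not code from the article or from CYFOR Secure) that scores a constructed device inventory by exposure, exploitation status, patch age and clinical impact, and separates unpatchable OT into an "isolate" queue for compensating controls. The asset names, field layout and scoring weights are hypothetical assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    # Constructed inventory record; fields are assumptions for this example.
    name: str
    kind: str                # "ot", "iot", "laptop" or "server"
    internet_exposed: bool   # reachable from outside the trust network
    patch_age_days: int      # days since the vendor fix became available
    exploited_in_wild: bool  # outstanding flaw has known active exploitation
    clinical_impact: int     # 1 (admin only) .. 5 (direct patient care)
    patchable: bool = True   # False for OT that cannot be updated in place


def risk_score(a: Asset) -> int:
    """Weighted exposure score: higher means patch (or isolate) sooner."""
    score = a.clinical_impact * 10
    if a.internet_exposed:
        score += 40                          # externally reachable attack surface
    if a.exploited_in_wild:
        score += 30                          # actively exploited, not theoretical
    score += min(a.patch_age_days, 90) // 3  # up to +30 once 90+ days overdue
    if a.kind in ("ot", "iot"):
        score += 10                          # weak built-in controls, slow vendors
    return score


def prioritise(inventory):
    """Return (action, score, asset) tuples, most urgent first.
    Unpatchable OT is routed to 'isolate' (segmentation) instead of 'patch'."""
    queue = [("patch" if a.patchable else "isolate", risk_score(a), a)
             for a in inventory]
    queue.sort(key=lambda t: t[1], reverse=True)
    return queue


# Constructed sample inventory; not real devices or real NHS data.
INVENTORY = [
    Asset("vpn-gateway-01", "server", True, 14, True, 4),
    Asset("mri-console-03", "ot", False, 400, False, 5, patchable=False),
    Asset("homecare-laptop-117", "laptop", True, 45, False, 2),
    Asset("ward-infusion-pump-22", "iot", False, 120, False, 5),
    Asset("hr-fileserver", "server", False, 7, False, 1),
]

if __name__ == "__main__":
    for action, score, a in prioritise(INVENTORY):
        print(f"{score:3d}  {action:7s} {a.name}")
```

The internet-facing gateway with an actively exploited flaw tops the queue, while the long-unpatched MRI console scores high but lands in the isolate queue because it cannot be patched in place.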
Patching and vigilance are crucial, but the healthcare industry’s vast attack surface makes breaches near-inevitable. This is where visibility plays a key role. Continuous network-level monitoring becomes the early warning system, giving security teams a chance to contain threats before they reach critical assets, and accelerating incident response.
Developing a comprehensive incident response plan that pinpoints critical systems and data assets, identifies potential vulnerabilities, and establishes readily accessible backups can significantly reduce response time, minimise the impact of breaches, and prevent reputational damage.
By taking a proactive approach to their security strategy that follows security best practices, HCOs can better prepare themselves against the ever-evolving threat of ransomware and protect the lives entrusted to their care.
By Will Poole, Head of Incident Response at CYFOR Secure