Healthcare Ransomware Attacks Threaten Up to 30% of Operating … – HIPAA Journal
Healthcare Ransomware Attacks Threaten Up to 30% of Operating Income
Ransomware attacks increased by 91% in March 2023, according to a new analysis by NCC Group. There were 459 confirmed attacks in March, which is a 62% increase from March last year. The massive increase was due to the zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT file management solution, which was exploited by the Clop ransomware group in 130 attacks on companies over a 10-day period.
The Clop ransomware group explained that ransomware could have been deployed in those attacks; however, the decision was made to conduct extortion only, without encrypting files. Even discounting those attacks, since ransomware was not actually used, attacks are still occurring at a higher rate than in 2022. According to NCC Group, hacking and data leak incidents are also occurring at a much higher rate, more frequently than at any time in the past 3 years.
ThreatConnect Quantifies the Cost of a Healthcare Ransomware Attack
Ransomware attacks can be costly to resolve, especially for small organizations, but the true cost of the attacks is difficult to determine. IBM Security calculated the average cost of a data breach to be $4.82 million in 2021, and $9.23 million for a healthcare data breach, but the cost of recovering from a ransomware attack is less clear, as is the likely cost to any specific organization. ThreatConnect recently attempted to quantify the cost of a ransomware attack to make the likely costs clearer. As ThreatConnect explained, an average cost naturally includes incidents where the recovery costs were relatively low as well as attacks where the costs were atypically high. The average cost is a useful figure, but it says nothing about how much a data breach is likely to cost a specific business.
ThreatConnect’s analysis took several factors into account, such as the size of the organization and the operating environment, and estimated the median cost to operating income from ransomware attacks. The analysis was broken down by the size of an organization based on operating income. Operating income is revenue minus the cost of goods or services sold, minus operating expenses. The operating incomes used for the analysis were small ($500 million), medium ($1.5 billion), and large ($15 billion). The median cost of a ransomware attack was then estimated based on past losses in each cohort, which was further broken down into different industry sectors.
Ransomware Attacks Threaten as Much as 30% of Operating Income
In addition to the cost of a ransom, if one is paid, healthcare organizations have substantial remediation costs, lose revenue while operations are disrupted during remediation, and face continuing costs from reputational damage. The startling revelation from the analysis was the percentage of operating income that was at risk from ransomware attacks. For a small healthcare organization, the median loss from a ransomware attack was $15.2 million, which is more than 30% of operating income. The impact on medium-sized healthcare organizations was far less, with an estimated median cost of $26.8 million or 15.36% of their operating income, and lowest for large healthcare organizations, which had a median cost of $101.2 million, but that represents just 4.92% of operating income.
The largest share of the cost comes from the loss of revenue rather than remediation. For a small healthcare organization, that would be $8.92 million in lost revenue and $5.45 million in remediation costs. For medium-sized healthcare organizations, the revenue loss was $16.06 million with remediation costs of $7.77 million, and for large organizations, $72.84 million in lost revenue and $23.83 million in remediation costs.
“With the National Cyber Strategy coming out of the White House focusing on decreasing cyber risk from critical infrastructure and the new SEC Cyber Proposals, organizations across industries are now being tasked with reporting on cyber risk,” said Jerry Caponera, GM of Risk Quantification, ThreatConnect. “Organizations are finally waking up to the fact that the impact of ransomware and other cyber attacks is more than just a moment in time. The financial implications are far-reaching and create barriers for companies to continue operations after these attacks.”
The post Healthcare Ransomware Attacks Threaten Up to 30% of Operating Income appeared first on HIPAA Journal.
One-Fifth of Healthcare Organizations Do Not Enforce Cybersecurity … – HIPAA Journal
One-Fifth of Healthcare Organizations Do Not Enforce Cybersecurity Protocols
A recent Salesforce survey revealed some of the security gaps that exist in healthcare organizations, even those that have a security-first culture. The survey revealed that one-fifth of healthcare organizations do not strictly enforce their cybersecurity protocols and only two-fifths of healthcare workers look at their security protocols before using new tools or technology.
The Salesforce survey was conducted on April 13, 2023, with 400 healthcare workers in the United States, who were asked questions about cybersecurity and the policies and procedures at their organizations. 57% of surveyed workers said their job has become more digitized over the past two years, which means more data than ever now needs to be protected. There is a common myth that cybersecurity is the sole responsibility of the IT department; however, a majority of the respondents were aware that cybersecurity is a shared responsibility. 76% of healthcare respondents agreed that it is their responsibility to keep data safe, yet despite being aware of the need to protect data, many workers admitted to not always following cybersecurity best practices.
22% of respondents said their organization does not strictly enforce cybersecurity protocols, and 31% of respondents said they were unsure what they should do in the event of a breach. While more than two-thirds of workers (67%) said they have a security-first culture at work, 31% of respondents said they are not very familiar with their company’s security policies and processes and only 39% of workers check security protocols before trying new tools or technology.
There appears to be a lack of understanding about security risks associated with connected devices such as phones and laptop computers, with only 40% of surveyed workers believing they pose a security risk and 48% thinking their personal devices were as secure as their work devices. 46% of workers said they have accessed work documents on their personal devices. A large number of healthcare workers implicitly trust their work devices, with 61% of workers saying that if something could be accessed on their work device it must be safe.
These are issues that can be tackled through security awareness training, but the message does not appear to be getting through, even though 70% of respondents said they are given training on how to keep data safe. While an increasing number of organizations understand the importance of providing security awareness training to the workforce, there is room for improvement, as those training courses are not proving to be as effective as they should be. Only 54% of respondents said their training was efficient, and 19% said training is generic and not relevant to their job.
One-third of workers (33%) said they use the same passwords for their personal and work accounts, 25% of surveyed workers admitted to clicking a suspicious link in an email at work, only 42% of workers report all suspicious emails to their security team, 19% do not always use a VPN when conducting work online, and only 39% of workers always use multi-factor authentication.
The survey shows that while healthcare organizations are taking steps to develop a security culture, more needs to be done to get the message across that security best practices must always be followed. Improving the efficiency of training, for example by implementing a modular training course and tailoring the content to specific roles so that it is relevant, can help to get employees on board. The survey also suggests healthcare organizations could do a lot more when it comes to enforcing security policies.
The post One-Fifth of Healthcare Organizations Do Not Enforce Cybersecurity Protocols appeared first on HIPAA Journal.