Ransomware Increasingly Targets Medical Providers

Cybersecurity & Technology

Ransomware continues to make headlines in the data security world, and with good reason.  A report issued earlier this year by the Director of National Intelligence highlighted the continued surge in ransomware attacks in the U.S.  While commercial companies remain the biggest target, reported ransomware attacks expanded across all sectors of the economy, with attacks on U.S. healthcare providers nearly doubling.

Ransomware is a type of malicious software that attackers deploy to encrypt a target’s data, exfiltrate (copy out) that data, or both, and then demand a ransom.  If the target does not pay, it risks the permanent loss of access to the data, the publication of sensitive data online, or the sale of private information to third parties.

Healthcare organizations, ranging from hospitals to small clinics, are prime targets for ransomware attacks due to the nature of the information they collect: not only do they have sensitive medical information, but they keep other personally identifiable information, such as addresses and birthdates, as well as payment information. The consequences of a successful ransomware attack on a healthcare facility can be catastrophic, potentially resulting in disrupted operations, compromised patient care, significant financial losses, and immense reputational harm.

Because ransomware is a business, any good ransomware hacker focuses on their return on investment. They chase the biggest payday from the smallest initial investment, meaning they prefer easy targets.  The good news is there are some relatively easy steps you can take to make your healthcare company a more hardened target.

  1. Employee Training and Awareness: This is the lowest bar for your company to clear.  Educate your staff about the existence and dangers of ransomware, and how best to avoid letting the malicious code inside your walls.  Require good password hygiene, have appropriate policies about the use of external devices, and conduct regular training to combat phishing scams.
  2. Implement Proper IT Security Measures: Work with your IT department and external vendors to deploy a multi-layered security system. This will include, at a minimum, antivirus software, firewalls, intrusion detection systems, and encryption of sensitive data (so that anyone who steals it cannot read it).  All of these systems must be subject to continued testing and regular updates to keep pace with the attackers.
  3. Data Backup and Recovery: Backing up your data regularly and securely will minimize any business disruption and the loss of patient medical records in the event of a ransomware attack. Regularly test your backup systems to ensure the data will be accessible in the event of an attack.
  4. Limit Access and Storage: Make sure that the only employees who have access to sensitive data are those who require it for the performance of their jobs. Require multi-factor authentication and always revoke an employee’s access to your data as soon as their employment ends.  Also, consider disposing of any data that you are not required by law to maintain: less data on hand means less data that can become a ransomware target.
  5. Incident Response Planning: Develop a comprehensive incident response plan. This will establish clear protocols for detecting, containing, and eradicating malware such as ransomware.  It will also guide how your company communicates with stakeholders, law enforcement, regulatory bodies, and the media following a known or suspected ransomware attack.  Conduct regular tabletop exercises to test the incident response plan, expose any snags, and ensure that each employee with a role to play is ready to play it.
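Step 4 above (least-privilege access, multi-factor authentication, and prompt revocation when employment ends) is easiest to keep honest with a periodic reconciliation of live accounts against the HR roster. The script below is an added example and not part of the original article or of any firm's tooling; the account records, the HR roster, and the role-to-entitlement policy are all constructed for illustration, and the field names are assumptions rather than any particular system's schema.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample schema (assumption, not a real directory's format).
@dataclass(frozen=True)
class Account:
    username: str
    mfa_enabled: bool
    groups: FrozenSet[str]  # access groups on the EHR, file share, etc.

@dataclass(frozen=True)
class Employee:
    username: str
    role: str
    termination_date: Optional[date]  # None means still employed

# Which access groups each job role legitimately needs (assumed policy).
ROLE_ENTITLEMENTS = {
    "physician": {"ehr-clinical", "phi-share"},
    "billing": {"billing-system", "phi-share"},
    "front-desk": {"scheduling"},
    "it-admin": {"domain-admin", "backup-console"},
}

def audit_access(accounts: List[Account], roster: List[Employee],
                 today: date) -> List[Tuple[str, str]]:
    """Return (username, issue) findings for accounts that violate
    the offboarding, MFA, or least-privilege expectations."""
    findings = []
    by_user = {e.username: e for e in roster}
    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None:
            # Orphaned or shared account: nobody in HR owns it.
            findings.append((acct.username, "no matching HR record"))
            continue
        if emp.termination_date is not None and emp.termination_date <= today:
            findings.append((acct.username,
                             f"terminated {emp.termination_date.isoformat()} but still active"))
        if not acct.mfa_enabled:
            findings.append((acct.username, "MFA not enabled"))
        # Any group beyond what the role needs is excess privilege.
        allowed = ROLE_ENTITLEMENTS.get(emp.role, set())
        for group in sorted(acct.groups - allowed):
            findings.append((acct.username,
                             f"group '{group}' not required for role '{emp.role}'"))
    return findings

def run_sample() -> List[Tuple[str, str]]:
    """Run the audit over constructed sample data (not real records)."""
    accounts = [
        Account("jsmith", True, frozenset({"ehr-clinical", "phi-share"})),
        Account("mlee", False, frozenset({"billing-system", "phi-share", "ehr-clinical"})),
        Account("tnguyen", True, frozenset({"scheduling"})),
        Account("svc-legacy", False, frozenset({"phi-share"})),
    ]
    roster = [
        Employee("jsmith", "physician", None),
        Employee("mlee", "billing", None),
        Employee("tnguyen", "front-desk", date(2024, 5, 31)),
    ]
    return audit_access(accounts, roster, today=date(2024, 6, 14))

if __name__ == "__main__":
    for user, issue in run_sample():
        print(f"{user}: {issue}")
```

On the constructed data the audit flags the terminated front-desk account that was never disabled, the billing account without MFA that also holds a clinical group it does not need, and a service account with no HR owner, while the correctly provisioned physician account produces no findings. Running this against real exports on a schedule turns the "revoke access as soon as employment ends" rule into something measurable rather than aspirational.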

Taking these steps will not ensure that your healthcare company never becomes the victim of ransomware or another hack; nothing can do that.  But it will make your company less likely to be attacked and more resilient if an attack occurs.

If you have questions about how your company can protect itself from ransomware attacks, or if you think your company may be the victim of a hack, contact Chris Jones or a member of Sands Anderson’s Cybersecurity & Technology team.
