On Thanksgiving Day, 2023, Ardent Health Services, which owns and operates 30 hospitals and over 200 sites of care in six states, recognized that it was the victim of a ransomware attack. In response, the organization “proactively took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs.”

Essentially deprived of the technologies that have become the lifeblood of modern healthcare systems, Ardent-affiliated hospitals scrambled to cope. Emergency rooms went to divert status and some non-emergent, elective procedures were temporarily postponed. Staff at one hospital described working without access to electronic health records as “chaotic.” Not able to use Epic’s My Chart system, patients had to find workarounds to obtain prescription refills.

A growing problem

The Ardent case was just one of hundreds of cyberattacks on healthcare reported in 2023 and the associated ransom demand—the specifics of which remain unknown—is emblematic of a growing problem for the healthcare sector.

In the decades since the first ransomware attack was delivered to AIDS researchers on floppy discs in 1989, cyberattacks in general and ransomware attacks in particular have grown in both sophistication and cost. The healthcare sector, which represents nearly a fifth of the U.S. economy and is replete with protected health information (PHI) and personally identifiable information (PII), remains a favorite target among cybercriminals. In 2022, healthcare remained the primary target for critical infrastructure attacks, suffering nearly 25% of all ransomware incidents.

According to the American Hospital Association (AHA), there was a “dramatic increase in cyberattacks targeting hospitals and health systems” during the COVID-19 pandemic. As cybercriminals increasingly target small and rural hospitals, which generally have weaker defense systems, the average recovery duration has become longer.

It isn’t just hospitals. As researchers raced to develop vaccines and treatments for COVID-19 in 2020, hackers presumed to be associated with North Korea attempted to breach the information systems of global pharmaceutical company AstraZeneca. Drug development and research were further threatened when eResearchTechnology (ERT), which develops software used in clinical trials, was hit by a ransomware attack in 2021.

In 2023, several large pharmaceutical companies reported ransomware attacks. In March, Sun Pharmaceuticals of Mumbai alerted the National Stock Exchange of India to “a breach of certain file systems and the theft of certain company data and personal data.” Following this, Granules India reported an IT breach for which the Russia-based LockBit group subsequently claimed responsibility. And, even as it celebrated the success of its Alzheimer’s drug Leqembi last summer, Japan’s Eisai acknowledged an attack on “some” of its servers.

According to IBM Security’s report, the average data breach in the healthcare sector costs $10.93 million—one and a half times the cost of a breach in 2020.

But the damage isn’t only monetary.

In Germany, a delay in care after a ransomware attack on Düsseldorf University Hospital resulted in a patient’s death. Additional research in the United States indicates that ransomware attacks were responsible for between 42 and 67 Medicare patients’ deaths between 2016 and 2021.

In a cybersecurity advisory issued in November, John Riggi, AHA’s National Advisor for Cybersecurity and Risk, stated, “Ransomware attacks against hospitals are not financial crimes; they are acts of cyber terrorism and threat-to-life crimes.”

The process

Cyberattacks typically begin with malware, or malicious software. This may take one of several forms, notably Trojans or worms.

Trojans, named after the Greek Trojan Horse, are represented to users as benign downloads or legitimate software. Users are tricked into loading and executing the Trojan on their computers, resulting in unauthorized access to their system. Trojans do not replicate themselves, which means they require user interaction to be installed or spread to other systems. Trojans can serve as “loaders” for additional malware.

In contrast, a worm is a standalone malware program that replicates itself to spread to other computers. Unlike a Trojan, it does not need to attach itself to an existing program or rely on human action to propagate. Worms typically exploit vulnerabilities in operating systems or other software to spread across networks, causing widespread damage. While Trojans are more about deceptive entry at a single computer, worms are focused on rapid and autonomous propagation to infect as many devices as possible.

Ransomware is a specific type of malware that encrypts the victim’s files or locks the user out of their device and is accompanied by a ransom demand for the restoration of access. While malware’s data breaches allow a hacker to immediately steal information from a system, the primary goal of ransomware is to extort money from its victims. Attackers typically demand payment in cryptocurrency in exchange for a key which will allow access to the encrypted data or locked system. A hacker may demonstrate the legitimacy of a key by unlocking a single file or process. If their demands are ignored, they may begin publishing stolen data on the internet to taunt a victim and raise the stakes.
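The paragraph above describes the footprint file-encrypting ransomware leaves behind: data files turned into what looks like random bytes, plus a note demanding payment. The script below is an added defender-side example, not code from the original article or from any of the organizations it names; it applies a Shannon-entropy heuristic to flag likely-encrypted files and looks for ransom notes by filename. The note-name markers and the sample files are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed, hypothetical note-name markers; real families use many different names.
RANSOM_NOTE_MARKERS = ("README", "DECRYPT", "RESTORE")
ENTROPY_THRESHOLD = 7.5  # bits/byte; ordinary documents usually sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_directory(path: str) -> dict:
    """Flag likely-encrypted files and ransom notes under path."""
    findings = {"encrypted": [], "notes": []}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if any(m in name.upper() for m in RANSOM_NOTE_MARKERS):
                findings["notes"].append(full)
                continue
            with open(full, "rb") as fh:
                head = fh.read(4096)  # the first 4 KiB is enough for a heuristic
            # Very small files give unreliable entropy, so require a minimum size.
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                findings["encrypted"].append(full)
    return findings


def demo() -> dict:
    """Build a constructed sample tree, scan it, and return the counts found."""
    with tempfile.TemporaryDirectory() as tmp:
        # Plaintext clinical note: repetitive text, low entropy.
        with open(os.path.join(tmp, "visit.txt"), "w") as fh:
            fh.write("Patient seen for follow-up. Vitals stable. " * 50)
        # Stand-in for a file ransomware has encrypted: random bytes, high entropy.
        with open(os.path.join(tmp, "visit.txt.locked"), "wb") as fh:
            fh.write(os.urandom(4096))
        # Constructed ransom note dropped beside the data.
        with open(os.path.join(tmp, "README_DECRYPT.txt"), "w") as fh:
            fh.write("Your files are encrypted. Pay to restore access.")
        found = scan_directory(tmp)
        return {"encrypted": len(found["encrypted"]), "notes": len(found["notes"])}
```

Entropy alone also fires on legitimately compressed or encrypted files (archives, images, encrypted backups), so in practice this signal is combined with the rate of file modifications and the presence of a note rather than used on its own.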

The risk of ransomware attacks on healthcare organizations has been elevated by ransomware-as-a-service (RaaS), a model in which the creators or operators of ransomware make their malicious software available for use or purchase by other criminals, typically on the so-called dark web.

RaaS makes ransomware readily available to a wider pool of attackers, including those with limited technological skills. Providers of RaaS such as BlackCat/ALPHV, a group which has long played a game of cat-and-mouse with the Federal Bureau of Investigation (FBI), offer a range of services beyond the ransomware itself. These may include support, payment processing, and even “customer service” to assist those using their products.

The perpetrators

While early cyberattacks followed a “spray and pray” model in which perpetrators rapidly and randomly distributed malicious code to numerous targets without specific selection criteria, today’s cybercriminals are more precise in both their intentions and their targets. And, despite Hollywood stereotypes, they are generally not hobbyist hackers working from their parents’ basements.

Modern cybercriminals are often nation-state actors or members of organized crime syndicates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified China, Russia, Iran, and North Korea as state sponsors of cybercrime.

As cyberattacks have become more sophisticated, their perpetrators have become more difficult to locate. One federal indictment illustrates the challenge law enforcement faces in pinpointing cybercriminals’ locations with its reference to its subjects’ positions “in or around Russia, Belarus, Ukraine, and elsewhere.”

The indictment’s reference to three countries once affiliated with the Soviet Union is neither unusual nor incidental. The Carnegie Endowment for International Peace has observed that the blind eye turned by some former Soviet states has allowed cybercriminals to operate within their borders with relative impunity.

This geographical concentration of cybercriminals in Eastern Europe means that sociopolitical developments in the region can affect cybercrime activity. For example, the Russian invasion of Ukraine prompted a Ukrainian researcher to leak information related to the Russia-based Conti gang. And some cybersecurity experts have attributed a brief dip in ransomware crimes in 2022 to the conflict in Ukraine.

Advising law enforcement and paying ransom

The Department of Health and Human Services (HHS) advises any healthcare organization hit with a ransomware attack to contact its local FBI or United States Secret Service field office. While language in the ransomware might threaten consequences for contacting the police, IBM Security has found that excluding law enforcement from resolution of a ransomware attack is likely to result in higher costs as well as longer breach lifecycles. Attackers may represent themselves as being the only path for decryption of files, but the FBI and other law enforcement agencies are often able to offer decryption keys.

Managing ransom demands can be fraught with pitfalls. While paying ransom is not illegal, federal agencies, including the FBI, CISA, and HHS, recommend against complying with ransom demands. Importantly, although paying ransom may not be a crime, engaging in financial transactions with any individual or entity on the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) sanctions lists is.

And cybersecurity experts say that paying ransom doesn’t guarantee protection from future attacks. One study found that 80% of organizations paying ransom were victims of subsequent attacks.

Insurance considerations

The increasing frequency of and growing costs associated with cyberattacks have made purchasing cyber insurance a requisite part of doing business. They have also made insurance companies more circumspect in drafting policy language and extending coverage.

Some of the world’s best-known insurance firms settled a multimillion-dollar dispute last week with biopharmaceutical giant Merck, a dispute that exemplifies the complications of cybercrimes.

In 2017, Merck was one of dozens of companies impacted by the NotPetya malware attack. Launched by the Russian Main Intelligence Directorate (GRU) in an effort to disrupt Ukraine’s financial system and cripple the country’s infrastructure, NotPetya incorporated leaked code from the U.S. National Security Administration.

Although NotPetya alerted victims that a decrypting key was available in exchange for a nominal bitcoin payment, the site associated with payment was easily taken down. In a world that depends upon misrepresentation, NotPetya was not even the ransomware it purported to be. It was pure malware. And it was alarmingly effective, eventually causing $10 billion in damage worldwide.

Merck saw at least 40,000 computers in its global network infected by NotPetya. An astonishing one-quarter of these were impacted within the first 90 seconds of exposure. The massive disruption to the company’s manufacturing, research and development, and sales operations ultimately resulted in an estimated $1.4 billion in damages.

When Merck filed insurance claims under several “all risk” property policies, its insurance companies denied payment citing “Hostile/Warlike Action” exclusions in their policies. Merck sued the insurers for payment. In December 2021, a court ruled in Merck’s favor. A New Jersey appellate court also ruled in Merck’s favor in May 2023, noting that “exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action.”

The case was slated for review by the New Jersey Supreme Court last week when the parties announced a confidential settlement on January 3.

For insurers, the Merck case has been a cautionary tale highlighting how extraordinarily expensive cyberattacks can be. Many, including Lloyd’s of London, have updated their policy language regarding cybercrime executed by state actors.

They have also increased their rates. Testifying before the Senate Homeland Security and Governmental Affairs Committee, Kate Pierce, the Senior Virtual Information Security Officer of Fortified Security, said that “skyrocketing premiums, lower limits, and increasing requirements” were putting cyber insurance coverage out of the reach of many organizations, especially rural hospitals.

HIPAA concerns

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) established standards for preventing and protocols for managing healthcare entities’ breaches of PHI. But some argue that HIPAA has a “dual focus on privacy and security, which can create a misalignment of incentives” in a changing digital landscape.

HHS specifies that ransomware and malware attacks qualify as security incidents under HIPAA’s Security Rule. If PHI is compromised as the result of a cyberattack, the incident may meet the threshold of a breach, and healthcare organizations must comply with HIPAA’s Breach Notification Rule. This would include notifying both HHS and impacted individuals, as well as the media in cases affecting over 500 people.

Under the HITECH Amendment, which was signed into law in 2021, HHS “may reduce fines and penalties for violations of certain federal privacy standards for health information if an entity subject to those standards has adopted particular cybersecurity practices.”

Section 405(d) of the Cybersecurity Information Sharing Act (CISA) of 2015 tasks HHS with enhancing cybersecurity in the healthcare industry. This includes leading a public-private partnership to develop and regularly update practical, consensus-based cybersecurity guidelines and best practices. HHS’s 405(d) Program seeks to align the healthcare sector’s security strategies with the federal government’s broader cybersecurity approach, with input from the Department of Homeland Security and threat hunting guidance from the National Security Administration. This collaboration has produced the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP) publication, which offers a comprehensive framework for healthcare organizations to mitigate cyber threats.

Going forward

To succeed, enhancing cybersecurity in healthcare must be a shared responsibility involving government agencies, industry organizations, and individual companies and providers. Every member of the sector can benefit from standardized cybersecurity measures, financial support, and collaborative efforts.

Stirling Martin, the Chief Security and Privacy Officer and Vice President of Epic, whose products include the patient portal My Chart, told the Senate Homeland Security and Governmental Affairs Committee that he believes that the federal government should establish a minimum threshold for security best practices in healthcare. He also called for establishing a legal safe harbor for organizations that meet a defined benchmark of security.

Meeting minimum standards could be costly and would present an additional burden, especially for critical access and rural hospitals. Achieving a consistent standard of security in U.S. healthcare may require federal subsidies and rethinking incentives — which could well be justified, given the stakes.

Ultimately, as HHS observes, “cyber safety is patient safety.”