Nearly two-thirds (66%) of healthcare organizations experienced a ransomware attack in 2021, a new survey shows – almost double the number who said the same thing (34%) in 2020.

WHY IT MATTERS
That's a 94% increase in just a year, and the new report, sponsored by Sophos, shows that the bad guys have become more capable and creative in their attacks, in addition to amping up the volume.

For its survey, The State of Ransomware in Healthcare 2022, more than 5,000 IT professionals were polled earlier this year. Their answers show them grappling with a cybersecurity threat that is fast-evolving in scope and intensity – but also show a growing level of resilience in the face of what's become a ubiquitous threat.

Cyberattacks are getting more innovative in their approaches. The report points, for example, to "the growing success of the ransomware-as-a-service model, which significantly extends the reach of ransomware by reducing the skill level required to create and deploy an attack."

There are signs of hope, however, such as the fact that healthcare, "with a 61% encryption rate, performed better than the global average of 65%." Also, more healthcare organizations are buying cyber insurance policies, which require them to invest in more robust cybersecurity defenses.

But the big picture is one of continued challenges for the healthcare industry.

"The increase in successful ransomware attacks is part of an increasingly challenging broader threat environment which has affected healthcare more than any other sector," said Sophos researchers.

"Healthcare saw the highest increase in volume of cyber attacks (69%) as well as the complexity of cyber attacks (67%) compared to the cross-sector average of 57% and 59% respectively. In terms of the impact of these cyber attacks, healthcare was the second most affected sector (59%) compared to the global average of 53%"

THE LARGER TREND
Ransomware groups are becoming "exceptionally aggressive" – as agencies such as HHS' Health Sector Cybersecurity Coordination Center warned this past month.

That, at least, has finally woken many hospital and health system boards from inaction, and many are now pouring more money into their cybersecurity preparedness and ransomware response capabilities. (For an in-depth look at where IT leaders are spending, click here.)

But the risks to hospital data, finances and, especially, patient safety, are still on the rise. Questions around the size and shape of cyber insurance policies and, crucially, whether or not to pay ransoms, are still salient.

ON THE RECORD
"In the face of this near-normalization, healthcare organizations have gotten better at dealing with the aftermath of an attack: virtually everyone now gets some encrypted data back and nearly three quarters are able to use backups to restore data," said Sophos researchers in the new report.

"Most healthcare organizations are choosing to reduce the financial risk associated with such attacks by taking cyber insurance," they added. "For them, it is reassuring to know that insurers pay some costs in almost all claims. However, it’s getting harder for organizations to secure coverage. This has driven almost all healthcare organizations to make changes to their cyber defenses to improve their cyber insurance position."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.