Healthcare Ransomware Attacks Continue to Increase in Number and Severity
Posted By Steve Alder on Sep 30, 2024
Ransomware attacks continue to increase in healthcare despite a fall in attacks in many other sectors, according to the State of Ransomware in Healthcare 2024 report from Sophos. Across all industry sectors, the number of organizations that reported suffering a ransomware attack in the past 12 months fell from 66% in 2023 to 59% in 2024. Sophos surveyed 402 healthcare organizations, and 67% said they had experienced a ransomware attack in the past 12 months, up from 60% the previous year, and on a par with the 66% that experienced ransomware attacks in 2022. Globally, healthcare has the second-highest attack rate, behind central/federal government with a 68% attack rate.
Attacks on healthcare were among the most impactful, with an average of 58% of healthcare organizations’ devices affected by a ransomware attack. In 5% of attacks, 20% or fewer devices were impacted, while in 7% of attacks more than 91% of devices were affected. Sophos attributes the high proportion of affected devices in healthcare to the more widespread use of legacy technology and infrastructure controls than in other sectors, which makes it harder to secure devices, prevent lateral movement, and stop attacks from spreading.
The most common attack vectors in healthcare ransomware attacks were exploited vulnerabilities (34%) and compromised credentials (34%), up from 29% and 32% of attacks in 2023. Malicious emails (19%) and phishing (9%) were both down from 22% and 14% of attacks in 2023. Brute force attacks increased from 1% in 2023 to 4% in 2024.
Not only are ransomware attacks increasing in healthcare, recovery is also taking longer due to the increased complexity and severity of attacks. In 2023, 28% of surveyed healthcare organizations said it took more than a month to recover from a ransomware attack; in 2024, 37% said recovery took more than a month. Fast recoveries are becoming rarer. In 2022, 54% of attacked healthcare organizations said they were able to recover in less than a week; in 2023, 47% said they recovered in less than a week; and in 2024, only 22% said recovery took less than a week.

Ransomware groups often engage in double extortion tactics, where data is stolen before files are encrypted. A ransom is then demanded both to decrypt files and to prevent the release of the stolen data. This has proven to be effective, as companies that can recover their files from backups often pay a ransom anyway to prevent the release of their stolen data. Data theft has been so effective that there is a growing trend of extortion-only attacks, where data encryption is skipped altogether. In healthcare, however, only one surveyed organization said it had experienced an extortion-only attack, compared to 4% of respondents in 2023.
According to Sophos, 74% of healthcare ransomware attacks involved data encryption, and in 25% of attacks the attack was detected and blocked before data was encrypted. 22% of healthcare attacks involved both data theft and data encryption, down considerably from 37% last year. Ransomware groups usually target backup files to hamper recovery that does not involve paying the ransom, and in 95% of healthcare ransomware attacks in the past year, backups were targeted. In 66% of ransomware attacks on healthcare organizations, backups were compromised. When that occurred, victims were twice as likely to pay the ransom, and if backups are deleted or encrypted, the ransom demand is usually higher, as ransomware groups know that victims have little choice other than to pay.
98% of healthcare organizations that experienced data encryption were able to recover their data, with 73% restoring data from backups – the same percentage as in 2023. There was a significant increase in the percentage of healthcare organizations that paid to recover their data, from 42% in 2023 to 53% in 2024. Sophos said 155 healthcare organizations had their data encrypted and were able to share information on the initial ransom demand, which averaged $4 million in 2024. 65% of ransom demands were for $1 million or more and 35% were for $5 million or more. Out of the 99 healthcare organizations that admitted to paying the ransom and disclosed the amount paid, the median payment was $1.5 million and the average payment was $4.4 million. Only 15% of healthcare ransomware victims paid the initial ransom demand exactly, with 28% paying less and 57% paying more than the initial demand.
The ransom forms only part of the recovery cost. Excluding the ransom payment, healthcare organizations paid an average of $2.57 million in recovery costs in 2024, up from $1.82 million in 2023. The median ransomware recovery cost was $750,000. Virtually all attacked healthcare organizations reported the attacks to law enforcement and/or government agencies such as the Cybersecurity and Infrastructure Security Agency (CISA). 61% said they received assistance in dealing with the attack, 59% said they received help investigating the attack, and 41% said they received help recovering the encrypted data.
Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com.