Ransomware became one of the most significant cyber threats organisations faced in 2020, and the healthcare industry was no exception. PwC analysis found that in the first three months of 2021 there were 25 ransomware attacks against the sector globally. In part, its attractiveness to criminals rests on the necessity of critical healthcare services — cyber actors believe executives will do anything to bring operations back online, including paying ransoms.*
The average cost to an organisation of rectifying the impacts of recent ransomware attacks (counting downtime, people time, device cost, network cost, lost opportunity, ransom paid and so on) is over AU$900,000.[1] But the severity of these attacks cannot be measured in dollars alone: in healthcare, hospitals have had to turn away those requiring care[2] and patients have tragically died.[3]
Cybercriminal groups are evolving their tools, techniques, and procedures (TTPs), and the number operating in the space is increasing. In a trend that has become the norm across multiple cybercriminal threat actors, tactics have changed too: ransomware operators no longer merely encrypt their victims’ systems and demand a ransom, but also steal sensitive information to further coerce victims into paying.
The health sector is a prime target[4] for cyber criminals because its services are critical and their disruption poses a potential threat to human life. There is, understandably, increased pressure on organisations to maintain business continuity and, if disrupted, to rapidly restore it, not to mention the need to uphold public trust. Not only are health executives more likely to pay for these reasons, the value of the accessed information is also incredibly high — from intellectual property on technology and research, particularly that relating to COVID-19 vaccine research and development, to personal or sensitive data that can be on-sold to other parties for blackmail purposes.
The IT landscape of health organisations doesn’t help. Both Information Technology (IT) and Operational Technology (OT) are prevalent, and both often rely on legacy technology. Over 22 percent of healthcare organisations continue to use legacy and end-of-life systems without vendor support, and a further 26 percent are unaware whether any support exists.[5] Cyber controls and capability maturity are often low because investment in cybersecurity uplift at an enterprise level is low — cyber literacy in healthcare is lower, and digital adoption rates in healthcare trail many other industries.
The nature of the healthcare industry means that it relies on an extensive network of suppliers, vendors and partners for day-to-day operations. Threat actors often use organisations with weaker cybersecurity controls as a back door to their ultimate targets. This is especially pertinent given the significant coordination between organisations across supply chains as vaccine campaigns roll out. The rapid and unplanned increase in the use of virtual care technologies due to COVID-19 further expands the available attack surface.
Cybersecurity responsibility doesn’t sit with just the executives and the board — it is every employee’s responsibility and, as such, everyone in the ecosystem has a role to play in addressing these challenges. The following range of activities will help organisations to prepare:
Looking beyond the COVID-19 pandemic and eventual recovery, it is unlikely that the rise in ransomware attacks will slow down. The increasing trend of digital transformation in the sector will introduce a new host of integrations with other vendors, suppliers and service providers, and in doing so will increase the attack surface for supply chain ransomware attacks. More than ever, it will be important for healthcare innovation to consider security as a priority, as any vulnerabilities can and will be exploited by cyber criminals.
* The Australian Cyber Security Centre (ACSC) and PwC recommend never paying a ransom demand.[7]
This is an edited version of an article originally appearing in PwC’s Health Matters publication.
© 2017 - 2022 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Liability limited by a scheme approved under Professional Standards Legislation.