Ransomware on the Rise in Healthcare

Ransomware attacks directed at healthcare organizations are spiking, prompting industry warnings from U.S. government security agencies. Here are tips on taking a proactive stand to protect your organization's reputation and finances and, most importantly, your patients.

Healthcare has long been the target of threat actors seeking to steal sensitive data, namely patients’ Protected Health Information (PHI). Cybersecurity attacks via ransomware, a type of malware that threatens to publish victims’ personal data or block access to it until millions of dollars in ransom money are paid, are spiking in healthcare, according to recent warnings issued by HHS and by CISA and the FBI.

Tactics range from basic to advanced and include embedding malicious links in malvertising, phishing emails, fake forums, and blog comments to steal victims’ credentials and compromise the system. Threat actors have also gained access by compromising Remote Desktop Protocol (RDP) services and VPN servers and by exploiting other known vulnerabilities. What’s even more concerning is that your healthcare organization can have the best cybersecurity defenses in place and still be blindsided by a breach through a business associate.

A Deadly Serious Impact

At best, a ransomware attack on a healthcare business associate can cause major financial and reputational losses — at worst, lives are lost. A recent incident serves as a powerful example of why covered entities need to carefully consider their business associates’ security measures.

In August 2022, Advanced, a software supplier in the U.K., fell prey to a ransomware attack. Advanced provides the National Health System (NHS) with Adastra software, which is used for responding to 111 or urgent calls to dispatch an ambulance or to provide patients with care referrals. It is reportedly used by 85% of NHS 111 providers and several out-of-hours services.

With Adastra unavailable, responses to emergency or urgent calls to 111 were delayed, putting patients at risk. The outage was described by the Welsh Ambulance Service as “major”, “far reaching” and affecting all four nations of the UK. By mid-October, service was still not completely restored.

Unfortunately, Adastra software was not the only service disrupted by the attack. Advanced also provides Carenotes software for planning, managing, recording, and analyzing community and mental health services, as well as child and adolescent mental health services across a range of settings. With the Carenotes system unavailable, the Trusts and entities using it had no patient information other than what they might have available on any recent local backups. And even if a local backup was available, new information could not be entered into the records management system and clinicians could not access anything in a patient’s records after the date of the most recent backup.

The situation rapidly became dire when patients needed prescriptions and staff could not access their records to determine what medication and what dose should be prescribed. Other clinicians were unable to submit dangerousness reports on patients to courts who needed their assessment. And providers were unable to check to see if they might personally be at any risk of assault from a patient who might be dangerous.

By November, three months after the attack, Carenotes systems were still not fully restored or updated. Twelve NHS mental health trusts were impacted by the cyberattack, potentially affecting tens of thousands of patients as well as social care providers. Dr. Andrew Molodynski, mental health lead at the British Medical Association, said the attack had led to the “likelihood of preventable deaths” due to the chaos over patients’ records.

Cause for Concern

According to a statement made by Advanced in October, “The threat actor initially accessed the Advanced network using legitimate third-party credentials to establish a remote desktop (RDP) session to the Staffplan Citrix server.” The legitimate credentials can be acquired by various means including phishing, social engineering, password reuse, or infostealers, to name just some methods. What makes the Advanced incident so important to learn from is that there was nothing particularly sophisticated about this attack. It could happen to any firm, even those who, like Advanced, have invested in cybersecurity.

Proactively Protect Your Organization and Your Patients

Cybersecurity attacks on healthcare entities historically have been a problem and that’s not changing. It’s impossible for healthcare organizations’ compliance teams to monitor 100% of the millions of system accesses each day with human resources alone. Human intelligence plus automation technology is the only way to create the strongest privacy protection.

Protenus can help hospitals and healthcare organizations transition to a proactive stance in protecting patient privacy. By harnessing the power of artificial intelligence (AI) to audit up to 100% of system accesses, healthcare organizations can detect inappropriate or suspicious user behavior earlier, mitigating or eliminating risk and keeping their patients and organization safer. With an AI-powered solution, healthcare organizations can catch and contain breaches 27% faster and their cost of a data breach is $3.81 million lower on average than organizations without such technology, according to IBM's 2021 Cost of a Data Breach Report.

Contact us today so we can discover your organization’s compliance goals and how we can help.

Research provided in part by 
