Early Analysis of Ransomware Attacks on the Healthcare Industry

Editor’s Note: This is the second blog in an ongoing series of ransomware analyses.

For more than six years, ransomware attacks have continued to grab headlines by targeting local governments and organizations. Another often targeted sector, which we’re beginning to take a closer look at, is healthcare.

In February 2016, Hollywood Presbyterian Medical Center paid a then unheard of $17,000 ransom to recover their encrypted files. The attack got so much coverage that Hollywood Presbyerian now has a section on their Wikipedia page discussing the attack. The following month, MedStar Health had to turn away patients because of a SamSam attack. Unfortunately, these were just the start of ransomware attacks against healthcare providers.

These attacks can disrupt patient services, create confusion, and in 2019, have forced at least two healthcare providers to shut down. Given that these attacks are such a persistent concern, I was surprised that no one had looked at the scope of ransomware attacks against healthcare providers. It turns out that collecting data on these attacks is more complex than it first appears.

Healthcare providers have unique challenges when it comes to security. Often, healthcare organizations are at the mercy of their vendors when it comes to patching and updating systems. Without other compensating controls, healthcare providers can be an easy target for ransomware actors. Similar to state and local governments, healthcare organizations have rushed to digitize their practices, this often leads to management and security gaps that remain unaddressed until a security event, such as a ransomware attack. Combine the fact that medical systems are often vulnerable to commonly deployed exploits with the mission critical nature of healthcare services, they are not just an easy target, but also a very attractive target for ransomware actors. When a business system breaks due to patching malfunctions, they lose money. When a healthcare system breaks, it can put lives at risk.

In 2016, the U.S. Department of Health and Human Services (HHS) released guidance around ransomware indicating that a ransomware attack was most likely a reportable event:

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a '… low probability that the PHI has been compromised,' based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.">

HHS even maintains a public database of breach notifications, making it easy (in theory) to locate ransomware or other attacks for tracking purposes. The HHS database classifies ransomware under the “Hacking/IT Incident” breach category, but they don’t break down the specific type of incident in the public database. Between January 1, 2016 and September 15, 2019, there were a total of 637 reported “Hacking/IT Incident” breach types — currently, that breaks down as 314 “Under Investigation” and 323 “Archived.”

Using that same time frame, we were able to document 117 ransomware incidents targeting healthcare providers in the United States. The breakdown of ransomware incidents per year is:

• 2016: 29 incidents
• 2017: 27 incidents
• 2018: 30 incidents
• 2019: 31 incidents (through September 30)

The tracked incidents and the associated data are provided in the downloadable appendix. The number of patient records impacted by these attacks is 4,474,000, though the real number is most likely higher, as not all incidents involved or included patient data information — only 64 out of 113 (57%) included patient notification data.

The conventional wisdom is that healthcare providers are more likely to pay ransoms than other industries. That may be the case, but the data isn’t really clear. In our research, we found that 69 of the incident reports (61%) confirmed the victim did not pay a ransom, 17 of the tracked incidents (15%) confirmed payment, and the rest were unknown.

The perception that healthcare providers are more likely than other industries to pay ransom has led some ransomware actors to actively target healthcare organizations. The team behind SamSam, for example, was known to seek out healthcare providers, especially through exploitable JBoss servers. Of the 88 incident reports we reviewed, most of them did not include the name of the ransomware family used in the attack. Of those that did, Locky was the most commonly used, with seven instances. SamSam was a close second, with six instances. But given that SamSam campaigns were smaller and more targeted in nature, the fact that so many of the reported attacks involved SamSam indicates a heavy focus on healthcare.

One challenge with collecting the data is that not all attacks are reported to HHS. When the Park DuValle health center was hit with a ransomware attack earlier this year, it made the news because they were not able to see patients. However, they did not view it as a reportable incident:

Elizabeth Ann Hagan-Grigsby, Park DuValle’s CEO] stressed, however, that the hackers did not obtain the patients’ information, even though they succeeded in walling off the records from Park DuValle’s own personnel. 'Nothing got exposed; nothing at all,' she said. 'However, we can't read what's in here. It's like having a piece of paper and it's in a foreign language that you don't understand.' She said Park DuValle, which is partially funded by the federal government, has told the U.S. Department of Health & Human Services there was no data 'breach,' and that the organization’s firewalls show there was no 'outgoing data.'">

Many providers also try to minimize the amount of press coverage they get from their ransomware attacks, making research difficult. For example, there was a mention of an attack against Benewah Community Hospital in a presentation from Rueben Koh at Symantec. The incident is also referenced on SecuLore, but there are no references to it in the HHS database, and the original PDF reporting the incident is no longer available. With no local news coverage, the incident has effectively disappeared.

There were a number of incidents like this that were not reported to HHS, and any news articles or public disclosures related to the incidents have disappeared from the internet. This makes it very hard to determine how exhaustive the catalog of ransomware attacks we collected actually is.

We will continue to analyze the data collected and refine the data set as we uncover additional incidents and flesh out information about existing incidents. In the meantime, ransomware attacks against healthcare providers continue to be a problem that is not going away.

To view all tracked ransomware incidents and associated data, download the appendix.