The latest edition of the annual BakerHostetler Data Security Incident Response Report found that ransomware in 2020 continued to be a threat – and that many cases resulted in lawsuits.
Healthcare was one of the industries most affected by tracked ransomware incidents, second only to education. And for organizations covered by the report, the average initial ransomware demand was a whopping $4,583,090.
“Ransomware matters surged in 2019, with the primary tactic being to encrypt as many devices in the network as possible simultaneously. Then the Maze group changed tactics in late 2019 – it began stealing data before encrypting data,” read the report.
The report continued: “This gave the group two pressure points and caused companies to pay ransoms, even when they restored using backups, in order to prevent disclosure of stolen data. It did not take long for dozens of other threat actors to adopt this tactic.
“And like a gambler using a large stack of chips to buy the pot, these groups were emboldened by their wins to increase their initial demands, sometimes by tens of millions of dollars.”
WHY IT MATTERS
At a time when healthcare system resources already are strained from the effects of COVID-19, ransomware can be particularly devastating.
And although the U.S. Department of Health and Human Services, the Federal Bureau of Investigation and other security leaders advise not to pay out ransoms, some systems do so anyway out of perceived necessity.
In the healthcare industry, the average ransom payout was $910,335 – not quite the $4.6 million ask, but still a hefty sum.
The ransom itself wasn’t the only price systems faced. According to the report, the average forensic investigation cost was $58,963.
The report also notes a growing trend in smaller data-breach class action lawsuits. Of the 20 such lawsuits related to incidents disclosed in 2020, nine involved medical or health information.
The Office for Civil Rights also entered into several settlements involving HIPAA breaches, ranging from $100,000 to $6.85 million.
“While a few enforcement actions were based on the failure to perform a risk analysis or to maintain appropriate HIPAA policies and procedures, others involved lack of encryption or lack of access controls,” read the report.
“The OCR may be looking for low-hanging fruit at this point rather than focusing on a specific aspect of HIPAA,” it continued.
THE LARGER TREND
This year has already seen a handful of high-profile ransomware incidents, with Scripps Health facing a significantly disruptive attack over the past weekend.
The provider was forced to postpone appointments and halt patient access to its online portal, according to local reports.
In April, the radiation treatment software company Elekta announced a breach, believed to be ransomware, which impacted at least 170 health systems and hospitals across the country.
And before that, in February, the French health insurance company MNH was hit with an attack of its own.
ON THE RECORD
The BakerHostetler report offered a range of strategies for health systems facing ransomware threats, including focusing on the basics.
“One or more of these three circumstances was present in every ransomware event of impact: no [endpoint detection and response], ineffective backup solution/implementation, open remote desktop protocol,” it read.
“Know where [your backup plans] are stored, what they back up, and what it takes to use them to restore,” it advised.