There are many reasons the ransomware problem has been hard to stop. One reason is that ransomware is good business. A 2021 U.S. Treasury Department report identified more than $5 billion worth of outgoing bitcoin cryptocurrency payments it suspects may have been related to ransomware attacks.
Lee Kim, J.D., has been working in cybersecurity long enough to remember the “bad old days” when hackers committing ransomware attacks would have to resort to creative ways to get their money.
“Oh gosh, in the 2000s, they would ask for payments by way of MoneyPak and prepaid cards and things like that,” says Kim, the senior principal for cybersecurity and privacy at the Healthcare Information and Management Systems Society.
Nowadays, the method of payment has changed. Most hackers want to be paid in cryptocurrency. But the underlying premise of ransomware transactions has not: Hackers sneak into their victims’ networks, hold their data hostage — usually by encrypting it — and demand a payment in order to restore access to the data.
There are many reasons the ransomware problem has been hard to stop. Computer networks have inherent vulnerabilities. The global nature of the crime makes it hard for law enforcement to track down perpetrators. The hackers are smart and sophisticated.
But there’s another reason: Ransomware is good business. A 2021 U.S. Treasury Department report identified more than $5 billion worth of outgoing bitcoin cryptocurrency payments it suspects may have been related to ransomware attacks.
Many of those payments may have come from healthcare entities, a prime target for hackers because of the sensitive nature of their data. That sensitivity, in turn, creates a major incentive for healthcare organizations to quietly pay up.
Despite government warnings and pressure, the evidence suggests ransomware attacks remain plenty profitable for hackers. It may not be the bad old days anymore, but in some ways, it’s worse. Ransomware is becoming just another cost of doing business.
It’s hard to know for sure how many ransomware attacks are carried out on healthcare entities, but the available data paint a bleak picture.
A study published in December 2022 in JAMA Health Forum showed the annual number of ransomware attacks on healthcare delivery organizations more than doubled between 2016 and 2021, from 43 per year to 91. Nearly 42 million patients had their personal health information exposed as a result of the attacks, and 44% of the reported ransomware attacks disrupted the victims’ ability to provide healthcare.
Those numbers show a clear trend, but they may represent only a fraction of the problem. A report published in June 2022 by the cybersecurity firm Sophos indicated that, of 381 healthcare information technology (IT) professionals it surveyed, 66% reported being hit by ransomware in 2021, nearly double the rate in 2020. Virtually all of those organizations — 99% — ended up recovering at least some of their encrypted data, but many got it back only because they forked over the ransom.
Keeping it quiet
One reason for the difference between the two reports is the methodology. While Sophos relied on a survey of IT professionals, the JAMA Health Forum study was based on reports to a database that includes information from a private cybersecurity company and the federal government’s Department of Health and Human Services.
Karan Sondhi, the chief technology officer for public sector at the cybersecurity consultancy Trellix, says entities victimized by ransomware often do not publicize or report the attacks.
“As long as there’s not an immediate correlation to patient care, the event is isolated to security teams and addressed internally,” he says.
Sondhi says the evidence he has seen suggests a continued upward trend in ransomware attacks. Kim, on the other hand, says the data she has seen suggest the opposite: that the trend has reversed in recent months.
She points to a number of recent developments that could disincentivize hackers or payments to hackers. The turbulence in cryptocurrency markets has disrupted the ransomware industry, which generally relies on cryptocurrency payments, says Kim.
In addition, the Treasury Department has cracked down on people and organizations who pay ransoms to hackers based in countries that are the subject of U.S. embargoes, such as Cuba, North Korea, Iran and Syria. In a September 2021 advisory, the Treasury Department’s Office of Foreign Assets Control said the payment of such ransoms may violate federal law.
The involvement of countries such as Syria and Cuba may suggest geopolitical motivations for the ransom attacks, and such motivations may not be entirely absent. But the more central motive is the reason Willie Sutton supposedly gave for robbing banks: It’s where the money is. In February 2023, U.S. and South Korean intelligence agencies issued an advisory warning that the North Korean government was sponsoring ransomware attacks as a means to generate revenue to fund broader cyberattacks.
A business model
Despite the warnings and recommendations of government agencies, many healthcare organizations appear to be paying out ransoms. The Sophos report found that 61% of respondents indicated they had paid a ransom to restore their data, though that did not always mean they received all of the data back. On average, those who paid their ransoms saw only 65% of their data returned, according to the Sophos report, and only 2% of the ransom payers got all their data back.
One reason so many entities pay, Kim suggests, might be concerns about the costs of standing up to the hackers. “It could be that the perceived costs associated with recovering from the ransomware (attack) might be perceived as something that’s just too burdensome,” she says. “They’re saying, ‘Let’s get the data back.’”
Sondhi notes that many insurance packages offer coverage for cybersecurity breaches provided that the companies followed baseline security precautions. Such coverage might make it easier for healthcare entities to pay.
However, Sondhi says, many times healthcare companies pay because they feel the hackers have them “cornered.”
“For any CISO (chief information security officer), when a breach occurs and a ransom is demanded, they’re stuck having to either re-create the wheel and potentially alert an entire patient database of a breach or make the problem go away quickly by paying,” he says. He says it’s easy for healthcare executives to feel stuck.
Applying game theory
The conflicting mix of incentives at play in ransomware attacks has prompted a number of researchers to apply the principles of game theory to the decision trees of ransomware attacks. In a 2019 paper published in the Journal of Cybersecurity, Edward Cartwright, Ph.D., of De Montfort University in England, and his colleagues laid out some of the ways in which hackers — and their victims — have advantages and disadvantages.
For instance, criminals have an incentive to be as informed as possible about their victims’ finances, so they have a sense of the victim’s likelihood to pay. “Know thy mark” is one of the first rules of successful thieves.
Hackers also face a choice about how they want to come off. They can benefit if they can make their victims think they are likely to act irrationally if their demands are not met. But they may also want to be perceived as trustworthy bargainers when it comes to keeping their promises if a payment is made.
Cartwright tells Managed Healthcare Executive that it’s something of a balancing act, but he says it is nothing new. “It is a trade-off, but this is a trade-off used in organized crime for time immemorial,” he says. “It is a case of ‘Do what I want, and I will treat you well, but cross me and you pay.’”
He says this is the same type of behavior other criminal gangs exhibit because it can boost the likelihood of getting what they want. “They can definitely be nasty,” he says. “Alongside, though, they seem to often honor ransom payments. This then creates that incentive to pay the ransom.”
The main deterrent to an attack, Cartwright and his co-authors concluded, is a good defense. Yet only a “near-perfect” defense structure will work, and that is costly and hard to achieve.
The criminal’s word
Though healthcare executives might find the prospect of investing in ransomware defenses daunting, Kim says they should also realize that they can never be sure hackers will follow through on their promises. She says there’s a considerable risk ransomware hackers will not honor their word and healthcare firms could end up losing both their data and their ransom payment.
“You’re just simply relying on a criminal’s word,” she says, “and the saying of ‘There’s no honor among thieves’ comes to my mind.”
In some cases, Kim says, hackers haven’t even programmed a decryption module. Even if hackers do return the data, she says, it can be difficult to know whether the hackers actually returned all of the data.
In addition, paying ransoms can come with reputational costs. A 2022 law signed by President Joe Biden set up a new requirement for reporting ransomware attacks and payments, but the details of the new rules are still being drafted by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The agency held a series of 10 in-person forums, in addition to the usual written public comment period, in the fall of 2022. The agency is required to publish its proposed rules by March 2024.
Don’t Pay It
Cartwright says such reporting requirements could go a long way toward reorienting the incentive structure so that ransomware targets become less likely to pay up. “So yes, these measures should disincentivize ransom payment,” he says. “But (it is) also worth recognizing that they are not a panacea. There are incentives to pay the ransom, and these measures turn the dial down a little bit.”
Kim says she ultimately urges healthcare organizations not to pay ransoms. Instead, she says there are a number of steps they should take, including basic things, such as installing antivirus software. Healthcare entities should also segment their networks, a process that involves, for instance, putting medical devices on one subnetwork and noncritical systems on another.
Regular risk assessments are important so that organizations keep their cybersecurity defenses up to date. Intrusion-detection systems can also be used to help identify attacks as they are happening.
Some firms are even using so-called “honey pots” to lure in hackers and trick them into disclosing their methods. “It’s just simply a decoy where you could observe what they’re trying to poison your network with,” says Kim.
Sondhi says the healthcare industry as a whole has a long way to go to achieve a high level of readiness. It’s not that the industry has been negligent, he says, but rather that it suffers from a combination of lack of education, minimal investment, and low motivation for change. At the same time, the hackers are quick to innovate.
“In short, the road to readiness keeps getting longer and longer for the industry,” he says.
But Sondhi says healthcare executives do not need to feel overwhelmed because they can start with the small stuff first. He compares it to surgeons who go through a number of safety procedures — putting on clean scrubs, washing their hands, putting on gloves — before they even pick up a scalpel. “The same should be done as it relates to security measures,” he advises. “Take the lower-cost steps first, like patch and update systems, and use a good password manager.”
The People Part Of It
Kim says it is imperative to regularly train staff on best practices to avoid cyberattacks. If a security breach happens, she says, it’s important that healthcare entities have not only procedures in place for reporting them, but also a culture where employees feel safe disclosing such breaches, even if it means admitting they made a mistake.
“It’s the people aspect, I would argue, that is the biggest challenge,” she says.
In the big picture, Kim says the ransomware threat is like a game of tug of war. Some years cyberdefenses and law enforcement have more rope on their side; other years the malicious actors have the advantage. “We’ll see that tug of war,” she says, “but for now, I’d say it’s a little bit more in our favor nowadays.”
Jared Kaltwasser is a writer in Iowa and a regular contributor to Managed Healthcare Executive.