Status Report Concerning Ransomware Attacks on Healthcare Organizations

by | Oct 5, 2024

The State of Ransomware in Healthcare 2024 report by Sophos revealed that ransomware attacks on healthcare organizations continue to rise, even as incidents in other industries have declined. Across all sectors, the percentage of organizations reporting a ransomware attack in the past year dropped from 66% (2023) to 59% (2024). However, healthcare organizations have seen the opposite trend. In a survey of 402 healthcare institutions, 67% reported experiencing a ransomware attack in the last 12 months, it was 60% in 2023 and 66% in 2022. Healthcare now has the second-highest attack rate globally, following central and federal governments at 68%.

Ransomware attacks in healthcare were also more damaging than in other industries. On average, 58% of healthcare devices were affected during these attacks, with 7% of incidents impacting over 91% of devices. Sophos attributes the high number of compromised devices to outdated technologies and weaker infrastructure controls, making it harder to prevent attacks from spreading across systems.

Ransomware attacks in healthcare commonly exploit vulnerabilities and compromised credentials, both accounting for 34% of attacks. Malicious emails and phishing attempts have declined slightly, while brute force attacks increased from 1% to 4% between 2023 and 2024.

The time required to recover from these attacks is also on the rise. In 2024, 37% of the recovery of healthcare organizations from a ransomware attack took more than a month, compared to 28% in 2023. Only 22% of healthcare organizations were able to recover in under a week, whereas 47% managed to do so in 2023.

Ransomware groups commonly use double extortion tactics, where they steal data before encrypting files. Even if an organization can recover its data from backups, many still pay the ransom to prevent the leakage of sensitive information. Data theft has been so successful that extortion-only attacks (without encrypting files) are becoming more common, although only 1% of healthcare organizations reported experiencing such an attack in 2024.

Sophos found that 74% of ransomware attacks in the healthcare sector included data encryption, with 25% of attacks blocked before encryption occurred. Data theft and encryption occurred in 22% of cases, a drop from 37% the previous year. Attackers often target backups to hinder recovery efforts. In 95% of healthcare ransomware attacks, backups were attacked, and 66% of those attacks resulted in compromised backups, leading to a higher likelihood of ransom payment.

While 98% of healthcare organizations managed to recover encrypted data, 73% relied on backups to do so. Ransom payments for data recovery rose from 42% in 2023 to 53% this year. Sophos reported that the average ransom demand in 2024 was $4 million, with 65% of demands exceeding $1 million, and 35% exceeding $5 million. The median payment was $1.5 million, while the average ransom paid was $4.4 million. Only 15% of healthcare victims paid the full initial ransom demand, with 85% either negotiating a lower payment or ending up paying more.

In 2024, the average recovery cost for healthcare organizations, excluding ransom payments, was $2.57 million, higher than the $1.82 million in 2023. The median recovery cost was $750,000. HIPAA requires training healthcare organization employees to identify and report ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) or other law enforcement and government agencies. About 61% of healthcare organizations that reported received support in managing the attack, 59% got help with the investigation, and 41% got help in encrypted data recovery.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Please enable JavaScript in your browser to complete this form.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy