Most healthcare providers are still very vulnerable to ransomware attacks

According to a study released this week by cybersecurity company Claroty, about 90% of healthcare facilities with the Internet and operating systems are vulnerable to exploitation by ransomware gangs.
The report examined data from more than 350 healthcare facilities and found that 78% of these tax payments were $500,000 or more.
Ty Greenhalgh, head of industry health care industry at Claroty, noted that healthcare cybersecurity incidents are often very expensive because they create a wide range of costs – mainly the inability to provide patient care.
“When the system is locked by ransomware or damaged by a cyber attack, the hospital may be forced to transfer patients, cancel the procedures or resume manual operations, all of which can affect income and patient safety,” he explained.
Greenhalgh added that in addition to service disruptions, the costs could increase due to things like ransomware payments, regulatory fines, class action litigation and the provision of identity protection services for affected patients.
He noted that even simple fees, such as notification letters, can add up quickly when thousands of people are affected. Depending on the healthcare organization and its footprint, millions of people may be affected by a cyberattack. For example, the Change Healthcare cyberattack exposed data from 190 million people last year, while the Ascension cyberattack that began last year affected more than 5 million people.
“For example, at a price of $0.15 per letter, the violations that affect 2 million patients are only used for mailing notifications. Combine this with forensic investigations, system recovery, loss of revenue and reputational losses as well as total financial impacts and millions (or even billions of dollars),” Greenhalgh explained.
In his opinion, the most dangerous exposure facing healthcare organizations at present is internet-facing devices with known exploited vulnerabilities (KEVs) linked to in-the-wild ransomware attacks.
KEVs are security flaws actively exploited by cybercriminals, posing direct risks to the system and requiring urgent remediation.
“These devices are actively communicating outside the health system, being compromised in attacks against other organizations, and remain the primary target of cybercriminals,” Greenhalgh said.
He added that the traditional cybersecurity tools and processes that healthcare providers use to manage their IT devices are not adequately addressing these vulnerabilities.
Greenhalgh said healthcare organizations often struggle to maintain best practices for cybersecurity because of the speed at which the threat landscape develops and the complexity of their operating environment.
“Historically, humans are the weakest link, and phishing and social engineering are the main entry points for attackers. However, since 2024, the exploitation of hands-on keyboard systems has surged, making direct hacking of direct systems as common,” he said.
Greenhalgh noted that cybercriminals will not stop targeting healthcare providers, so providers cannot completely prevent aggressive hackers from accessing their networks. Instead, he said their focus should be on improving barriers to lateral movement and privilege escalation, key steps in ransomware attacks. These steps enable attackers to propagate through the network, gaining higher levels of access and maximizing damage by encrypting the organization's critical systems and data.
But healthcare providers face a very difficult task in raising those barriers, Greenhalgh said.
“This requires strong cybersecurity basics, including device identification, communication mapping, network segmentation and vulnerability management – all of which are difficult to achieve,” he said.
Photo: Whatawin, Getty Images