Dive Brief:
- Ransomware targeted healthcare more than any other industry, accounting for 29% of total ransomware attacks in 2019, according to cyber insurer Beazley's 2020 Breach Briefing report. Professional services (14%) and financial institutions (11%) rounded out the top three targets.
- Ransomware increased 131% from 2018 to 2019. About six in 10 attacks were aimed at small- and medium-sized businesses as they are "easier to exploit," according to the report.
- Organizations that restore their systems after a cyber incident can unintentionally destroy the evidence an investigation depends on. Beazley described a small healthcare provider that restored its environment after a ransomware attack; in the course of that remediation, the forensic evidence needed to determine whether data had been stolen was wiped clean as well.
Dive Insight:
Beazley has historically seen ransomware limited to encrypting data. Now ransomware operators are also stealing data, so an attack can also be a data breach.
The healthcare industry is in a unique position when it comes to cyber incidents. Because of the sensitive nature of the patient data that healthcare providers collect, the Office for Civil Rights requires entities to treat a cyberattack as a breach until evidence says otherwise.
The Health Insurance Portability and Accountability Act (HIPAA) considers a ransomware attack a security incident with the potential to expose sensitive health information, which could violate privacy rules and constitute a breach, "depending on the facts and circumstances of the attack," according to the Department of Health and Human Services.
Last year, Beazley observed ransomware working in "tandem" with banking trojans, including Trickbot and Emotet. "The presence of these trojan artifacts often requires an additional assessment of whether data was also accessed or stolen," according to the report.
Last week, a medical company set to aid in vaccine development for the new coronavirus was the victim of a ransomware attack. The company mitigated the attack successfully, but the attackers published its data a week later.
The medical company did not pay the ransom, and the data was exposed. While paying a ransom may get data decrypted, it stops short of remediating the systems themselves. Shipping giant Maersk underwent a 10-day reinstallation of more than 4,000 servers, 45,000 PCs and 2,500 applications after NotPetya.
Cyber insurers understand the looming disaster recovery costs, while traditional insurance providers are still struggling to find their place in the market.
More than one-third of companies in North America and Europe have active cyber insurance policies, according to recent data from Spiceworks. Companies hesitant to adopt a policy say they don't yet see sufficient use cases for it or are unsure of the benefits.