Healthcare Ransomware in 2023: In Like a Lion…

It’s hard to believe, but the first quarter of 2023 is behind us and Spring is well sprung. There is an old saying when describing springtime: In like a lion, out like a lamb. I wonder if the same can be said for the state of ransomware in healthcare for 2023. At this year’s American Hospital Association (AHA) Rural Leadership meeting in San Antonio, I continually heard that a top concern from attendees is ransomware. How are hospitals being targeted? Who is targeting them? How should they plan and prepare for a breach and how do they ensure resiliency during the downtime?

2023 has been busy in the healthcare sector with regards to ransomware.

January saw the first ever reported apology of a ransomware gang (LockBit) after an affiliate encrypted the systems of Hospital for Sick Children (SickKids), a teaching and research hospital in Toronto on December 18th, 2022. As part of the apology, LockBit offered to provide to the facility a free decryptor. Ransomware is a business, and locking up the systems of people trying to help sick kids is bad publicity. The take-away here is, do not rely on ransomware gangs to grow a conscience.

In February 2023, HC3 issued a warning surrounding the ransomware gang, Clop (sometimes stylized as Cl0p). This Russian-linked ransomware as a service (RaaS) group claimed responsibility for a mass attack on more than 130 facilities using a zero-day vulnerability found in a secure file transfer protocol. Clop disguised infected files to look like medical records to be reviewed. By requesting a medical appointment from a facility and a subsequent request to review these malicious files, they are counting on medical providers and nurses to follow a standard chart review process.

According to Lehigh Valley Health Network, another Russian-backed group, BlackCat, has posted sensitive information—in the form of images of patients receiving cancer treatment, along with personal health information (PHI) — on the dark web. BlackCat is known for employing a triple extortion method; to date, 47% of their victims are in the United States.

BianLian is a relatively new ransomware gang that became active in 2022. They have demonstrated that they are highly capable at network penetration, moving laterally within a network with stealth and patience, exfiltrating valuable data to use to amplify their data extortion threats, and causing massive network disruptions when they desire. However, since January 2023, the group has not even seen the need to encrypt networks of their targets. Instead, they have focused on customizing threats of data leaks, regulatory ramifications, and legal liability for their victims to successfully convince them to pay the ransoms. The healthcare sector was the number 1 industry that BianLian has victimized since they emerged.

The year has come in like a lion and, unfortunately, I do not see it slowing down anytime soon.

In a recent publication, the Journal of the American Medical Association (JAMA) wrote that, from January 2016 to December 2021, the US healthcare system self-reported 374 unique ransomware attacks – affecting the PHI of nearly 42 million patients. During that time, the number of annual ransomware attacks doubled from 43 to 91 with 44.4% of these attacks disrupting patient care. Only 1:5 victims were able to successfully restore from backups.

In 2022, 24 hospitals and multihospital systems were attacked and over 289 facilities were potentially impacted. Healthcare has the highest payment rate of any other industry, has valuable data in the form of PHI, and a historically inadequate security posture.

The takeaway from this is clear: Healthcare systems need to prepare their facilities and infrastructure for a ransomware attack (under the assumption that they are already an identified target) and assign an appropriate sense of urgency to this effort.

Cybersecurity vendors have historically overpromised and underdelivered on solutions across the board, and this is widely evident in healthcare. Solutions created for the Federal and financial sectors are shoehorned into the industry, much like a square peg in a round hole. Promises of dashboards for easy viewing, without consolidation, have created a world where healthcare IT (Information Technology) administrators spend a sizable portion of their time on SecOps (Security Operations) and not the “regular” work they are expected to accomplish daily. When a breach happens, the expertise required to reduce the blast radius of the attack is not available and, in many cases, those with that expertise do not engage until the cybersecurity insurance forms have been filled out and a vendor selected. All the while, the situation gets worse, critical minutes tick by, and patient care is adversely affected.

We can and need to do better.

Ok, great… thanks for pointing out what we already know, do you happen to have something useful for us to use?

As it turns out, yes.

In a previous publication, Healthcare Cybersecurity Grand Rounds: Six Steps to Delivery a Proactive Security Plan, we detail actions that you can take to protect your environment and reduce your organizational risk.

In the upcoming weeks, [redacted] will participate in a podcast with the AHA addressing the state of ransomware in the healthcare sector and identifying specific actions that you can take now to significantly reduce your attack surface. Additionally, we will host a virtual event in which our experts across healthcare, advisory, and incident response will help define areas to focus on policy, operational changes, and technical requirements to properly position yourself and your facility.

[redacted], a preferred cybersecurity partner for Healthcare Security Services (HSS) and Incident Response (IR) with the AHA, partners with providers and entities within the healthcare sector. We leverage our renowned expertise within the intelligence community and unmatched Professional Services teams to deliver solutions built to meet industry specific needs to meet regulatory requirements, focusing on preventing the preventable, speedy detection of the unpreventable, and responding/recovering quickly and effectively.


[r Authors

Portrait of Paige Peterson Sconzo

Paige Peterson Sconzo

  • Director of Healthcare Services

As a medical provider, Paige brings over 15 years of direct patient care to her cybersecurity expertise. She is a pioneer in the now ubiquitous synchronous telehealth delivery practice. Early in her career, Dr. Peterson Sconzo recognized the importance of rigorous cybersecurity practices and became passionate about addressing that need in the healthcare field. She left private practice in 2019 to focus on bridging the gap and ensuring the cybersecurity industry addressed the unique needs of healthcare professionals and facilities.

Portrait of Adam Flatley

Adam Flatley

  • Vice President of Intelligence

Adam Flatley has over 20 years of cybersecurity and intelligence operations experience. He is the Vice President of Intelligence for [redacted], where he’s worked since mid-2020. In this role he drives the collection, analysis, and production of actionable intelligence for clients, partners, and the general public. Before joining [redacted], he served for two years as the Manager of Global Intelligence Operations for Cisco Talos’ Threat Intelligence & Interdiction team.

Prior to his time at Cisco, he served for fourteen years at the National Security Agency (NSA) in various operational capacities, most recently serving as the Director of Operations of a cybersecurity operations organization which was responsible for incident response, red teaming, vulnerability assessments, and threat hunting on critical networks. Earlier in his career at NSA, he distinguished himself by founding several new organizations within the Agency in order to meet cutting edge challenges posed by emerging threats or changes in technology to support counterterrorism, counterproliferation, and cybersecurity missions.

Speak with our technical team.