
Ransomware attack recovery costs top $1.85M in healthcare

Sophos data shows ransomware attacks against healthcare have remained steady in the last year, with a rise in the number of entities paying the ransom demand. (Photo credit: “Nurse station” by Dave Q is licensed under CC BY 2.0.)

It costs about $1.85 million to recover systems after a ransomware attack in healthcare, the second highest across all sectors. The hefty price tag, as well as the serious impact to critical operations and patient care, could be driving the spike in providers paying the ransom demand, according to a new Sophos report.

In fact, Sophos data shows healthcare organizations are the most likely to pay ransom demands, in comparison to other industries. 

Sophos compiled the report from a vendor-agnostic survey of 5,600 IT professionals, including 381 healthcare respondents, in mid-sized organizations across 31 countries during the first two months of 2022, based on their experiences in 2021.

Although the data is clearly from a small set of overall healthcare entities, the data is useful in determining how the sector compares with other industries when it comes to responding to and preventing ransomware attacks.

The report comes on the heels of the annual Verizon Data Breach Investigation Report, which highlighted the increase of more impactful ransomware campaigns and run-of-the-mill hacking attacks against the sector, and with it, the rise in data leaks by threat groups.

The Sophos insights show the staggering differences between healthcare and other sectors: the number of provider organizations that paid ransoms after falling victim to an attack doubled last year. Some 61% of healthcare respondents admitted to paying the ransom, 15% more than in other sectors.

“The highest increase in the volume and complexity of attacks on healthcare as compared to all other sectors is a likely reason behind their high propensity to pay and overcome their limited preparedness in dealing with such attacks,” the researchers wrote.

The high remediation costs in healthcare stem from its lack of cybersecurity expertise, proliferation of medical IoT devices, vulnerable legacy systems, and operation impacts, “which leads to an inability to quickly remediate vulnerable systems,” they explained.

Notably, despite the volume of ransom payments in healthcare, the sector paid the least to hackers. The report confirms threat groups might be more frequently targeting healthcare, but the demands are lower, with an average of $197,000 per ransom. In fact, more than half of the ransom amounts were less than $50,000.

The researchers noted the low payments likely reflect “the constrained finances of many healthcare organizations.” In fact, just three healthcare respondents said their organization paid $1 million or more in ransom.

However, the average ransom paid by healthcare entities still increased by 33% in 2021. The data point shines a light on the vast disparities between healthcare and other sectors, where there was “an almost threefold increase in the proportion of victims paying ransoms of $1 million or more.”

Of the healthcare ransomware victims, 44% took more than a week to recover and 25% of providers took up to a month. The data is consistent with the public incident reports from last year, including the Scripps Health ransomware attack that left its systems offline for a month and cost $112 million to recover from.

The report also showed gaps in cyber insurance coverage: Approximately 25% of healthcare providers don’t have cyber insurance, and for those that do, about half “say there are exclusions or exceptions in their policies.”

What’s more, nearly all of the healthcare entities with cyber insurance coverage said the process to secure the policies changed within the last year, which has made it harder to obtain coverage. The impacts include the need for stronger cybersecurity measures to obtain a policy, more complex policies, and fewer companies offering the insurance.

In the last year, healthcare stakeholders have stressed that the spate of ransomware attacks in the sector could lead to this exact result. Indeed, Sophos researchers confirmed the changes are closely linked to ransomware, the single largest driver of cyber insurance claims.

Considering the volume in attacks and rate of ransom payments, the researchers noted the coverage gaps could be exposing entities to the full cost of an attack. 

“With fewer organizations providing cyber cover, it’s a sellers’ market,” the researchers wrote. “They call the shots, and they can be selective about which clients they cover. Having strong cyber defenses will significantly improve an organization’s ability to secure the cover they need.”

On a positive note, these higher cybersecurity expectations are leading to improvements in cybersecurity. However, they could widen the gap for under-resourced providers that may not have the resources to either purchase policies at a higher rate or implement the needed measures.

As the researchers put it, “while cyber insurance can help an organization get to its previous state, it doesn’t cover ‘betterment’, i.e., investing in better technologies and services to address weaknesses that led to the attack.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
