The report, titled “The State of Ransomware in Healthcare 2022”, said that 66% of healthcare organizations were hit by ransomware in 2021, up from 34% the previous year.
The Sophos data, drawn from a survey of 5,600 IT professionals in mid-sized organizations across 31 countries, including India, and conducted during the first two months of 2022, included 381 healthcare respondents. It showed that healthcare organizations are the most likely to pay ransom demands, in comparison to other industries.
“Ransomware in the healthcare space is more nuanced than other industries in terms of both protection and recovery,” said John Shier, senior security expert at Sophos. “The data that healthcare organizations harness is extremely sensitive and valuable, which makes it very attractive to attackers,” he added.
The report comes on the heels of the annual Verizon Data Breach Investigations Report, which highlighted the increase in more impactful ransomware campaigns and run-of-the-mill hacking attacks against healthcare, alongside the rise in data leaks by threat groups.
The Sophos data further showed that the number of provider organizations that paid ransoms after falling victim to an attack doubled last year: 61% of healthcare respondents admitted to paying the ransom, which is 15% more than other sectors.
“The highest increase in the volume and complexity of attacks on healthcare as compared to all other sectors is a likely reason behind their high propensity to pay and overcome their limited preparedness in dealing with such attacks,” Shier said.
The high remediation costs in healthcare stem from its lack of cybersecurity expertise, the growth of medical internet of things (IoT) devices, shoddy legacy systems, and operational impacts, “which leads to an inability to quickly remediate vulnerable systems,” he added.
Notably, despite the high proportion of healthcare victims paying, the sector paid the least to hackers. The report confirms that threat groups might be targeting healthcare more frequently, but the demands are lower, with an average of $197,000 per ransom. In fact, more than half of the ransom amounts were less than $50,000.
The researcher also noted the low payments likely reflect “the constrained finances of many healthcare organizations.” In fact, just three healthcare respondents said their organization paid $1 million or more in ransom.
Nonetheless, the average ransom paid by healthcare entities still increased by 33% in 2021, alongside an almost threefold increase in the proportion of victims paying ransoms of $1 million or more.
The report also showed gaps in cyber insurance coverage: approximately 25% of healthcare providers don’t have cyber insurance, and of those that do, about half said that “there are exclusions or exceptions in their policies.”