Summary: Amid a rising wave of ransomware attacks targeting healthcare systems, hospitals are grappling with sophisticated threats that compromise critical operations and patient safety. These cyber-attacks, often powered by AI and personalized phishing tactics, are forcing healthcare providers to fortify defenses through employee training and stringent data privacy measures to prevent potentially catastrophic breaches.

Key Takeaways:

  • Evolving Cyber Threats: Ransomware attackers are increasingly targeting individual employees using personalized phishing emails made convincing with AI and extensive personal data.
  • High Stakes for Healthcare: Healthcare organizations face particularly severe consequences from ransomware attacks due to the critical nature of their services and the sensitivity of patient data.
  • Strategies for Mitigation: Proactive measures including educating employees on cybersecurity, minimizing data exposure, and implementing strategic defenses are essential to protect against ransomware threats.
By Ron Zayas, CEO, 360Civic

Healthcare organizations are a boon for ransomware attacks from malicious entities since they are mission critical to our nation’s infrastructure. An attack on a retailer may stop customers from buying items online, but when a hospital’s systems are compromised, lives are put at risk. Without essential IT systems keeping processes running smoothly, hospitals may be forced to redirect their emergency departments, sending ambulances to nearby healthcare facilities even if that may not be the best option for the patient. Patient records are blocked. Prescriptions are delayed getting to pharmacies. When every second counts, the consequences of a comprehensive data or administrative failure can be fatal.

Critical Vulnerability: Healthcare and Ransomware Threats

Horror stories about ransomware targeting healthcare providers have been impossible to avoid, mainly because they just keep coming. And because of the dollars and risks involved with service interruptions, hackers know these targets are more likely to pay a ransom to restore access, especially if doing otherwise means exposing millions of sensitive patient records and costly fines for lack of data privacy compliance.

Servers have been hardened to resist ransomware, prompting hackers to change strategies and increasingly target individuals. Employees at every level are susceptible, from the CEO to the receptionist. These well-meaning, hard-working individuals all represent infiltration opportunities and, ultimately, thousands of options for accessing private data, usually without being detected.

Why Do These Attacks Succeed?

An email arrives from your friend, Maria. The email address isn’t her usual one but the greeting is familiar; she references your recent Yosemite trip and other moments you’ve shared and even calls you by your nickname. There’s a link to download some pictures, which you click. And when you do, the damage is done. Hackers have compromised your computer, phone, or tablet with that malicious link. Soon, and with a little patience, they will have access to your network credentials, email passwords, and more. By deceiving recipients with an email that looks authentic, they can target an individual’s professional network, or gain access to people higher up in the organization’s leadership and deliver a ransomware payload.

Sound outlandish? It’s not. In fact, this scenario has become disturbingly familiar. In 2023, 46 healthcare entities suffered ransomware attacks, causing more than 140 hospitals to experience disruption due to the lack of access to IT systems and patient data. According to the Verizon Cost of a Data Breach Report, the average cost of a healthcare data breach reached an astonishing $11 million in 2023, an increase of more than 50% in just three years. In 2022, the average ransom payment was $5,000; just one year later, it was approximately $1.5 million.

The Role of AI in Cyber Attacks

How exactly did phishing emails evolve so quickly from the clumsy “Nigerian prince” cons? Why are these phishing emails now so convincing that users routinely ignore warning signs like suspicious email addresses or, worse, fail to check at all? Two separate trends have combined to create this lucrative vector of attack: the growth of artificial intelligence (AI) and the widespread availability of personal information.

Phishing email without AI

All forms of AI feed on information. As AI has evolved and become more accessible and cost-effective, it was only a matter of time before it was used for malicious intent. When AI is coupled with the explosion of personal information available on the internet from data brokers, social media, search engines, and other sources, automated systems can quickly piece together phishing emails that sound so personal, they entice us to drop our defenses.

Phishing email optimized with AI

There isn’t much any organization can do to stop the tide of AI. But proactive enterprises can cut off its access to data, specifically data related to their potentially vast team of employees. When AI has less information to work with, it is less likely to be empowered to convincingly target an organization’s employees. Some AI systems are already trained to avoid targets with incomplete data sets in favor of those with a more comprehensive profile.

Empowering Employees: The First Line of Defense

Start with these three basic steps: 1. Educate employees. Most healthcare organizations offer at least some training in place to help employees identify the common signatures of phishing emails, texts, and calls in the workplace. However, sophisticated, AI-generated emails and texts are becoming harder to detect. Ongoing, consistent education can help employees stay vigilant, so they don’t click on the kind of email that will infect a work computer.

A Call to Action Against Cyber Threats

Healthcare providers must acknowledge that ransomware hackers will continue their relentless assault, refining their infiltration attempts with the customization now made possible by AI. To address the danger these attacks represent to personnel, patient safety, and professional reputation, as well as the cost of legal and financial liabilities, forward-thinking providers should be exploring preventative and reactive measures as a new standard in strategic, data-compliant business operations.

Considering the increasing volume and cost of ransomware attacks, a more pronounced focus and a small investment today can greatly lower an organization’s likelihood of becoming the next victim.

Ron Zayas is an online privacy expert, speaker, author, and CEO of 360Civic, an Incogni company. 360Civic is a provider of online protection to law enforcement, judicial officers, and social workers. For more insight into online privacy laws, proactive strategies, and best online data practices, download a free how-to guide on protecting yourself at 360civic.com/privacy-resources. Connect with Ron at [email protected].