14 Million Victims of Malware Breaches in the U.S. Healthcare Sector

Healthcare is a data-driven business, storing vast amounts of sensitive personal and medical information, such as social security numbers, medical histories, and financial data, making them attractive targets for exploitation and extremely valuable on the black market. This year alone, over 14 million people were affected by data breaches caused by malware targeting the U.S. healthcare industry. Given the rapid adoption of digital tools, AI, and platforms during and after the COVID-19 pandemic, the attack landscape of healthcare organizations has become increasingly broad and highly attractive to those with ill-intent.

Due to their critical operations and the high probability of financial gain, healthcare organizations have thus become prime targets for ransomware. However, disrupting access to patient data or medical systems can have life-threatening consequences. Because of this, healthcare organizations are more likely to pay ransoms to restore operations quickly and avoid any disruption to care or service to patients who could be adversely affected.

91% of Healthcare Breaches Involve Ransomware

In 2024, ransomware was leveraged in an alarming 91% of malware-related data breaches in the healthcare sector, with Lockbit emerging as one of the most notorious ransomware groups targeting this industry. Lockbit claimed responsibility for the high-profile breaches of LivaNova, a medical device manufacturer, affecting over 180,000 U.S. patients, and Panorama Eyecare, an eyecare company, affecting close to 400,000 individuals.

Another significant group, BlackCat (ALPHV), was implicated in the Change Healthcare data breach, where a $22 million ransom was paid under false pretenses, leading to a subsequent ransom demand by another group, RansomHub.

Both Lockbit and BlackCat (ALPHV) operate as Ransomware-as-a-Service (RaaS), allowing them to scale their operations by recruiting affiliates who carry out attacks in exchange for a cut of the ransom payments. This evolving model enables even those with limited technical expertise to launch sophisticated ransomware attacks, increasing the frequency, scale, and impact of these incidents.

Digital Systems Creating Multiple Access Points

The increasing integration of digital systems, such as electronic health records, telemedicine platforms, and the Internet of Medical Things (IoMT) devices, has created multiple access points for attackers. For example, the Cl0p Ransomware group exploited a zero-day vulnerability in MOVEit (CVE-2023-34362), a secure file transfer application, to inject SQL commands and access customer databases. This breach leaked sensitive healthcare information, including treatment plans, from CareSource, a non-profit organization that manages Medicaid, Medicare, and Marketplace programs.
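To make the SQL-injection mechanism behind the MOVEit case concrete from the defender's side, here is an added example that is not part of the original article and has nothing to do with MOVEit's real code or schema. It builds a constructed in-memory patient table, shows a lookup that splices caller-controlled text into the query next to the parameterized version of the same lookup, and adds an allow-list check on the tenant identifier as a second layer. The table name, columns and sample rows are all hypothetical.

```python
import re
import sqlite3

# Hypothetical multi-tenant records table, constructed in memory for the demo.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, org TEXT, name TEXT, plan TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (org, name, plan) VALUES (?, ?, ?)",
        [
            ("org-a", "Alice Example", "constructed treatment plan A"),
            ("org-a", "Bob Example", "constructed treatment plan B"),
            ("org-b", "Carol Example", "constructed treatment plan C"),
        ],
    )
    return conn


def lookup_vulnerable(conn, org):
    # The tenant identifier is pasted straight into the SQL text, so whatever
    # the caller sends becomes part of the statement the database executes.
    sql = f"SELECT name FROM patients WHERE org = '{org}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, org):
    # Bound parameters keep the value separate from the statement; the driver
    # never interprets the value as SQL, so it can only ever match an org name.
    sql = "SELECT name FROM patients WHERE org = ?"
    return [row[0] for row in conn.execute(sql, (org,))]


# Defense in depth: tenant identifiers in this hypothetical system are short
# lowercase slugs, so anything else is rejected before reaching the database.
ORG_SLUG = re.compile(r"^[a-z0-9-]{1,32}$")


def lookup_hardened(conn, org):
    if not ORG_SLUG.match(org):
        raise ValueError("invalid org identifier")
    return lookup_parameterized(conn, org)


if __name__ == "__main__":
    db = build_db()
    # Regression check a defender would keep: the classic tautology input must
    # not widen the result set once the query is parameterized.
    print("vulnerable, normal input:", lookup_vulnerable(db, "org-a"))
    print("vulnerable, tautology:   ", lookup_vulnerable(db, "' OR '1'='1"))
    print("parameterized, tautology:", lookup_parameterized(db, "' OR '1'='1"))
```

Running the block shows the vulnerable lookup returning every tenant's rows for the tautology input, while the parameterized lookup returns nothing because no org is literally named that string; the hardened wrapper rejects it before a query is even built.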

Rise in Phishing and Social Engineering Attacks

Healthcare workers’ focus on patient care often makes them susceptible to phishing and social engineering attacks. Cybercriminals exploit this by crafting targeted campaigns that trick unsuspecting employees into revealing credentials or downloading malware, as seen in the 2024 Los Angeles County Department of Mental Health breach.

Overall, in 2024, ransomware groups targeting the healthcare sector have exploited several critical vulnerabilities, leveraging well-known flaws to infiltrate networks, escalate privileges, and deploy ransomware. Our data shows about 60% of vulnerabilities leveraged by threat actors against healthcare targeted Microsoft Exchange.

Best Defense Against Threats

To defend against cyber threats, healthcare organizations must implement a multi-layered cybersecurity strategy, focusing on regular updates, strong access controls, and 24x7x365 monitoring.

  • Regular updates and patch management: Regularly updating operating systems, applications, and security tools ensures that the latest security patches are applied. For example, vulnerabilities like ProxyShell and ProxyLogon in Microsoft Exchange Server were exploited because many organizations delayed applying patches.
  • Strong access controls and authentication protocols: Implementing multi-factor authentication (MFA) reduces the risk of unauthorized access from compromised credentials. Additionally, using Zero-Trust Network Access (ZTNA) and secure SD-WAN makes sure that only the right people can get into sensitive healthcare systems, cutting down the chances for attacks.
  • Continuous monitoring: Continuous 24x7x365 monitoring is vital for healthcare organizations to detect and respond to cyber threats in real-time, minimizing the risk of data breaches and service disruptions. With healthcare systems under constant attack, around-the-clock monitoring ensures that any suspicious activity is quickly identified and mitigated before it escalates into a major incident.
  • Enlist a Trusted Security Vendor: Engage with a reputable Managed Security Service Provider (MSSP) that is highly adept at stopping evasive threats and blocking attacks, and that is equipped with the most up-to-date threat information and innovative solutions to thwart them.
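The monitoring and MFA points above are easier to reason about with a concrete detection. The following is an added example, not code from the article or from SonicWall, that parses a handful of constructed authentication log lines in a hypothetical format and raises two kinds of alert: a successful login that follows a burst of failures from the same user and source (the pattern left behind by phished or stuffed credentials), and any successful login that completed without MFA. Thresholds, field names and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical key=value format; not real traffic.
SAMPLE_LOG = """\
2024-06-01T02:10:01Z auth=fail user=jdoe src=203.0.113.5 mfa=none
2024-06-01T02:10:04Z auth=fail user=jdoe src=203.0.113.5 mfa=none
2024-06-01T02:10:09Z auth=fail user=jdoe src=203.0.113.5 mfa=none
2024-06-01T02:10:15Z auth=fail user=jdoe src=203.0.113.5 mfa=none
2024-06-01T02:10:22Z auth=fail user=jdoe src=203.0.113.5 mfa=none
2024-06-01T02:10:30Z auth=ok user=jdoe src=203.0.113.5 mfa=none
2024-06-01T08:00:00Z auth=ok user=asmith src=198.51.100.7 mfa=push
2024-06-01T08:05:00Z auth=fail user=asmith src=198.51.100.7 mfa=none
2024-06-01T08:05:10Z auth=ok user=asmith src=198.51.100.7 mfa=push
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>\S+)$"
)


def parse(log_text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return alerts for (a) success after a burst of failures and (b) no-MFA logins."""
    alerts = []
    # (user, src) -> timestamps of recent failures inside the sliding window
    recent_fails = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        key = (event["user"], event["src"])
        now = event["ts"]
        # Age out failures older than the window before looking at this event.
        recent_fails[key] = [t for t in recent_fails[key] if now - t <= window]
        if event["result"] == "fail":
            recent_fails[key].append(now)
            continue
        # Successful login: judge it against the failures that preceded it.
        if len(recent_fails[key]) >= fail_threshold:
            alerts.append({
                "rule": "success-after-burst-of-failures",
                "user": event["user"],
                "src": event["src"],
                "failures": len(recent_fails[key]),
                "at": now.isoformat(),
            })
        if event["mfa"] == "none":
            alerts.append({
                "rule": "login-without-mfa",
                "user": event["user"],
                "src": event["src"],
                "at": now.isoformat(),
            })
        # A success resets the counter for this user/source pair.
        recent_fails[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

With the constructed log, only the jdoe session trips both rules: five failures in under a minute followed by a success with no MFA. The asmith session has one failure before its MFA-backed success and produces nothing, which is the kind of noise the threshold is there to suppress. In practice the same two rules would be fed from the identity provider's sign-in logs, and the no-MFA rule doubles as a check that the MFA policy is actually enforced everywhere.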

Bad actors never sleep, so your security protocols should be constantly vigilant, monitoring round-the-clock for any untoward activity. Cyber threats are not a matter of if but when, and those healthcare companies best prepared to deal with them—with the right measures, protocols, monitoring, and trusted security partners—will be the ones that weather the severe ramifications of bad actors intent on exploiting any and all vulnerabilities.

About the Authors

Rhoda Aronce and Ashwini Bhagwat serve as Senior Threat Researchers at cybersecurity leader SonicWall. SonicWall’s security solutions, including advanced firewalls and threat detection tools, have successfully prevented over 26,000 attacks in 2024 by providing real-time threat intelligence and rapid response capabilities. To learn more about SonicWall’s findings in its 2024 SonicWall Threat Brief, please visit https://www.sonicwall.com/threat-report.

Rhoda Aronce and Ashwini Bhagwat can be reached directly at [email protected] and [email protected] respectively.
