Industry Focus: Healthcare
As we saw in the previous section, healthcare has become a focus for ransomware threat actors this year, so we're looking a little deeper at the broader healthcare field within the Corvus book of business. We put together a grouping of industries that are likely to share one key characteristic: being in custody of protected health information (PHI). Attackers know this data carries heavy regulatory penalties for exposure or mismanagement, making these entities (theoretically) more likely to comply with demands.
Claim costs in Healthcare
Healthcare saw significantly higher average claim costs than the rest of the book through 2020 and 2021, but rapidly approached the book-wide mean in 2022.
Since this data is drawn from the Corvus book of business, the reduction in claim costs is likely due in large part to underwriting standards that mandated more stringent security controls, including multifactor authentication, strong backup strategies, and the use of endpoint detection and response (EDR) tools. These controls greatly reduced the severity of incidents for companies that implemented them, leading to a 50% reduction in incident costs. Healthcare organizations in general also stepped up threat awareness and preparedness among employees following the spike in attacks in 2020 and 2021, contributing to the decrease in overall claims.
What's driving claims in healthcare? On the surface, it's the same causes of loss we see across our book of business, even down to the rank order. Looking closer, though, there are differences in the share each category takes. While the category covering business email compromise (BEC) and fraudulent funds transfers (FFT) accounts for about a third of cyber claims across the Corvus book over all time, for healthcare the figure is just 21%, showing a broader distribution of claim types.
Another notable difference is the relative frequency of Vendor Breach claims, which is 4x higher within healthcare than it is across industries, likely due to US regulations around PHI. (To illustrate this type of situation: think of a hospital that outsources MRI scans for some patients to a third party, which houses those patients' information. If the MRI vendor experiences a breach, it is required to notify the hospital, and the hospital in turn is required to notify the affected patients; this is the business-associate notification chain set out in the HIPAA Breach Notification Rule. That obligation triggers a Vendor Breach claim for the hospital.) Claims labeled "third-party ransomware" are also noticeably higher in healthcare for the same reason: ransomware often involves the threat actor accessing and exfiltrating data, which triggers the same notification requirements even when the victim's own systems were never encrypted. Notable healthcare vendor breaches in this timeframe include Shields Healthcare Group in March 2022 and OneTouchPoint in July 2022.
Ransomware in healthcare drives a lot of conversation in the media because of the severe consequences it can have (think shutting down the critical systems that make a hospital function), but healthcare organizations tend to be resilient, with a 25% lower likelihood of paying a ransom than the book-wide average. Healthcare organizations tend to be better prepared to restore their systems from backups in the event of a ransomware attack, and are therefore less likely than average to pay the ransom. However, when they do pay, the average ransom payment is larger.
Meanwhile, the Corvus book of business tells a far different story from the data in the previous section, which showed a major spike in healthcare ransomware in the first quarter of this year. Overall claims frequency in healthcare among Corvus policyholders has declined from a brief peak in Q3 2022 back to historical average levels. For ransomware specifically, there has been virtually no change in claim frequency for more than a year running.
Legal Disclaimer: This report is intended for general guidance and information purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. Please consult your broker with respect to the information presented herein.