Ransomware in healthcare: a global epidemic

In recent years, we have increasingly come across news of cyber attacks on institutions such as clinics and hospitals in the healthcare sector. We also know that criminals tend to target segments that contain large amounts of sensitive data, as this increases the likelihood of paying the ransom that attackers demand. In this case, this information may be related not only to institutions but also to the vital privacy of thousands of patients.

Without having to go back too far, I can list many events that took place in Brazil in 2024, which had a great impact in the press and caused panic in the industry. In April, for example, there was an invasion that caused perhaps the most uproar and outrage in the country: Criminals compromised the data of plastic surgery practices in Rio Grande do Sul and Paraná.

At that time, cybercriminals published medical records and various communications between doctors and patients from a sexual health clinic in Minas Gerais, as well as a number of private images and financial data of patients.

As is already a common practice for these ransomware groups, they published the content on the deep web and demanded a monetary ransom to ensure that the remaining information was not disclosed on open social networks where any ordinary user could see it.

This case was specifically attributed to the Qiulong ransomware group, which was even widely analyzed by Sophos, a company I lead in Brazil, after an incident in which they exfiltrated personal data from the daughter of the CEO of a large company made a splash. link to your company and Instagram profile.

In fact, the same research shows that the gang has also been linked to various attacks in the healthcare sector; In other words, they operate in this segment quite frequently, which proves to be extremely profitable.

The alarming scenario is not only in Brazil

Although Brazilian healthcare institutions face major challenges in cybersecurity, the problem is not only here. In May this year, Ascension, a well-known non-profit organization in the United States, experienced an interruption in its operations due to an attack. To give an idea of ​​the scale of the problem, the company’s healthcare system includes 140 hospitals and 40 facilities for seniors in 19 U.S. states.

Healthcare professionals in the United States have reported numerous ransomware attacks in recent years. Some of these incidents even disrupted the care of thousands of patients and caused millions of dollars in losses to breached institutions.

To illustrate this scenario with numbers, the State of Ransomware in Healthcare report developed by Sophos found that 67% of healthcare organizations globally were affected by ransomware in 2024; This is a significant increase from the 60% reported in 2023.

But this is not the data that attracts the most attention: The sector has increasingly become the target of ransomware groups, and the proof of this is the increase in the number of attacks since 2021. In 2022, this rate was 66%, while in 2021 this rate was 66%. , 34%. In other words, considering the period from 2021 to 2024, the volume of healthcare institutions attacked by ransomware worldwide has almost doubled, from 34% (2021) to 67% (2024).

Other findings through the Sophos report that are worth highlighting is the fact that all organizations interviewed were able to identify the main reasons for the attacks: the “gateway” for ransomware groups was the exploitation of vulnerabilities, and their credentials had been compromised (both received 34% of responses). Soon after, 19% said malicious emails were the main reason.

Why healthcare sector?

Cybercriminals use a variety of techniques, tactics, and procedures (TTPs) to both identify targets of attacks and carry them out. As we have mentioned before, the healthcare sector is one of the sectors that carries the most sensitive information, as it goes far beyond the data coming from the institutions themselves, containing a number of references to the intimate lives of patients, such as bank access, photographs, healthcare services. problems and even details regarding sexual life.

With this information in hand, it’s not hard to understand why this segment is one of the most targeted by cybercriminals, right? Moreover, since it is an industry involving high amounts of money, logic leads attackers to believe that they are more likely to succeed in extorting their targets.

Considering the structure of these organizations, we can attribute the significant number of attacks against hospitals to their increasing implementation of computerized systems, mainly connected to the Internet. So they are naturally more exposed when they don’t have the knowledge of what they need, especially establishing detection and response systems for cyber incidents.

How do you protect yourself?

At Sophos we always say prevention is better than cure. Therefore, the ideal is for organizations to maintain control of their entire company to prevent attacks. To achieve this, it is crucial that employees are constantly trained on how to spot phishing and malicious emails; especially considering that this is one of the main causes of ransomware incidents in the healthcare industry.

Additionally, since they are the main target of ransomware groups, very strong endpoint security needs to be ensured. These protections should include anti-ransomware technology to stop and reverse possible data encryption. Therefore, the earlier the attack is detected and countered, the better. Detecting and neutralizing cybercriminals before they compromise backups will significantly improve outcomes.

Finally, planning and preparation are key elements for the entire company to have an adequate incident response plan that operates 24 hours a day, seven days a week. To be more effective in the event of an attack, it is important for companies to practice restoring data from backups; because this guarantees higher speed and smoothness in the restoration process.

Such an important area as health requires great attention from organizations in this segment. We have noticed a very common pattern regarding the reasons for the attacks, which is why it is so important to invest in employee training and ensure everyone is aware of what they can do to protect themselves. Also, of course, the implementation of fast-acting protection teams in case of possible invasion.