The healthcare industry has become a prime target for ransomware attacks in recent years.
These malicious incursions, wherein an attacker encrypts sensitive files and makes them inaccessible until a ransom is paid, not only severely disrupt operations but also put sensitive patient data at risk. One of the latest victims is Ascension, a leading healthcare provider with 140 hospitals across the US, which suffered a devastating breach in May 2024.
This blog post delves into what happened during the Ascension hack, the financial and reputational costs for the company, and how healthcare companies should approach patient data security in order to fend off attacks like these.
The Ascension ransomware attack: what happened?
On May 8, Ascension experienced a ransomware attack that locked providers out of systems that track and coordinate many aspects of patient care, including some phone systems, electronic health records, and the systems used to order medications and tests.
The attackers also managed to infiltrate Ascension’s network, exfiltrating files that contained protected health information (PHI) and personally identifiable information (PII).
The attack is believed to have been carried out by BlackBasta, a well-known ransomware group that has extorted more than $100 million from 329 organizations over the past two years.
The cost of leaked patient data
It is unknown exactly how many patients had their personal data exfiltrated, but the personal cost of data breaches to those individuals cannot be overstated.
When patient data is leaked, it can lead to:
- Identity Theft: Personal information such as Social Security numbers, addresses, and medical records can be used to commit identity theft, leading to serious financial and emotional distress for victims.
- Privacy Violations: Sensitive medical information being exposed can result in embarrassment, stigmatization, and personal harm.
- Trust Erosion: Patients may become hesitant to share critical information with healthcare providers, fearing future breaches, which can negatively impact the quality of care they receive.
Class-action lawsuits were filed by some hospital patients following the attack, alleging that Ascension failed to implement reasonable and appropriate safeguards, such as encryption, to protect the data it holds. The lawsuits allege that the plaintiffs’ protected health information is now in the hands of cybercriminals due to Ascension’s failure to ensure security, and that the plaintiffs and class members face an elevated risk of identity theft and fraud that will continue for years to come.
Financial and reputational costs for Ascension
In addition to the serious repercussions to individuals, the financial and reputational impact of the ransomware attack on Ascension has also been considerable.
The immediate costs of ransomware attacks include:
- Ransom Payment: Although specific figures are often confidential, ransomware demands in the healthcare sector can range from hundreds of thousands to millions of dollars.
- System Restoration: Beyond the ransom, restoring affected systems, enhancing cybersecurity measures, and conducting thorough investigations require substantial financial outlays.
- Operational Downtime: The disruption caused by the attack led to canceled appointments, delayed procedures, and a backlog of administrative tasks, all contributing to financial losses.
- Regulatory Fines: Given the sensitivity of patient data, breaches often result in penalties from regulatory bodies for failing to adequately protect information.
The reputational damage is equally significant. Trust is paramount in healthcare, and a breach can erode patient confidence, potentially leading to a loss of business and long-term harm to the brand.
The need for enhanced data security measures
The Ascension hack underscores the urgent need for healthcare organizations to fortify their cybersecurity defenses.
“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” said Jeff Tully, a co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego. “These types of cybersecurity incidents should be thought of as a matter of when, and not if.”
Here are some key measures that healthcare companies should implement, if they have not already:
- Advanced encryption of data to ensure the utmost level of security
- Regular security audits
- Employee training to ensure staff are educated on threats and best practices
- Incident response plans to quickly and effectively address breaches
As we’ve seen, ransomware attacks are grave matters, and healthcare companies must take immediate steps to protect themselves and their patients.
Unique Challenges of BYOD Workforces
As ransomware attacks have surged, the adoption of telehealth has also increased, leading to a rise in remote workforces and contractors. In response, many companies are adopting Bring Your Own Device (BYOD) policies, which provide flexibility and cost savings for remote workers and companies alike. However, this shift introduces unique cybersecurity challenges for healthcare organizations. Personal devices used to access sensitive patient data can become vulnerable entry points for cyberattacks if not properly secured.
Healthcare companies must address several key challenges when securing healthcare BYOD workforces:
- Ensuring compliance with HIPAA and other regulatory requirements
- Protecting sensitive data on devices that may not have enterprise-grade security measures
- Managing and securing a diverse array of personal devices used by employees and contractors
- Implementing robust access controls to prevent unauthorized data access
How Venn can help secure patient data and maintain HIPAA compliance for BYOD Workforces
As many of Venn’s customers are healthcare companies, we understand the importance of securing PHI and PII through security measures. That’s why our Blue Border was built in meticulous alignment with HIPAA’s administrative, physical, and technical safeguards – so our healthcare customers can comprehensively comply with these standards and strengthen their data security measures.
Venn is the first purpose-built, patented technology for securing contractors and remote workers on personal or unmanaged devices. Similar to an MDM solution but for laptops – work lives in a company-controlled Secure Enclave installed on the user’s PC or Mac, where business activity is isolated and protected from any personal use on the same computer.
To ensure robust data security, healthcare organizations must protect their back-end systems with a defense-in-depth (DiD) strategy. Venn can play a vital role in this approach by extending zero trust principles to BYOD devices, and encapsulating an organization’s apps and data within the Secure Enclave. This containment prevents users from accessing SaaS and back-end systems from outside the enclave, thereby mitigating data leakage risks. Venn’s built-in Private Company Gateway (PCG) is also secured within the enclave, ensuring that any attempt to connect via the PCG from outside the enclave is blocked.
By utilizing Venn, healthcare companies like Ascension stand to fortify their DiD strategy and better protect themselves against ransomware attacks.
If you want to learn more about how Venn supports HIPAA, download our latest whitepaper.