Ransomware Going Nowhere – Healthcare Beware!


My friends who were lucky enough to still be employed throughout the COVID-19 pandemic appeared to be split into two camps. Half seemed to be spending much of the day staring out of the window, largely unproductive, the bosses’ gaze concentrating on other areas like the distracted Eye of Sauron. The other half were working three times as hard to make up for the colleagues who were furloughed or were unlucky enough to have been cut.

One set of people (neither friends nor acquaintances, I hasten to add) who were on the more productive end of the spectrum were the ransomware operators.

In the first quarter of 2020, ransomware attacks increased by 25%, according to specialist insurer Beazley. In that period, attacks on manufacturing rose by a whopping 156%.

Honda was forced to completely shut down all production in early June after being infected by EKANS ransomware. Threat intelligence firm Dragos analyzed this variant in depth. It targets industrial control systems, which may suggest that Honda was specifically targeted. But EKANS is a blunt tool, as Dragos point out, and let’s not forget most worldwide car production halted because of the pandemic. The timing could have been much worse for Honda, while perhaps being much better for the attackers.

What is much more worrying, however, is just how often hospitals and healthcare providers fell victim to ransomware attacks. Just shy of a quarter of all attacks in January through March 2020 were against the healthcare sector, as many as against the financial sector.

This happened despite a pledge by ransomware groups that they wouldn’t deliberately target hospitals during the pandemic, and would provide decryption keys if they were ‘accidentally’ infected. Hmmmm.

Healthcare is a prime target for hackers of all kinds. Modern hospitals which suddenly have no access to data will have a hard time managing admissions and discharges. They keep financial data, credit card details, and social security numbers. And what is more sensitive and important data than patients’ health records? There is potential for a huge return on the hackers’ investment from a hospital where down time is a life-or-death issue.

Rangely District Hospital in Rio Blanco County, Colorado, issued a ‘Notice of Privacy Incident’ following a ransomware attack that occurred in April 2020. Names, dates of birth, social security numbers, diagnoses, and conditions were among the types of data encrypted in the attack. Apparently the data was not stolen by the attacker, but such theft is becoming increasingly common in so-called “double extortion” events, as described by Check Point Research.

Even with an excellent and well-tested backup strategy, hospital administrators will still be tempted to pay a ransom to recover encrypted data. Even then, and even if one of those well-meaning ransomware groups offered the decryption software, there’s no guarantee of timely recovery. As reported in Health IT Security, research suggests that paying the ransom can double the recovery cost.

Ransomware prevention, response, and recovery need a strategic plan all to themselves. Consider just the insurance aspect:

  • Do you have cyber attack insurance suitable for your industry and the data you hold?
  • Does the cyber attack policy insure against ransomware? Often, that requires separate coverage.
  • Are there exclusions that limit liability if you are in breach of compliance, such as HIPAA? An auditor investigating a ransomware incident might find the compliance failure that invalidates your policy.
  • Does your policy cover actions by malicious state actors? Even defining a so-called cyberwar is problematic.

An expert risk assessment will tell you whether your existing security policies and posture offer adequate protection. Additionally, a CISO on-demand can provide expertise to create and realize the IT security strategy that will effectively deal with ransomware and other cyber threats.


We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.

Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.

Kevin can be reached at [email protected] or +1 843 890 8596.

This publication is for educational and general information purposes only. It may contain errors and is provided as is. It is not intended as specific advice, legal, or otherwise. Opinions and views are not necessarily those of J.S. Held or its affiliates and it should not be presumed that J.S. Held subscribes to any particular method, interpretation, or analysis merely because it appears in this publication. We disclaim any representation and/or warranty regarding the accuracy, timeliness, quality, or applicability of any of the contents. You should not act, or fail to act, in reliance on this publication and we disclaim all liability in respect to such actions or failure to act. We assume no responsibility for information contained in this publication and disclaim all liability and damages in respect to such information. This publication is not a substitute for competent legal advice. The content herein may be updated or otherwise modified without notice.
