
Cyber criminals now attacking smaller health care targets
Cybercriminals are shifting focus to smaller health care practices, exploiting vulnerabilities and stealing data.
For most of this decade, cyber criminals have preferred to attack large hospitals with deep pockets – but that’s changing rapidly.
Bad actors are now setting their sights on group practices and radiology clinics because their main aim is to steal and sell data, not use encryption to lock down a system.
A new
A recent
This is mainly due to the high value of stolen health records, which are more valuable on the Dark Web than credit card numbers. Medical records can be used for account hijackings, tax/insurance fraud, and a variety of scams.
Last year, one hospital vendor’s email system was compromised and the culprit sent the hospital a bogus email saying ‘Here’s the new routing number for our accounts receivables’. The hospital then sent money to the phony routing number, where it instantly vanished.
The Sophos study also found that these kamikaze strikes are causing the ransom demands to plummet. In 2024, the average demand was a whopping $4 million. Last year it dropped to just $343,000. Actual payments also dropped, averaging just $150,000 per incident. That’s a sum that most physician groups and radiology practices can easily pay – and many of them are choosing to pay rather than suffer the embarrassment and legal/compliance consequences of stolen health records.
Smaller health care organizations often pay ransoms because they assume that the attacker is probably a newbie who wants to build a reputation as a benign thief who actually does return the data once the ransom is received. That way their next victim will be more likely to likewise fork over the ransom.
The trend is just the opposite for large health care organizations. Most of them push back aggressively because they have robust recovery teams. It’s in their best interest to stall the intruder to buy more time for recovery. In fact, many cyber insurance carriers require them to use this tactic as a matter of due diligence. Failure to do so can even result in forfeiture of a cyber insurance payout.
Your best protection: Stronger governance
The latest advances in ransomware technology have ushered in a new era: Ransomware-as-a-Franchise (RaaF). Ransomware is essentially becoming automated, and there are more novices and fortune-seekers out there than ever before. They’re armed with sophisticated tools that operate without many of the red flags that endpoint detection systems are designed to spot.
Paying a $150K ransom probably won’t sink a small health care organization, but ten of those per year could be financially crippling.
The best way to protect your organization from smash & grab attackers is to shore up governance oversight. It’s not enough to simply have security controls in place. You need procedures that validate the controls.
Your ideal Managed Security Service Provider (MSSP) should offer not just technical expertise but a proven track-record in making governance recommendations and validating the controls you’ve established.
Scott Doerr, CISSP, is a vCISO at