Thomas Grove

Strategies for Hospital Executives: Conduct a Ransomware Risk Assessment

July 19, 2023

Healthcare Industry, Ransomware

In today’s evolving digital landscape, cybersecurity risks, particularly those involving ransomware, are a high-stakes concern. Hospitals, given the sensitive nature of patient data and the criticality of operations, are prime targets. As an executive in this demanding industry, it is critical that you understand and mitigate such risks as part of strategic planning. This blog post guides you through the process of conducting a thorough ransomware risk assessment within your institution.

Understand Ransomware

Ransomware is a type of malicious software that encrypts data, rendering it inaccessible until a ransom is paid. The impact can range from disrupting administrative operations to hindering clinical care, creating a significant ripple effect throughout the hospital. In a healthcare setting, ransomware scenarios can create life-threatening situations.

Conduct a Ransomware Risk Assessment

Start by identifying all the digital assets across your organization. These typically include medical and administrative systems, databases, hardware, network devices, and even medical IoT devices. Once these assets are inventoried, categorize them based on level of sensitivity and criticality. This step is crucial for prioritizing risk management efforts, because any connected asset could be compromised, could have critical data, and could be the gateway to a much more damaging attack. 

For each asset, identify potential vulnerabilities, e.g., unpatched software, weak passwords, outdated hardware, lack of encryption, or even human factors such as lack of training on phishing attempts. Consider engaging a cybersecurity professional to help unearth any hidden vulnerabilities. Medsphere is often called in to provide these assessments, and we find that our experience plus our role as a source of external expertise helps us identify significant risks that might be overlooked or underappreciated by our clients.

Understanding the threat landscape is critical to assessing ransomware risk. Threats could come from outside actors like cybercriminals or state-sponsored hackers, or even from within in the form of disgruntled employees. Stay informed about recent ransomware attacks and trends in the healthcare industry. Use this information to evaluate the likelihood of various threats.

During Medsphere assessments, we regularly find that our clients underestimate both the likelihood and the costs of a ransomware attack. In their “State of Ransomware in Healthcare 2022” report, security software and hardware firm Sophos reported that 66% of healthcare organizations they surveyed were victims of ransomware attacks that year, up from 50% in 2021. The average cost of dealing with these ransomware attacks in 2021 was $1.85 million, a 32% increase from the previous year.

Risk is typically calculated as the product of the likelihood of an event occurring and the potential impact of that event. For ransomware, the impact can be evaluated in terms of potential operational disruption, financial loss, reputational damage, and harm to patients. Calculating risk will help prioritize preventive strategies and focus you and your team on the most damaging vulnerabilities.
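A small scoring script that applies the likelihood-times-impact product described above to a hospital asset inventory, taking impact across the four dimensions named (operational, financial, reputational, patient harm) and ranking assets for mitigation. This is an added illustration, not Medsphere's assessment methodology or code; the 1-to-5 scales, the band thresholds, and the asset names and scores are assumptions.

```python
from dataclasses import dataclass, field

# Likelihood and each impact dimension are scored 1 (negligible) to 5 (severe).
# The four dimensions are the ones the post names; the scale is an assumption.
IMPACT_AREAS = ("operational", "financial", "reputational", "patient_harm")
SCALE = range(1, 6)

@dataclass
class Asset:
    name: str
    category: str                 # clinical, administrative, iot, ...
    likelihood: int               # from the threat-landscape review
    impact: dict                  # area -> score
    vulnerabilities: list = field(default_factory=list)

    def validate(self):
        if self.likelihood not in SCALE:
            raise ValueError(f"{self.name}: likelihood out of range")
        for area in IMPACT_AREAS:
            if self.impact.get(area) not in SCALE:
                raise ValueError(f"{self.name}: missing or invalid impact '{area}'")

    def impact_score(self):
        # The worst dimension drives the score: a system whose loss could harm
        # patients is critical even when its financial exposure is modest.
        return max(self.impact[a] for a in IMPACT_AREAS)

    def risk(self):
        # Risk = likelihood x impact, the product the post describes.
        return self.likelihood * self.impact_score()

def risk_band(score):
    # Bands over the 1..25 product; thresholds are an assumption for illustration.
    return "critical" if score >= 15 else "high" if score >= 8 else "medium" if score >= 4 else "low"

def rank_assets(assets):
    """Validate every asset, then sort highest risk first (impact breaks ties)."""
    for a in assets:
        a.validate()
    return sorted(assets, key=lambda a: (a.risk(), a.impact_score()), reverse=True)

# Constructed sample inventory; names, scores and findings are illustrative, not client data.
INVENTORY = [
    Asset("EHR database", "clinical", 4, dict(operational=5, financial=4, reputational=5, patient_harm=5), ["unpatched database server"]),
    Asset("Infusion pump segment", "iot", 3, dict(operational=3, financial=2, reputational=3, patient_harm=5), ["legacy firmware, no vendor patches"]),
    Asset("Billing system", "administrative", 4, dict(operational=3, financial=4, reputational=2, patient_harm=1), ["shared admin password"]),
    Asset("Staff email", "administrative", 5, dict(operational=2, financial=2, reputational=3, patient_harm=1), ["no phishing training"]),
    Asset("Cafeteria point of sale", "administrative", 2, dict(operational=1, financial=2, reputational=1, patient_harm=1)),
]

if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{a.risk():>2} {risk_band(a.risk()):<8} {a.name}: {', '.join(a.vulnerabilities) or 'none recorded'}")
```

Note that the infusion pump segment outranks the higher-likelihood staff email despite an equal product, because the patient-harm dimension breaks the tie; that is the kind of prioritization the executive review should surface.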

Based on the risks identified, develop strategies to mitigate them, e.g., technical measures such as patch management, endpoint protection, intrusion detection systems, regular backups, and encryption. And don’t overlook organizational measures like staff training, incident response planning, and regular audits, as these often provide the biggest bang for the buck when resources are limited. If you get pushback on spending, remind the financial gatekeepers that $1.85 million on average per attack multiplied by a 66% probability of attack equals $1.1 million in ransomware costs each year. You can’t afford to be average.

Ransomware tactics continually evolve, so make sure that risk assessments are not a one-time event. Schedule regular risk assessments to stay ahead of new threats and ensure effective mitigation strategies.

In every healthcare organization, there is an underlying awareness of costs and a pervasive desire to keep them down, which is completely understandable. Remember, however, that the cost of preventing a ransomware attack is far less than the cost of responding to one, and the data suggests that assuming your facility will never get hit is a risky approach. Medsphere’s security experts have conducted hundreds of assessments for hospitals, physician practices, and healthcare vendors. We focus on your risks, help identify best practices, and can even assist with implementation if you need that expertise.

Contact us today to schedule your free assessment and take the first step towards securing your hospital’s IT infrastructure.
