Kelly-White By: Kelly White, Founder, RiskRecon by Mastercard

Frequency of Health Care Ransomware Attacks Driving New Proposed 
Cybersecurity Regulations

U.S. Senators are responding to the unprecedented levels of operationally destructive ransomware attacks impacting the health care sector with unprecedented regulations which, if made law, would dramatically change the cybersecurity landscape. The draft legislation isn’t without merit as the health care sector leads all industries in destructive ransomware attacks, accounting for 18.2% of all attacks since 2016, according to RiskRecon’s research.

The stated objective of the Health Infrastructure Security and Accountability Act, proposed by Senators Ron Wyden and Mark Warner, is to “protect health information, protect patient safety, and ensure the availability and resiliency of health care information systems and health care transactions.” The draft bill would require organizations comply with minimum security requirements established by the Director of Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence. Organizations that must comply span both covered entities and their business associates, with covered entities including health plans, health care providers, and health care clearinghouses.

As currently drafted, complying with the regulations would bring about a transformative level of risk management. The legislation requires that on an annual basis, organizations:

  • Conduct a security risk analysis that spans both its own organization and its business associates.

  • Document a recovery plan in the event a service disruption occurs.

  • Conduct a stress test to determine if they and their business associates can restore essential functions and implement a plan to address any gaps that prevent orderly and timely service recovery.

  • Engage an independent auditor approved by the Department of Health and Human Services to assess compliance with the minimum standards.

  • Provide a written statement of compliance signed by the chief executive officer and the chief information security officer.

Unlike some regulations, this bill proposes strong accountability for non-compliance. Beyond laying down civil penalties that could be higher than $5,000 per day of non-compliance with documentation, reporting, and audit requirements, the legislation lays out criminal penalties of up to $1,000,000 and 10-years imprisonment for knowingly reporting false information, or willfully failing to submit information in a timely manner.

Events in 2024 strengthen the justification for new, strict rules. King among the events was the extended outage of Change Healthcare in June 2024 which impacted the revenue streams and operations of nearly 80% of US healthcare clinics. Unfortunately, it isn’t uncommon that ransomware events severely impact the ability of care providers to provide medical services. For example, in June 2024, McLaren Health Care had to postpone some surgeries while they recovered systems. In September, the University Medical Health Center, the only level 1 trauma center for 400 miles in East Texas, had to divert emergency and non-emergency patients to other providers.

The disruptive healthcare cybersecurity events of 2024 are not an anomaly. Based on our research here at RiskRecon of over 1,700 destructive ransomware events which materially harmed the ability of organizations to operate, 18.2% were directed at healthcare providers. This does not include business associates such as healthcare plans, data processors, and so forth.

Industry-Distribution-of-Destructive-Ransomware


Setting forth minimum standards of cybersecurity for healthcare organizations will materially shift the risk landscape and reduce destructive ransomware and general data breach events alike. RiskRecon research and general industry forensic analysis of breach events continue to point to the reality that criminals are hunting at the back of the herd, taking down organizations with poor cybersecurity hygiene. For example, in the case of Change Healthcare, criminals gained access to the systems using stolen credentials for a Citrix VPN that didn’t require multi-factor authentication. 

As a provider of cybersecurity ratings, RiskReco35x-Lower-Frequency-of-Destructive-Ransomware-Eventsn continuously monitors the cybersecurity hygiene of millions of organizations. Focusing in on RiskRecon’s population of 150,000 analyst-monitored organizations, those with very poor cybersecurity hygiene, rated as D or F, have experienced a 35x higher frequency of breach events compared to A rated organizations, which RiskRecon observes as having very clean hygiene. Just over 2% of D and F rated companies have had a destructive ransomware event since 2016. In comparison, only 0.06% of A rated companies and 0.29% of B rated companies have suffered a destructive ransomware event.

Destructive-Ransomware-Event-Frequency-by-RatingDestructive-Ransomware-Event-Frequency-Relative-to-A-Rated-Orgs


The cybersecurity conditions underlying the RiskRecon rating reveal just how poor the cybersecurity hygiene is of companies, on average, that fall victim to a material system-encrypting ransomware attack. In comparison with the general population, those that succumb to destructive ransomware, on average, have:

  • 7.2 times more high and critical severity issues in their internet facing systems.

  • 12.2 times more unsafe network services exposed to the internet, such as RDP, telnet, database listeners, NetBIOS, and SMB.

  • 23.7 times higher rate of malicious activity such as botnet communications emanating from their systems to the internet.

  • 6.4 times higher frequency of encryption configuration issues in high value systems that collect and transmit sensitive data.

The Health Infrastructure Security and Accountability Act is currently just proposed legislation. Whether this proposal becomes law or not, it does serve as notice that some increased cybersecurity regulation is forthcoming. Thankfully, lawmakers are not ignoring the fact that our most critical infrastructure – the healthcare sector – is not well positioned to resist the threats to the confidentiality, integrity, and availability of its essential services. Increasing the cybersecurity hygiene and risk management of the sector will reduce the frequency, impact and severity of events plaguing the industry. Whether we get there through regulation or through industry self-governance it doesn’t matter. We all agree that healthcare should be available to all when they are needed.

At one point or another we each will find ourselves critically dependent on healthcare. We all want those life-saving services to be available when we need them.

To learn more about RiskRecon, request a DEMO today!