More than one-in-five consumers have been impacted by a cyberattack against their healthcare provider in the past year according to the 2020 Consumer Healthcare Cybersecurity Index released today by Morphisec, the leader in Moving Target Defense. This figure is a sharp increase from 2019 when just 6% of Americans stated their healthcare provider had been affected by a cyberattack or data breach.

Ransomware is leading the pack of threats facing healthcare providers in 2020. Rather than broadly deployed cyberattacks or spam, cybercriminals are explicitly targeting healthcare organizations with the goal of exfiltrating data and then encrypting as many computers and servers as possible. One ransomware of choice for malicious parties is BitPaymer ransomware, which first rose to prominence in 2017 when it was used to breach multiple Scottish hospitals.

Morphisec has been closely monitoring the increasing use of BitPaymer ransomware over the last twelve months. In April of 2019, Morphisec found attackers using supply chain solution providers to deliver the Bitpaymer ransomware. In September of last year, Morphisec found that attackers were using an even more creative route to deliver Bitpaymer to enterprises via a vulnerability in the Apple Software Update utility that came packaged with iTunes for Windows.

As Morphisec continues to assist healthcare providers such as Citizens Medical Center and Freeman Health with improving their cyber defenses to thwart ransomware and other attacks, it commissioned the second annual Consumer Healthcare Cybersecurity Threat Index to examine how the increasing amount of healthcare cyberattacks is impacting the mindset of consumers. A survey was administered in February 2020 to 1,000 consumers aged 18+ and weighted for the U.S. population by age, region, and gender.

Additional highlights from the 2020 Consumer Healthcare Cybersecurity Threat Index include:

More than one-in-five consumers express that they would consider switching healthcare providers if they were the victim of a cyberattack. An additional 57% say their decision to switch providers would depend on how the provider handled the breach.
Consumers believe it is increasingly a joint responsibility (61%) between them and their healthcare provider in protecting personal healthcare data, a 10% jump from the previous year.
With the abundance of ransomware attacks, 43% of consumers claim they would be able to determine if it was a ransomware threat versus a more benign adware threat. That was nearly double the percentage of consumers who thought they could decipher the difference between the two in 2019 (22%).
However, despite a growing knowledge of ransomware, when consumers were asked what they believe healthcare IT professionals should do to respond to a ransomware attack, many consumers illustrated they still have more to learn. 11% of respondents said they would have their healthcare provider pay the ransomware demand, despite experts noting that you should rarely pay a ransomware demand to regain access to a network.
One-quarter of U.S. consumers fear their healthcare providers’ web browser defenses are their weakest security link, followed closely by their email phishing defenses (23%) and endpoint security (19%).
“With data breaches costing healthcare providers over $4 billion in 2019 and attacks becoming more sophisticated, it’s no surprise today’s consumers are more aware of the dangers impacting the healthcare industry,” says Andrew Homer, VP of Security Strategy at Morphisec. “Ransomware is nearly three times more likely to be the cause of data breaches in the healthcare industry than within other markets, and therefore healthcare cybersecurity professionals are increasingly turning to lightweight, advanced protection against these threats to harden their security stacks as they migrate to Windows 10, as well as, cloud workload and virtual IT environments.”


About Morphisec
Morphisec offers an entirely new level of innovation to customers in its Endpoint Threat Prevention product, delivering protection against the most advanced cyberattacks. The company’s patented Moving Target Defense technology prevents threats others can’t, including APTs, zero-days, ransomware, evasive fileless attacks and web-borne exploits. Morphisec provides a crucial, small-footprint memory-defense layer that easily deploys into a company’s existing security infrastructure to form a simple, highly effective, cost-efficient prevention stack that is truly disruptive to today’s existing cybersecurity model.