Health care CISOs, in addition to dealing with a deadly pandemic, faced unprecedented cyberattacks in 2020 as hackers looked to cash in on the COVID-19-induced chaos.

Some 239.4 million attempted cyberattacks targeted VMware Carbon Black health care customers last year, according to new data from the security vendor. It also found an average of 816 attempted attacks per endpoint in 2020, which represents a 9,851% increase from 2019.

VMware Carbon Black says the surge began in February as the pandemic began to spread worldwide. In fact, between January and February, attempted attacks against health care organizations increased by 51%. Later in the year, the threat researchers saw attempted attacks peak with an 87% increase from September to October.

Perhaps most concerning about these skyrocketing attacks, however, is the rise in ransomware.

According to Positive Technologies’ third-quarter 2020 cyber threatscape report, ransomware attacks accounted for over half of all malware attacks (51% in Q3 compared to 39% in Q2). Additionally, half of all attacks against health care institutions during the quarter involved ransomware, and this tragically included the first fatality from a ransomware attack against a hospital in Germany.

Health Care CISOs Face New Ransomware Tactics

“Health care was already strained as an industry, and prior to the pandemic they were already facing a wave of ransoms,” said Rick McElroy, head of security strategy at VMware Carbon Black. “That was the No. 1 issue for them in 2018, and unfortunately that not only carries forward into 2020 but was compounded.”

Changes in patient access like telemedicine, growing amounts of patient data and diagnostic information, and pandemic-related emails expanded the threat landscape and provided attackers with plenty of new opportunities, McElroy added. “And so it really created just a ripe environment for the attackers to then throw gas on what they were already doing,” McElroy said.

Additionally, many ransomware groups now offer ransomware-as-a-service, which makes ransomware deployment easily accessible to millions of would-be cybercriminals who previously didn’t have the tools.

“Ransomware-as-a-service operations have been around for some time, but they really went mainstream last year,” said Greg Foss, senior cybersecurity strategist at VMware Carbon Black. “And the affiliate programs are really brand new in 2020 as a means of getting the ransomware deployed in a larger subset of businesses.”

These affiliate programs provide a new way for malware developers to get insiders within an organization to deploy their payloads for a cut of the profits. “They’re offering these people 10%, 20% of the ransomware payouts for just simply dropping the ransomware payouts,” Foss said.

How to Secure Health Care in 2021

Still, 2020 wasn’t all doom and gloom for health care CISOs. They kept their hospitals running while battling cyber attackers and secured networks as hundreds of employees transitioned to working from home. “They were able to drive resiliency, they were able to drive disaster recovery,” McElroy said. “There were better security outcomes and the first I would start with is I don’t think it’s going to be an issue moving forward about CISO inside of healthcare not feeling empowered to do infosec by their boards or not having the budget to do that.”

Additionally, now that health care CISOs have grown accustomed to the new cybersecurity normal, they can take action to secure their organizations in 2021 while supporting remote work, patient care, and new initiatives like large-scale vaccine rollouts.

Looking ahead, CISOs need visibility across remote endpoints. In addition to things like laptops and printers, these network-connected devices also include IoT, and CISOs need to be able to rapidly scale security controls across these devices while also maintaining data privacy and compliance.

“You’ll see an increase in the next-generation of DLP [data loss prevention] tools that make sure that these products don’t just enforce controls at a laptop level,” McElroy said. “They want any place that someone interacts with their systems to have those controls,” for example, freezer storage for vaccines, he added.

CISOs should also ensure that their endpoint protection includes defenses for each stage of a ransomware attack, from delivery to propagation to encryption. Antivirus products need to track endpoint activity and look for behaviors like privilege escalation and lateral movement within networks, which could signal an attacker’s presence. Additionally, these defenses should prevent encryption by using decoys and protecting local files and boot sequences.

Health Care CISOs Look to Consolidation, Security Basics

And with health care security at the forefront, CISOs can leverage their collective strength to demand that medical device manufacturers build security into their products, McElroy added.

“CISOs have too many tools, the technology doesn’t always talk to each other, and now they’re going to need to intermingle all of this data to provide analytics over it,” he said. “So the hospitals that have big spending power are demanding that security tools get built into this new technology because they have the buying power. They can demand that of their vendors, and the vendors are responding.”

This also points to the need to consolidate security tools across environments and centralize management of these controls, Foss added.

And, as always, security basics remain an important part of protecting health care systems against ransom. “It’s the boring stuff,” Foss said. “Asset management, understand where your stuff is, understand who has access to those things, bucket your users so that you can make more informed decisions based off of their activities. The organizations that we’ve talked to that tend to be the best at handling an incident or responding to various threats are always the ones that have done the basics really well.”