Led by University of Minnesota Public Health researchers, the Trends in Ransomware Attacks on U.S. Hospitals, Clinics and Other Health Care Delivery Organizations study quantified the frequency and characteristics of ransomware attacks on the healthcare sector from 2016-2021.
WHY IT MATTERS
Ransomware groups are generally aggressive on critical infrastructure like energy, healthcare and government. And the increasing frequency and severity of ransomware attacks on hospitals and healthcare organizations can disrupt operations and patient access for weeks or even months.
The risks of being hit conflate a number of issues – loss of access to critical health data, the high costs of responding to and preventing cyber attacks and threats to patient safety – that have largely shifted focus to the defense of healthcare infrastructure.
For the study, the public health researchers looked at the date of ransomware attacks, public reporting, personal health information exposure, the status of encrypted/stolen data following the attack, the type of healthcare delivery organization affected and operational disruption during an attack.
Some of the key findings are:
- From 2016 to 2021, the annual number of ransomware attacks more than doubled from 43 to 91.
- Almost half, or 44.4% of the cohort, disrupted the delivery of healthcare.
- Thirty-two attacks, or 8.6% of the cohort, led to operations disruptions of more than two weeks.
- Approximately one in five (20.6%) of healthcare organizations reported being able to restore data from backups.
Common disruptions included electronic system downtime, 41.7%, cancellations of scheduled care, 10.2%, and ambulance diversion 4.3%.
Data exposure following an incident is a key concern for ransomware victims as hospitals and healthcare systems are required under HIPAA to protect patient data.
The cohort incidents exposed the PHI of more patients, say researchers.
“For 59 ransomware attacks (15.8%), there was evidence that ransomware actors had made some or all of the stolen PHI public, typically by posting it on dark web forums where stolen data are advertised for sale by including a subset of records,” according to the JAMA abstract.
Researchers noted they found growing lags in reporting ransomware incidents over the study period with one in five attacks not present in the U.S. Department of Health & Human Services Office for Civil Rights database.
As a result, “many of the statistics reported in this article are likely underestimates due to underreporting,” they said.
The absence may be due to low PHI exposure under guidance from HHS that states HIPAA-covered entities and their business associates do not need to report incidents if they demonstrate a low probability that PHI has been exposed.
THE LARGER TREND
The university researchers said that ransomware increasingly affected large organizations with multiple facilities during the study period.
However, cybersecurity experts have said that more recently, cybercriminals know that larger organizations are spending more on cybersecurity protections and are looking at smaller organizations with smaller budgets that are more vulnerable to their exploits.
In June 2022, Sophos found that ransomware attacks on healthcare entities doubled from 2020 to 2021 in a poll of more than 5,000 IT professionals.
“Healthcare saw the highest increase in volume of cyber attacks (69%) as well as the complexity of cyber attacks (67%) compared to the cross-sector average of 57% and 59% respectively,” the Sophos researchers said.
“In terms of the impact of these cyber attacks, healthcare was the second most affected sector (59%) compared to the global average of 53%.”
ON THE RECORD
“This cohort study of ransomware attacks documented growth in their frequency and sophistication,” the researchers said in the study report.
“Ransomware attacks disrupt care delivery and jeopardize information integrity. Current monitoring/reporting efforts provide limited information and could be expanded to potentially yield a more complete view of how this growing form of cybercrime affects the delivery of healthcare.”
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS publication.