Ransomware attacks pose a growing threat to health care providers, a new study finds, with consequences ranging from exposed patient data to disabled electronic health record (EHR) systems to ambulance diversions and canceled surgeries.
The study’s authors examined the number and characteristics of ransomware attacks on clinics, hospitals, and other types of health care delivery organizations from 2016 through 2021. They created a database for the study by combining information from a cybersecurity threat intelligence company and the Office of Civil Rights at the U.S. Department of Health and Human Services. The latter is responsible for collecting information on data breaches that involved protected health information (PHI).
From their data, the researchers documented 374 ransomware attacks during the period, with the annual number rising from 43 in 2016 to 91 in 2021. The number of individuals whose PHI was exposed grew from approximately 1.3 million per year to more than 16.5 million, for an overall total of nearly 42 million during the period.
In addition, the authors found that as the number of ransomware attacks grew, so did the likelihood that some or all of the stolen PHI would be made public: that was the case in 14% of attacks in 2016, compared with 22% of attacks in 2021. Over the same period, the share of ransomware targets that restored encrypted or stolen data fell from 35% in 2016 to 14.4% in 2021.
Health care clinics were the most frequent targets, accounting for about 58% of attacks during the period, followed by hospitals (22%), ambulatory surgical centers (15%), and mental/behavioral health, dental, and post-acute care providers.
In terms of the consequences ransomware attacks posed for care delivery, the most frequent was disruption to EHR systems, often causing providers to switch to paper charts. Other types of disruptions included ambulance diversions and canceled patient appointments.
The authors suggest that legislation requiring disclosure of more information surrounding ransomware attacks, such as ransom demand amounts and whether the ransom was paid, could help targets of such attacks decide how to respond. They note that the FBI strongly discourages giving in to ransom demands on the grounds that doing so incentivizes further attacks. Moreover, there have been cases where organizations that have paid ransoms have received further demands or been given nonfunctional decryption keys. Thus, “additional ransom payment disclosure requirements would enable a better understanding of the potential tradeoff between financial cost and operational disruption duration.”
The study, “Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021,” was published online December 29, 2022, in JAMA Health Forum.