Ransomware is a type of malware that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker, until a ransom is paid. Once the target’s data is encrypted, the ransomware directs the victim to pay the ransom to the hacker, typically in a cryptocurrency such as Bitcoin, to receive a decryption key. Hackers also use ransomware to steal private data.
The MSPH’s study found that the annual number of attacks on healthcare providers more than doubled from 2016 through 2021, for a total of 374, and resulted in the disclosure of private healthcare information affecting almost 42 million people. The number of patients whose healthcare information was exposed went from 1.3 million in 2016 to 16.5 million in 2021. About 75% of the reported attacks included disclosures of protected health information. About 20% of organizations reported being able to restore their data, and in about 16% of attacks there was evidence that hackers made the stolen information public.
These attacks can be severely disruptive, with almost half of the 374 attacks resulting in care delivery disruptions, some exceeding two weeks. In past instances, attacks have also prevented access to health care records, forced providers to use paper documentation, hindered or delayed care to patients, forced emergency rooms to turn away ambulances, and even forced some practices to close.
Of the 374 ransomware attacks the MSPH study identified, 290 were reported to HHS, but over 50% of those were reported outside the mandatory 60-day reporting window, and it is likely that the actual number of attacks was underreported in general. Some of the reporting gaps may be the result of attacks not triggering reporting requirements, such as where evidence indicates that data was encrypted by the attack but not viewed or exfiltrated. As stated by Elizabeth G. Litten, Chief Privacy & HIPAA Compliance Officer for Fox Rothschild, LLP: “the shadow of possible regulatory penalties and the proliferation of class action lawsuits stemming from reported breaches, let alone the cost of providing notice and responding to regulators’ investigations, may discourage breach reporting. These things also penalize the breach victim, even where the breach was not easily preventable.”
After an attack, healthcare providers may weigh making the ransom payment to reduce patient harm, but the FBI strongly encourages attacked entities not to comply with ransom demands, as payment motivates more attacks. Paying a ransom also does not mean an end to the ordeal. There are numerous examples of hackers making additional demands after being paid, not providing a decryption key, not providing a fully functional key, or not removing all of the malware.
Because there is a limit on what can be done after an attack, healthcare organizations should take proactive defensive measures. Even as attacks increase in frequency and sophistication, studies have indicated that cybersecurity defense represents less than 10% of healthcare IT budgets. Ransomware attacks often arrive via phishing emails sent to susceptible healthcare employees, meaning an institution’s best defense is only as strong as its weakest employee. Since these attacks will continue to grow in frequency and sophistication, resources invested in employee training and education should be prioritized.