Ransomware Attacks on Healthcare Organizations on the Rise: Study Finds Disruptions and Patient Data Exposure a Growing Concern

A new report has revealed that nearly half of all ransomware attacks have compromised healthcare delivery in the United States. Published in JAMA, the research conducted by the University of Minnesota Public Health researchers investigated the patterns of ransomware attacks in U.S. hospitals, clinics, and other healthcare delivery organizations.

As healthcare organizations have become more reliant on health information technology, they have also become more vulnerable to cyber threats such as ransomware. This malicious software prevents access to electronic systems until a ransom is paid, causing major disruptions to healthcare operations. Ransomware attacks are becoming a major cause of healthcare data breaches, with an increasing number of them being attributed to external hacking rather than internal negligence. The widespread use of ransomware attacks against healthcare organizations has coincided with the COVID-19 pandemic, and news coverage of individual attacks suggests a significant impact on care delivery, with reports of computer systems being disabled or encrypted, appointments being delayed or canceled, and emergency departments being forced to divert ambulances. The financial and human cost of these attacks on healthcare delivery organizations is a growing concern. The aim of this study, the researchers claimed, was to shed light on the growing issue of ransomware attacks on healthcare delivery organizations, by quantifying and describing the extent and effects of this phenomenon.

In order to conduct the study, the researchers created a database called the Tracking Healthcare Ransomware Events and Traits (THREAT) database to gather data for the study. The database was created by combining proprietary data from HackNotice, a cybersecurity threat intelligence company, with data from the US Department of Health and Human Services Office of Civil Rights (HHS OCR) Data Breach Portal, which contains publicly available information on breaches of protected health information. The study followed the Strengthening the Reporting of Observational Studies in Epidemiology (STROBE) reporting guidelines and was deemed exempt from review and informed consent by the University of Minnesota institutional review board.

The study, which was conducted between 2016 and 2021, documented a significant increase in the number of ransomware attacks on healthcare organizations. During the study period, there were 374 attacks which exposed the personal health information (PHI) of nearly 42 million individuals. The annual number of ransomware attacks more than doubled from 43 in 2016 to 91 in 2021, and the exposure of PHI increased more than 11 times from 1.3 million in 2016 to over 16.5 million in 2021. Clinics were the most commonly affected healthcare organizations, followed by hospitals, ambulatory surgical centers, mental/behavioral health organizations, dental practices, and post-acute care organizations. In more than half of all attacks, multiple facilities within the same organization were affected. Of the 374 attacks, approximately 1 in 5 healthcare organizations were reportedly able to restore data from backups, while in 15.8% of cases, there was evidence that the PHI was made public by the ransomware actors. During the study period, the likelihood of restoring the data decreased, and the number of attacks where some or all of the stolen PHI became public increased. The study also found that during the 166 attacks, care delivery was disrupted. This disruption included electronic system downtime, delays or cancellations of scheduled care, and ambulance diversion. The likelihood of an attack being associated with delays or cancellations of scheduled care increased over time, as did the number of attacks involving ambulance diversions, although this increase was only statistically significant at the P<.10 level.

Despite the study’s success, the researchers highlighted several of its limitations. Firstly, the researchers acknowledge that there may have been some ransomware attacks that were not included in their database, THREAT. Such omissions may have occurred due to the attack going unnoticed, being unreported, or not receiving any press coverage. Another reason could be misclassification of the event as a ransomware attack. Further research and collaboration with relevant federal entities is needed to validate the findings of the study. Secondly, the researchers have no information on attempted but failed ransomware attacks, making it difficult to determine the characteristics of healthcare organizations that avoid such cybercrime. Additionally, the researchers cannot explain the changes in the characteristics of ransomware attacks over time. Moreover, the study may have underestimated the severity of operational disruptions and PHI (Protected Health Information) exposure as healthcare organizations might not publicize such details. The researchers noted that the results from multiple sources indicate a similar outcome in terms of attack sophistication and severity. Finally, the study does not shed light on how ransomware attacks affect patients seeking care during such events, making it an important area for future research.

The researchers concluded that the study highlights the growing threat of ransomware attacks in the healthcare industry. It shows that these attacks have resulted in the exposure of sensitive patient information and significant disruptions in healthcare delivery, leading to potential consequences for the quality and safety of patient care. The findings underscore the need for more in-depth research to fully understand the impact of these disruptions on healthcare operations and patient care. As policymakers look to address the issue of ransomware attacks, they must keep the unique needs of healthcare organizations in mind. By focusing on the specific risks faced by healthcare delivery organizations, we can work to prevent future attacks and protect the sensitive information of patients.