Study Finds 66% Of Healthcare Organizations Experienced Ransomware Attacks In 2021

A recent study published by Sophos has revealed that 66 percent of healthcare organizations experienced ransomware attacks in 2021, a 94 percent increase compared to 2020. Sophos commissioned the research agency Vanson Bourne to conduct an independent survey for Sophos' annual study of ransomware attacks in the healthcare sector. The survey covered 5,600 IT professionals, including 381 healthcare respondents in organizations across 31 different countries, and was carried out in January and February 2022.

The survey found that two-thirds of healthcare organizations experienced ransomware attacks last year, indicating that cybercriminals' ability to deliver significant attacks is only improving. The healthcare sector saw a 69 percent increase in cyberattacks, the highest increase across all sectors, and 59 percent of the sector was affected, the second highest share of any sector. Despite this, attackers succeeded in encrypting data in 61 percent of attacks on healthcare organizations, a lower rate than the cross-sector average. Extortion-only attacks, where data was not encrypted but the organization was held to ransom under the threat of disclosing data, decreased from 7 percent of victims in 2020 to 4 percent in 2021. Sophos contends that this is a result of the healthcare sector's uptake of cybersecurity insurance.

78 percent of healthcare organizations are covered by cybersecurity insurance, with 46 percent of those organizations confirming that their insurance contracts contain exclusions or exceptions. Given the increasing frequency of ransomware attacks in the healthcare sector, many organizations are exposed to the full cost of an attack as a result of these gaps in coverage. Cybersecurity insurance companies can be selective about who they choose to cover; as a result, 97 percent of healthcare organizations have made changes to their cybersecurity defenses in order to improve their insurance position.

The survey revealed that 61 percent of respondents who experienced a ransomware attack admitted to paying the ransom, making healthcare the sector most likely to pay. This is a drastic increase compared to the 34 percent who paid a ransom in the previous year. The researchers attribute this to the increase in the number and complexity of attacks on the healthcare sector compared to other sectors. However, despite being the sector most likely to pay, the healthcare industry paid the lowest average ransom: according to the study, an average of $197K. Researchers contend that this result is driven by the restricted finances of healthcare organizations, especially those in the public health sector.

The FBI and CISA have advised healthcare organizations that experience ransomware attacks not to pay the ransom, as payment cannot guarantee that data stolen by malicious actors will be returned or deleted. Additionally, the FBI has requested that any suspected cyberattack be reported immediately.