Healthcare organizations are under threat from a rapid increase in ransomware attacks, putting patient health information at risk.
Over a five-year period, the annual number of ransomware attacks against U.S. healthcare delivery organizations more than doubled, according to a recent study published in JAMA Health Forum. Ransomware attacks on healthcare organizations are particularly damaging because the attackers can access personal health information (PHI) and can also disrupt the delivery of care.
Between 2016 and 2021, there were 374 ransomware attacks on healthcare delivery organizations, exposing the PHI of 42 million patients, according to the study. Over that period, the annual number of attacks more than doubled, from 43 in 2016 to 91 in 2021. The number of patients whose PHI was exposed also grew, from approximately 1.3 million in 2016 to more than 16.5 million in 2021, the study found.
Of these attacks, 166 (44.4%) disrupted the delivery of healthcare. The most common forms of disruption were electronic system downtime (41.7%), cancellation of scheduled care (10.2%) and ambulance diversion (4.3%). In 32 attacks, the disruption lasted more than two weeks.
Across all 374 reported attacks in the study, the affected organization was able to restore data from backups in 1 in 5 cases. In 59 of the attacks, there is evidence that stolen PHI was made public, for example on dark web forums “where stolen data are advertised for sale by including a subset of records,” wrote first author Hannah T. Neprash, PhD, of the University of Minnesota School of Public Health, et al.
“The growing number of attacks affecting large entities (those with multiple facilities) and the associated growth in PHI exposed (along with the diminishing likelihood that an organization could restore data from backups) suggest that ransomware attacks on healthcare delivery organizations have increased in sophistication as well as in frequency,” Neprash et al. wrote.
The findings support other observations that healthcare organizations are increasingly targeted by ransomware, due in part to the high value of the PHI they typically store. The researchers noted that the number of attacks is likely underreported, in part because attacks with low PHI exposure, such as those affecting fewer than 500 individuals, are not subject to the same prompt public reporting requirements as larger breaches.
The researchers also noted that, over time, more healthcare organizations have reported ransomware attacks after the 60-day breach reporting window, possibly because there are no sanctions for reporting late.
When PHI is exposed, the fallout for a healthcare organization can be severe: patients may lose trust in the organization, and the average cost of a single data breach has risen to $10 million, according to another recent study. The researchers suggested that larger budgets to protect PHI and thwart ransomware attacks may be necessary.