Healthcare ransomware attacks have doubled in the past 5 years, file recovery from backups has dropped, and it is now common for information to be stolen and released to the public right after a successful attack, according to new research just published in JAMA Health Forum.
Healthcare ransomware attacks are difficult to track accurately. Ransomware isn't always mentioned in breach reports and press announcements, and ransomware gangs usually don't disclose their attacks when they receive ransom payments, so it is hard to know the degree to which attacks are increasing or decreasing. With more comprehensive reporting of cyberattacks, Congress would have specific facts on which to base its policy decisions.
The data for the research came from the Tracking Healthcare Ransomware Events and Traits (THREAT) database, which combines data from several sources, such as the HHS' Office for Civil Rights breach portal, press releases from victims, media reports, HackNotice, and dark web monitoring. The researchers agree that, because of inadequate reporting, the volume of attacks has most probably been under-reported. Some cases are likely reported not as ransomware attacks but as malware incidents, because no ransom demand is mentioned. These attacks are normally not included in the statistics. However, the researchers feel their database is the most precise log of healthcare ransomware attacks. They explain that if a case is not included in the THREAT database, it wasn't reported as a ransomware attack to HHS OCR, it wasn't detected by HackNotice web crawler surveillance or the tracker of dark web forums, and it was not mentioned by the press in local news or health care trade journals.
The study found 374 reported ransomware attacks on healthcare institutions from 2016 to 2021, involving the personal or protected health information (PHI) of about 41,987,751 individuals. Attacks roughly doubled, from 43 in 2016 to 93 in 2021. Impacted records increased 11-fold, from about 1.3 million records in 2016 to approximately 16.5 million records in 2021. Note that no information was available on the extent of PHI exposure in more than one-fifth of attacks (22.5%).
Out of the 374 confirmed ransomware attacks, just 20.6% of healthcare providers reported that they had recovered data from backup files. In 15.8% of attacks, at least some of the stolen information was leaked to the public online or on dark net data leak sites. It should be noted that the double-extortion ransomware trend, in which data files are stolen before encryption, only began in 2020.
Although ransomware attacks are usually carried out on hospitals and large health systems, clinics experienced the most ransomware incidents, followed by hospitals, other delivery organization types, ambulatory surgical units, dental practices, mental/behavioral health providers, and post-acute care providers.
The impact of these ransomware attacks on patients is generally difficult to determine. The researchers could not establish the extent to which ransomware disruptions affected patients seeking care during an attack, but they found evidence that care delivery operations were disrupted in 44.4% of attacks. The disruption lasted at least 2 weeks in 8.6% of attacks, most frequently because of IT system downtime, postponed visits, and ambulance diversion. This disruption to care affects patient safety and outcomes.
The researchers agreed that ransomware attacks on healthcare institutions have grown in both sophistication and frequency, with attacks now more likely to affect multiple facilities, prevent access to patient information, disrupt healthcare delivery, and expose patient records. The researchers have called on policymakers to focus their efforts on the specific needs of healthcare providers because of the impact on patient care quality and safety.