Ransomware Attacks on U.S. Hospitals Have Doubled Since 2016
Ransomware attacks on America's health care systems have more than doubled in recent years, disrupting needed medical care and exposing the personal information of millions, a new study reports.
These attacks — in which computer systems are locked down by hackers until the victim agrees to pay a ransom — hit all levels of health care, from your doctor's or dentist's office up to the largest hospitals and surgical centers, according to the new findings.
The annual number of ransomware attacks against health care leapt to 91 reported cases in 2021 from 43 in 2016, the researchers found.
These attacks exposed the personal health information of nearly 42 million patients, caused ambulances to be diverted in critical situations, and forced delays or cancellations of scheduled care.
“It does seem like ransomware actors have recognized that health care is a sector that has a lot of money and they're willing to pay up to try to resume health care delivery, so it seems to be an area that they're targeting more and more,” said lead researcher Hannah Neprash, an assistant professor of health policy and management at the University of Minnesota School of Public Health.
For this study, Neprash and her colleagues created a database that tracks health care ransomware events. The database combines information from federal regulators and a private cybersecurity threat intelligence company.
“We found that along a number of dimensions, ransomware attacks are getting more severe,” Neprash said. “It's not a good news story. This is a scary thing for health care providers and patients.”
About 44% of the attacks disrupted care delivery, sometimes by more than a month, the findings showed.
These disruptions can be as minor as rescheduling a check-up or a new dental crown, or they can have much more dire consequences.
In 2019, a baby died during a ransomware attack at Springhill Medical Center in Mobile, Ala.
On the eighth day of the cyberattack, the baby was born with her umbilical cord wrapped around her neck, causing severe brain damage. She died nine months later.
Because the hospital's computer systems were down, nurses failed to notice a change in fetal heart rate that would have led doctors to order an immediate cesarean section, the baby's mother argued in a lawsuit.
That procedure could have saved the baby's life, the lawsuit claims, although the hospital denies any wrongdoing and had concluded it was safe to continue operating during the ransomware attack.
Attacks compromise care
About one out of four health care delivery organizations say that ransomware attacks are responsible for an increase in deaths, according to a September 2021 report conducted by the Ponemon Institute, an information technology research group.
These health care operations also said that delays in procedures and tests result in poor outcomes (70%), increase the number of patients transferred or diverted to other facilities (65%), and cause increases in complications (36%), according to the Ponemon report.
“You can imagine that if we're talking about a hospital and some of that care delivery is emergency care for patients who really need timely health care, a ransomware attack really interrupts a hospital's ability to deliver that timely care,” Neprash said.
Neprash's database revealed that clinics were targeted in 58% of attacks, followed by hospitals (22%), outpatient surgical centers (15%), mental health facilities (14%) and dental offices (12%).
Patients are now more likely to have their personal information stolen from a health care computer system than they were just a few years ago, the study authors noted.
“A simple way of measuring an attack is how many individuals had their personal health information exposed in an attack, and that number has just gone through the roof,” Neprash said. “The average attack exposed maybe 37,000 in-patient records in 2016. And by 2021, you're up to about 230,000 per attack.”
The hackers can then sell or release that information to other bad actors. “Potentially, that includes sensitive information about patients' diagnoses or the care they received or even financial information,” Neprash said.
The findings were published online recently in JAMA Health Forum.
Ransomware attacks are also more likely to affect large organizations with multiple facilities, and victims are less likely to be able to restore operations from data backups, the investigators found.
An October ransomware attack on CommonSpirit Health, the fourth-largest U.S. health system with over 140 hospitals, led to delays in surgeries, patient care and appointments from Seattle to Tennessee.
Unfortunately, Neprash's findings likely underrepresent the true scale of the threat, said Lee Kim, senior principal of cybersecurity and privacy with the Healthcare Information and Management Systems Society, in Chicago.
“Ransomware events are highly likely to be underreported,” Kim said. “Even the amount paid for ransom, for example, could be underreported as well. So, I definitely think that there's a larger problem than we think.”
Hackers also have grown more sophisticated, and a health care facility's system might be compromised for months before the actual ransomware attack occurs, Kim added.
New laws, crackdowns needed
“It frequently isn't a smash-and-grab. It's more like a multistage kind of event where a low-level type of malware gets the attackers into the system, where they maybe steal some credentials and observe and implant themselves for a fairly significant dwell time,” Kim said.
“And then when they have essentially obtained what they want to obtain, then they'll pull the trigger, so to speak,” Kim continued. “They'll deploy the ransomware, but it's usually only after a significant amount of dwell time.”
Health care has tended to lag other sectors of the American economy when it comes to information technology, and that extends to cybersecurity, Neprash and Kim said.
New laws and regulations might be needed to prod health care into better protecting its computer systems, Neprash said — including possible subsidies for smaller hospitals that might not be able to afford such investments.
Law enforcement can also step up efforts to crack down on malicious hackers, Kim said.
“It's a rough job,” Kim said. “There's been good work done in terms of taking down these ransomware gangs, but we definitely need to do more.”
Computer security can definitely be improved, but health care staff also need more training to prevent these attacks, Kim said.
For example, health care IT staffers can be trained to look for the telltale signs that someone has invaded the system and is rummaging around, preparing an attack, Kim said.
Further, anyone with computer access should be taught the basics of avoiding simple scams and phishing attacks that could help a hacker get into the system, Kim added.
“We should not lose sight of the hidden enemy within our organizations, which is the insider threat,” Kim said. “It could be a well-meaning employee that accidentally clicks on a phishing link workplace attachment, or more rarely could be a malicious insider that wishes to do harm.”
Hospitals and surgical centers can prepare for ransomware attacks by planning how to best continue patient care during a disruption in computer service, Kim continued.
“Health care organizations need to think about and drill on — that is practice — these back-up processes and systems, the old-school ways of getting out information and communicating with each other,” Kim said. “Unfortunately, that cyberevent will happen at one point or another and it will be chaos unless there is a plan.”
The Brookings Institute has more on health care cybersecurity.
SOURCES: Hannah Neprash, PhD, assistant professor, health policy and management, University of Minnesota School of Public Health, Minneapolis; Lee Kim, JD, senior principal, cybersecurity and privacy, Healthcare Information and Management Systems Society, Chicago; JAMA Health Forum, Dec. 29, 2022, online