Ransomware attacks on healthcare facilities, from hospitals to dental offices, have substantially increased in number and severity in recent years, according to a cohort study.
HHS data spanning 2016-2021 showed the annual number of ransomware attacks doubled (43 in 2016 to 91 in 2021) and the number of patients affected increased by more than 11-fold (from approximately 1.3 million in 2016 to more than 16.5 million in 2021), according to Hannah T. Neprash, PhD, of the School of Public Health at the University of Minnesota in Minneapolis, and co-authors.
Moreover, these ransomware attacks also increasingly targeted large healthcare organizations with multiple facilities (mean annual marginal effect [ME] 0.08; 95% CI 0.05-0.10, P<0.001), and exposed the personal health information of more patients (ME 66,386; 95% CI 3,401-129,371, P=0.04), they reported in JAMA Health Forum.
The attacks grew more severe, with data less likely to be restored from backups (ME −0.04; 95% CI −0.06 to −0.01, P=0.002), and they were increasingly associated with delays or cancellations of scheduled care (ME 0.02; 95% CI 0-0.05, P=0.02).
Meanwhile, ransomware victims became more likely to miss reporting the attacks within HHS’s required 60-day timeline (ME 0.06; 95% CI, 0.03-0.08, P<0.001).
The findings show these kinds of cyberattacks reflect an ongoing trend affecting healthcare organizations, which might not be clear to many providers because of the lack of data, Neprash emphasized.
“When we started this research, there was a lot of kind of anecdote about the rise of ransomware attacks on hospitals and doctors’ offices and everything in between, but there really wasn’t much rigorous evidence,” Neprash told MedPage Today. “So we set out to fill that vacuum.”
“This problem is clearly getting worse,” she added. “There’s some evidence that the sophistication of the ransomware attacks is increasing in a way that’s concerning.”
The data provide context for the glut of breaking news stories about these attacks over the past few years, such as the 2021 attack on Southern California’s Scripps health system. More recent reports have indicated that specific types of attacks, such as Ryuk ransomware, have had an outsized impact on the healthcare industry.
Calls to emphasize cybersecurity awareness and preparedness to deal with ransomware attacks have grown, especially in light of the ongoing fallout that has affected healthcare systems after these attacks. In one prominent example, the Scripps attack led to class action lawsuits against the system.
Despite the attention these individual attacks garnered, Neprash said the lack of data on the trends, impact, and severity of these attacks could be hindering the healthcare industry’s ability to sufficiently address this issue.
“There’s a lack of awareness, and a lot of that is driven by the lack of data on this topic,” she said. “There’s been so much secrecy. I don’t think anyone wants to advertise the fact that their hospital system fell victim to a ransomware attack, but given how common it’s become, I think it is beyond time to start talking about this and start doing something to prevent this.”
Neprash and colleagues documented 374 ransomware attacks during the study period from 2016 to 2021. In total, these attacks affected personal health records of about 42 million patients. Some 42% of the attacks shut down the facilities’ electronic systems, 10.2% led to canceled appointments, and 4.3% resulted in ambulance diversions.
Every major category of healthcare service facilities saw a rise in ransomware attacks during the study period:
- Clinic (26 incidents in 2016 vs 51 in 2021)
- Hospital (13 vs 23)
- Ambulatory surgical center (8 vs 15)
- Mental/behavioral health (3 vs 18)
- Dental (2 vs 12)
- Post-acute care (1 vs 4)
- Other (8 vs 22)
Neprash noted that, while these trends are worrisome, the data could also be a signal that changes are needed to improve digital security throughout the healthcare industry.
“Healthcare is a sector that’s always been a little bit behind the curve on IT adoption,” Neprash said. “It took a lot of work to get most health care providers to adopt EHRs, and now that they have, I think there’s a lot of opportunity to improve cybersecurity and adopt evidence-based best practices.”
Authors declared they had no relevant financial interests.
Source Reference: Neprash HT, et al. “Trends in ransomware attacks on US hospitals, clinics, and other health care delivery organizations, 2016-2021” JAMA Health Forum 2022; DOI: 10.1001/jamahealthforum.2022.4873.