Ransomware attacks continue to plague the healthcare industry, and a new report sheds light on the many different ways the impact has been felt, sector-wide.
The report from cybersecurity company Comparitech noted that since 2016, ransomware attacks have become a huge cause for concern for hospitals all over the world. As a result, patient care organizations have had to deal with severe delays and costs, patients left untreated, and canceled appointments.
The research team at Comparitech analyzed data from ransomware attacks affecting healthcare organizations since 2016. The data covered both the large breaches, those impacting more than 500 people, published by the U.S. Department of Health and Human Services (HHS), and the attacks that impacted fewer people but still became public by making the news. The researchers then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to healthcare organizations.
Some of the team’s key findings include:
- 172 individual ransomware attacks on healthcare organizations
- 1,446 hospitals, clinics, and organizations affected
- 74 percent of organizations affected were hospitals or clinics; the remainder were IT providers (5 percent), elderly care providers (7 percent), dental (5 percent) or optometry practices (6 percent), plastic surgeons (2 percent), medical testing (2 percent), health insurance (1 percent), government health (1 percent), and medical supplies (1 percent)
- 6,649,713 patients affected
- Ransom amounts vary from $1,600 to $14,000,000
- Downtime caused varies from hours to weeks and even months
- Hackers have demanded ransoms totaling more than $16.48 million since 2016
- Hackers have received at least $640,000 since 2016
- The overall cost of these attacks is estimated at $157 million
What’s more, the state with by far the most attacks over this time period is California, with 25 recorded cyberattacks, according to the research. The state with the next-highest number of ransomware attacks is Texas, with 14. It should be noted that with such a large concentration of healthcare providers within these states, perhaps this isn’t too much of a surprise.
Nonetheless, for California organizations, the estimated cost of downtime from these attacks, in sum, ranges from $23 million on the low end to $35 million on the high end.
Michigan, meanwhile, had just five ransomware attacks since 2016, but nearly 1.1 million patient records were affected by those attacks, making it the worst state for the number of patient records at risk. As the researchers pointed out, this is largely due to two attacks, on Airway Oxygen, Inc., a medical supply company, and Wolverine Solutions Group, a medical billing company, both based in the state. This means some of the affected patients live in different states.
Looking year over year, there were 36 ransomware attacks on U.S. healthcare organizations in 2016, followed by 53 in 2017. In 2018, the figure dipped to 31, making this the lowest year for attacks overall. Last year, the figures rose again to 50.
The researchers concluded, “Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse. As technology continues to develop, cybersecurity efforts need to keep pace. Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.”