An “Original Investigation” in JAMA Health Forum, entitled “Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021,” published Dec. 29, found that ransomware attacks more than doubled in five years.
The authors say that “Although ransomware attacks have existed for years, the U.S. Federal Bureau of Investigation (FBI) and other government entities warn that widespread use of ransomware attacks against health care delivery organizations coincides with the COVID-19 pandemic. While some prominent ransomware attacks on health care delivery organizations have received considerable media attention, to our knowledge, there is presently no systematic documentation of the extent and effect of ransomware attacks. News coverage of individual attacks suggests that ransomware attacks are substantially disruptive to care delivery, with reports of computers and electronic health records being disabled or encrypted, clinicians forced to document care using pen and paper, appointments and surgeries delayed or canceled, emergency departments forced to divert ambulances, and practice infrastructure so damaged that some practices have opted to close rather than try to restore systems. Such instances of operational disruptions to the delivery of health care have been followed by some positing that ransomware attacks on health care delivery organizations may impose a human cost in addition to a financial one by jeopardizing patient safety and outcomes. In this study, we used a database of ransomware attacks on health care delivery organizations to quantify and describe this growing phenomenon.”
Further, “To conduct this study, we created a data source called the Tracking Healthcare Ransomware Events and Traits (THREAT) database and reported findings from the database. The THREAT database combines proprietary data provided by HackNotice (a cybersecurity threat intelligence company that helps businesses identify and respond to attacks) with data from the US Department of Health and Human Services Office of Civil Rights (HHS OCR) Data Breach Portal. The latter contains publicly available information that is collected when Health Insurance Portability and Accountability Act–covered entities report breaches of protected health information (PHI), as mandated by the Health Information Technology for Economic and Clinical Health Act of 2009. This study followed the Strengthening the Reporting of Observational Studies in Epidemiology (STROBE) reporting guidelines. This study was determined to be exempt from review and informed consent by the University of Minnesota institutional review board (common rule, category 5).”
Interesting results from the study include
- From 2016-2021, the authors documented 374 ransomware attacks on healthcare delivery organizations that exposed the PHI of 41,987,751 individuals
- From 2016 to 2021, the authors found that the annual number of ransomware attacks more than doubled, from 43 to 91
- PHI exposure increased more than 11-fold, from approximately 1.3 million in 2016 to more than 16.5 million in 2021
- Eighty-four ransomware attacks (22.5 percent) did not have information on PHI exposure—they did not appear in the HHS OCR database
- Out of 290 ransomware attacks reported to HHS, the majority (203) were reported outside of the legislated reporting window of 60 days following the attack
- The authors found that about one in five healthcare organizations were able to restore data from backups
- Fifty-nine ransomware attacks had bad actors make some or all of the stolen PHI public, generally by posting it on dark web forums where the data is advertised for sale
- Clinics of all specialties were the most common healthcare delivery organization target for ransomware attacks
“Additional legislative activity concerns the ransom itself, with proposals to mandate disclosure (of ransom demands, whether a payment was made, and for what amount) and potentially even banning the payment of ransoms,” the authors write. “The FBI strongly recommends that businesses not acquiesce to ransom demands in the event of a ransomware attacks, since complying with ransom demands incentivizes ransomware actors to continue targeting health care organizations. Going a step further, in 1 well-documented ransomware attack, law enforcement deliberately withheld the decryption key for nearly 3 weeks while planning an operation to disrupt the ransomware actors involved. To properly weigh law enforcement’s long-term deterrence goals against short-term patient safety goals, it is crucial to understand the association of ransomware attacks with patient safety and whether paying the ransom shortens the operational disruption. While it is intuitive to think that paying the ransom shortens the duration of any operational disruption, this is not necessarily the case; there are well-documented examples of follow-up ransom demands and nonfunctional decryption keys provided after ransom payments have been made. Additional ransom payment disclosure requirements would enable a better understanding of the potential tradeoff between financial cost and operational disruption duration.”
The authors conclude by stressing the importance of identifying actions that healthcare delivery organizations can take to protect against ransomware attacks. Healthcare organizations are especially vulnerable to phishing emails, according to research, that deceive employees into giving access to bad actors. These emails are a very common entry for ransomware attacks and existing cybersecurity recommendations require time and money that many vulnerable rural and safety net healthcare delivery organizations do not have. The authors say that current estimates of technology budgets have cybersecurity activities represented at less than 10 percent.
