Ransomware attacks on healthcare delivery organizations doubled between 2016 and 2021, from 43 reported attacks to 91. However, it’s likely these numbers and impacts are underestimated due to limited data caused by underreporting, according to a new study published in JAMA Health Forum.
One out of five ransomware attacks were not listed in the Department of Health and Human Services Office for Civil Rights database.
While these gaps may have been caused by a low amount of compromised protected health information, the researchers noted that it might also be due to “confusion about whether ransomware attacks must be reported through official channels when they involve encryption, but not actual removal, of data from computer systems.”
HHS previously attempted to clear up this confusion as far back as 2016, after ransomware actors began targeting the healthcare sector in force and found many entities weren’t notifying the regulatory body.
At that time, they stressed that it was providers who bore the onus for proving data wasn’t accessed by the attackers or they must report the incident to HHS. Given the difficulty in finding that evidence, HHS warned that ransomware incidents should be presumed a data breach.
But current reporting requirements “lack either an enforcement mechanism or a penalty for noncompliance,” the researchers wrote. “Even when an entity reports an attack, there is no sanction for doing so outside of the legislated 60-day window, which may explain the high proportion of ransomware attacks with delayed reporting.”
These reporting gaps are contributing to the lack of data on ransomware impacts on both care delivery and data exposure. The researchers suggest that instead, legislators should “shape an informed and well-targeted policy response” to strengthen data collection around cyberattacks.
Ransomware’s affect on healthcare delivery
Across all sectors in the last year, security researchers struggled to gauge whether ransomware attacks were on the rise or stagnating. What’s clear is that attackers are getting smarter and the cost to recover from these attacks is drastically increasing across all sectors — impacting cyber insurance coverage in the process.
In healthcare, the impacts of ransomware are readily seen in each hospital attack that have confirmed the patient safety risks posed by these long periods of network downtime. At least three global health systems are currently in downtime after ransomware incidents, which has led to care diversion, appointment cancellations and delays.
But as noted in JAMA, there’s simply not enough data to fully understand the minutiae of hospital setting impacts after ransomware. While the researchers noted the study’s limits, the data does shine a light on incident response and care disruptions.
The researchers studied a total of 374 ransomware incidents reported between 2016 and 2021, with documented evidence of care delivery disruptions for 166 of the 374 analyzed attacks.
While the data did not show a statistically significant increase in overall operational disruptions, at least 32 of the incidents were tied to disruptions that exceeded over two weeks, 41.7% of which included electronic system downtime. Delays or scheduled care cancellations were seen in 10.2% of the recorded incidents and 4.3% saw ambulance diversion processes.
There was also an increase in the share of attacks that involved ambulance diversions. While disruptions varied by the type of organization, hospitals were the most likely to experience a disruption during a ransomware attack.
Further, all ransomware incidents have an organizational effect on system safeguards and the response of leadership. The researchers were able to document “disruptions to care delivery during nearly half of all ransomware attacks, but the scope of the problem is likely larger.”
“The most frequent disruption was to electronic systems, which frequently forced a switch to paper charting,” according to the report. “These operational disruptions may harm patients, especially those experiencing emergencies and for whom timely treatment is crucial.”
Further analysis is needed to “quantify an empirical association between ransomware attacks and patient outcomes.”
The data suggests that ransomware attacks on healthcare “organizations have increased in sophistication as well as in frequency,” researchers wrote. The “findings represent the only census of ransomware attacks on healthcare delivery organizations.”
However, these estimates “of magnitude align with findings in the gray literature, and the trend over time is consistent with reports that ransomware actors increasingly targeted healthcare delivery organizations during the COVID-19 pandemic,” they added.
In terms of healthcare targeting, clinics of all specialties were the most common healthcare entity to face a ransomware attack, followed by hospitals, other delivery organization sites, ambulatory surgical centers, behavioral health organizations, dental offices, and post–acute care organizations.
About 53% of all ransomware attacks affected multiple facilities within the attacked organization. Prime examples of multi-site outages brought on by ransomware include Universal Health Services, Scripps Health, CommonSpirit Health, and University of Vermont Health Network.
The ransomware impact on patient data
The data of nearly 42 million patients was compromised by the 374 analyzed ransomware attacks, a more than 11-fold increase from 2016 to 2021.
These impacts held true through 2022, where each of the 15 largest healthcare data breaches affecting more than 1 million patients each, although not all were caused by ransomware.
The report confirmed the evolution of ransomware attacks during the study period. Each year, ransomware became more likely to expose the information of greater numbers of patients, regardless of organization type.
What’s more, providers were more likely to report the attacks and data impacts late to HHS. The number of attacks reported more than twice the mandated 60-day “increased substantially in 2020 and 2021.” HHS reminded providers of the timely reporting requirement late last year.
Of the 290 incidents reported to HHS, 54.3% were reported outside of the 60-day reporting window.
Although about 1 in 5 healthcare organizations were reportedly able to restore data from backups after a ransomware attack, “the likelihood of healthcare organizations restoring ransomware-encrypted or stolen data from backups decreased” from 2016 to 2021.
Additionally, the researchers found evidence that the ransomware actors made some or all of the stolen protected health information public in 59 of the attacks by posting it on dark web forums. As the years have progressed, it’s become increasingly likely for all or some stolen information to be publicly leaked.
While limited, the researchers were able to confirm the increase in frequency and sophistication of ransomware attacks against the healthcare sector from 2016 to 2021. Data confirms the frequent disruptions and exposure of PHI, but more research is needed to “more precisely understand the operational and clinical care consequences of these disruptions.”
As lawmakers seek to address the threat of ransomware across all sectors, the researchers urged “them to focus on the specific needs of healthcare delivery organizations, for which operational disruptions may carry substantial implications for the quality and safety of patient care.”
