Healthcare Ransomware Attacks More Than Doubled Over Past 5 Years
According to a study published in JAMA Health Forum, healthcare ransomware attacks more than doubled from 2016 to 2021, posing potential risks to patient safety.
The number of healthcare ransomware attacks more than doubled from 2016 to 2021, from 43 in 2016 to 91 in 2021, according to a study published recently in JAMA Health Forum.
The cohort study relied on data from the Tracking Healthcare Ransomware Events and Traits (THREAT) database, which combines proprietary data from cybersecurity threat intelligence company HackNotice with data from the Office for Civil Rights (OCR) data breach portal.
Researchers also analyzed press releases by the victim organization, news reports, public disclosures, and healthcare trade press coverage to determine whether the breaches could be deemed ransomware attacks and what operational disruptions may have occurred.
In total, the researchers documented 374 ransomware attacks that occurred between 2016 and 2021, impacting nearly 42 million patients. Protected health information (PHI) exposure increased more than 11-fold over that time period, the study found, from 1.33 million in 2016 to more than 16.5 million in 2021.
“The study results suggest that ransomware attacks on health care delivery organizations are increasing in frequency and sophistication; disruptions to care during ransomware attacks may threaten patient safety and outcomes,” the study noted.
Notably, 54 percent of all analyzed ransomware attacks were reported to HHS outside of HIPAA’s required 60-day reporting window. Clinics were the most likely organization type to experience a ransomware attack, followed by hospitals, ambulatory surgical centers, and mental health organizations.
The researchers documented a variety of operational impacts from the attacks, ranging from EHR downtime to delays, cancellations, and ambulance diversions.
What’s more, “from 2016 to 2021, the likelihood of health care organizations restoring ransomware-encrypted or stolen data from backups decreased, and more attacks were associated with some or all of the stolen PHI becoming public,” the study stated.
The study noted that the statistics reported within the article “are likely underestimates due to underreporting.” For example, some ransomware attacks may not be present on OCR’s data breach portal because the portal only displays data breaches that impacted more than 500 individuals.
In addition, the study highlighted ongoing confusion about reporting requirements, which signifies an opportunity for legislators to streamline the process and strengthen data collection to inform policy response.
“As is, this study’s findings regarding operational disruptions required individual research into each attack,” the study continued. “Even with this constraint, we documented disruptions to care delivery during nearly half of all ransomware attacks, but the scope of the problem is likely larger.”
The researchers suggested that “further study is needed” to concretely link ransomware attacks to patient outcomes.
“As policy makers craft legislation aimed at countering the threat of ransomware attacks across multiple industries, we urge them to focus on the specific needs of health care delivery organizations, for which operational disruptions may carry substantial implications for the quality and safety of patient care,” the study concluded.