An extensive study by university researchers documents the rapid growth in ransomware across the US healthcare delivery system from 2016 to 2021.
The annual number of ransomware attacks more than doubled in that period from 43 to 91, for a total of 374 incidents that exposed the personal health information (PHI) of nearly 42 million patients, according to the research paper published by the American Medical Association’s JAMA Health Network.
The researchers pulled data from the incidents reported to the U.S. federal HHS Office of Civil Rights (OCR) breach database, as required for HIPAA-covered organizations, and turned up 84 attacks that were not reported. They also discovered that 54% of the attacks were reported to OCR later than the mandated 60-day reporting period.
More details on ransomware’s toll on healthcare:
>>44% of the events disrupted patient care, 8.6% for more than two weeks. Hospitals were most likely to experience a disruption.
>>PHI records exposure increased more than 11-fold, from approximately 1.3 million in 2016 to more than 16.5 million in 2021.
>>During the five-year study period, the likelihood of healthcare organizations restoring ransomware-encrypted or stolen data from backups decreased while the likelihood increased for attackers to release stolen PHI.
>>Attackers shifted attention to larger organizations in this period—the probability of a ransomware attack hitting multiple facilities at once increased by 8% per year. Clinics were the most attacked type of facility, followed by hospitals, ambulatory surgical centers, and mental health centers.
RiskLens Data Science Picks Up the Rest of the Cyber Risk Story for Healthcare Delivery Organizations
While the immediate effect on patient safety is the most serious consequence of a ransomware attack, the financial effect on healthcare institutions, from lost patient revenue to lawsuits to fines, also deserves careful study by risk managers. The RiskLens data science team tracks those statistics and trends for use as data inputs by our clients in cyber risk quantification on the RiskLens enterprise platform.
According to our research:
>>The healthcare sector is second only to the government sector for total financial loss exposure to a cyber event, at $40 million. The average annual probable loss per event comes to $5.5 million. The average probability of a cyber event loss in a year is 9%.
>>For all the attention to ransomware, it’s relatively less probable than most other forms of attack in healthcare – a 3.1% probability of occurrence in a year, compared to the most likely loss event, insider error, at 24%. Total average probable loss exposure of $675,000 also places ransomware last on the list of cyber events for cost. Surprising though that may be, it’s consistent with our findings across industries that ransomware typically is at the bottom for cost compared to other risk categories.
Healthcare cyber defenders can get a quick look at their organizations’ probable risks in financial terms with the RiskLens My Cyber Risk Benchmark tool. Try it for free now.
RiskLens cyber risk professionals have an active practice helping healthcare organizations improve their defenses with quantitative cyber risk management on an enterprise level. Read a RiskLens industry case study: Healthcare Organization Sets a Strategy Against Ransomware.