Ransomware attacks on healthcare facilities, from hospitals to dental offices, have substantially increased in number and severity in recent years, according to a cohort study.
HHS data spanning 2016-2021 showed the annual number of ransomware attacks doubled (43 in 2016 to 91 in 2021) and the number of patients affected increased by more than 11-fold (from approximately 1.3 million in 2016 to more than 16.5 million in 2021), according to Hannah T. Neprash, PhD, of the School of Public Health at the University of Minnesota in Minneapolis, and co-authors.
Moreover, these ransomware attacks also increasingly targeted large healthcare organizations with multiple facilities (mean annual marginal effect [ME] 0.08; 95% CI 0.05-0.10, P<0.001), and exposed the personal health information of more patients (ME 66,386; 95% CI 3,401-129,371, P=0.04), they reported in JAMA Health Forum.
The attacks grew more severe, with data less likely to be restored from backups (ME −0.04; 95% CI −0.06 to −0.01, P=0.002), and they were increasingly associated with delays or cancellations of scheduled care (ME 0.02; 95% CI 0-0.05, P=0.02).
Meanwhile, ransomware victims became more likely to miss reporting the attacks within HHS's required 60-day timeline (ME 0.06; 95% CI, 0.03-0.08, P<0.001).
The findings show these kinds of cyberattacks reflect an ongoing trend affecting healthcare organizations, which might not be clear to many providers because of the lack of data, Neprash emphasized.
"When we started this research, there was a lot of kind of anecdote about the rise of ransomware attacks on hospitals and doctors' offices and everything in between, but there really wasn't much rigorous evidence," Neprash said. "So we set out to fill that vacuum."
"This problem is clearly getting worse," she added. "There's some evidence that the sophistication of the ransomware attacks is increasing in a way that's concerning."
The data provides context to the glut of recent breaking news stories about these attacks over the past few years, such as the 2021 attack on Southern California's Scripps health system. More recent reports have indicated that specific types of attacks, such as Ryuk ransomware, have had an outsized impact on the healthcare industry.
Calls to emphasize cybersecurity awareness and preparedness to deal with ransomware attacks have grown, especially in light of the that has affected healthcare systems after these attacks. In one prominent example, the Scripps attack led to class action lawsuits against the system.
Despite the attention these individual attacks garnered, Neprash said the lack of data on the trends, impact, and severity of these attacks could be hindering the healthcare industry's ability to sufficiently address this issue.
"There's a lack of awareness, and a lot of that is driven by the lack of data on this topic," she said. "There's been so much secrecy. I don't think anyone wants to advertise the fact that their hospital system fell victim to a ransomware attack, but given how common it's become, I think it is beyond time to start talking about this and start doing something to prevent this."
Christian Dameff, MD, medical director of cybersecurity at the University of California San Diego, agreed that the need for more evidence-based insights and interventions is a bottleneck in the process of sufficiently addressing these attacks.
"In healthcare cybersecurity, we are in the infantile stages of assessing this from a critical scientific lens," he said.
Dameff emphasized that ransomware attacks put healthcare organizations in very difficult positions, because they severely limit healthcare delivery, extort financial resources from organizations, and open them up to scrutiny and litigation. Dameff said these factors can limit the availability of data on ransomware attacks because hospitals are reluctant to share all of the details of an attack.
However, Dameff said this study is a positive step toward quantifying the scope of the problem, and he believed the next step should be to study the true impact of these attacks on the healthcare industry.
"These are targeted attacks to healthcare, where they know who they're attacking, and how much money they can extort from them," Dameff said. "And as a consequence, when they do finally attack them, they do so in a way that's quite devastating and expansive."
Neprash and colleagues documented 374 ransomware attacks during the study period from 2016 to 2021. In total, these attacks affected personal health records of about 42 million patients. Some 42% of the attacks shut down the facilities' electronic systems, 10.2% led to canceled appointments, and 4.3% resulted in ambulance diversions.
Every major category of healthcare service facilities saw a rise in ransomware attacks during the study period:
- Clinic (26 incidents in 2016 vs 51 in 2021)
- Hospital (13 vs 23)
- Ambulatory surgical center (8 vs 15)
- Mental/behavioral health (3 vs 18)
- Dental (2 vs 12)
- Post acute care (1 vs 4)
- Other (8 vs 22)
Neprash noted that, while these trends are worrisome, the data could also be a signal that changes are needed to improve digital security throughout the healthcare industry.
"Healthcare is a sector that's always been a little bit behind the curve on IT adoption," Neprash said. "It took a lot of work to get most health care providers to adopt EHRs, and now that they have, I think there's a lot of opportunity to improve cybersecurity and adopt evidence-based best practices."
Disclosures
Authors declared they had no relevant financial interests.
Primary Source
JAMA Health Forum
Neprash HT, et al "Trends in ransomware attacks on US hospitals, clinics, and other health care delivery organizations, 2016-2021" JAMA Health Forum 2022; DOI: 10.1001/jamahealthforum.2022.4873.