- Over the past four years, nearly 1,500 healthcare companies have been hit with ransomware attacks, according to a study released Tuesday by Comparitech, a company that rates IT privacy tools.
- The 172 individual attacks from 2016 to 2019 affected 6.6 million patients. The overwhelming majority of organizations affected were hospitals or clinics at 74%. Elderly care providers accounted for 7%, followed by dental (5%), medical testing (2%) and health insurance, government health and medical supplies, all at 1%.
- Researchers calculated the overall cost of the attacks at $157 million. Hackers have demanded $16.5 million and received at least $640,000. The amounts requested ranged from $1,600 to $14 million.
Ransomware attacks are of growing concern to a number of sectors, but can be especially difficult for healthcare organizations that require access to records to treat patients. In the newest study, researchers determined the downtime caused by an attack could last months.
Hospitals continue to have high vulnerability. A recent Moody's report noted cyberattacks against the hospitals sector "will continue to evolve" and warned smaller facilities are especially at risk given their lack of resources. Just a bit more than 5% of hospital IT budgets are earmarked for cybersecurity, Moody's said.
Hospital breaches usually involve sensitive information, and at least one study found they were associated with increased mortality. Hospitals can also be on the hook with failing to notify federal authorities when a breach has occurred. In December, Sentara Hospitals agreed to a $2.2 million settlement after accusations it did not notify the HHS Office for Civil Rights when patient health information was compromised through a mailing error.
The new study found that California and Texas were hit with the most attacks, not surprising given their large geographic sizes and populations. The state with the highest percentage of population affected by a healthcare ransomware attack was Michigan with 11%, largely stemming from two separate attacks — one on medical supply company Airway Oxygen, Inc and the other on medical billing company Wolverine Solutions Group. Next highest were Utah and Delaware at nearly 9% each.
One major cybersecurity threat that made headlines has been lingering. The WannaCry malware that crippled dozens of hospitals in the United Kingdom in the spring of 2017 was still affecting organizations two years later as many systems weren't being properly patched.
Indeed, 2017 was the year with the largest number of attacks over the time period studied at 53. There were 50 in 2019, 36 in 2016 and 33 in 2018.
Previous research has shown the attacks often target individual healthcare employees through malicious email, mostly with URLs that link to a trusted file-sharing service. Those attacks hit not only high-ranking employees but also those with access to particular systems or with visible email addresses.