Ransomware attacks continue to hit healthcare organizations in large numbers, but determining how heavily the sector is being targeted by ransomware gangs is difficult. Victims do not always report an incident as involving ransomware, and ransomware gangs do not publicly list victims who pay the ransom, so counts built from breach notices and leak sites understate the true total.
The nature of the attacks is also changing. Some ransomware gangs now conduct extortion-only attacks, in which sensitive data is exfiltrated from the network and a ransom is demanded to prevent its publication or sale, but no malware is deployed to encrypt files. The decision whether or not to encrypt appears to be made on an attack-by-attack basis.
The cybersecurity firm Emsisoft tracks ransomware attacks and produces annual reports on the extent to which ransomware is used in cyberattacks, while acknowledging that reliable statistics are difficult to produce. This year’s report shows that more than 200 large organizations in the United States in the government, education, and healthcare verticals were attacked. Attacks in the education sector have remained fairly consistent over the past 4 years, with between 84 and 89 attacks each year, as has the number of attacks on state and local governments, with 105 in 2022 against an average of 102 a year.
Compiling meaningful data on attacks on healthcare organizations has been particularly challenging. HIPAA imposes breach reporting requirements, but covered entities are not required to disclose the exact nature of an attack or release details, so a notice rarely states whether ransomware was involved. For this reason, and because of the sheer volume of reports, Emsisoft did not compile data for healthcare organizations as a whole in the 2022 report and instead focused on hospitals and multi-hospital health systems.
For the report, Emsisoft’s researchers compiled data from public breach notices, news reports, dark web data leak sites, and third-party intelligence. The data confirm that at least 105 state and local governments, 45 school districts, 44 universities, and 25 healthcare providers suffered ransomware attacks in 2022. The true figures are likely to be significantly higher because of the lack of detailed reporting.
Across all verticals, attackers stole data before encrypting in around half of the attacks, but data theft was much more common in attacks on healthcare providers: data was exfiltrated in at least 17 of the 25 confirmed attacks (68%). Because healthcare organizations and their business associates release so little detail, it is not possible to determine definitively whether ransomware attacks on the sector are increasing, plateauing, or declining. What is clear is that the sector continues to be targeted and that a great many patients have been affected.
Several of the attacks were on multi-hospital health systems, so the 25 confirmed attacks account for 290 hospitals across the country that were potentially affected. That total includes the roughly 150 hospitals operated by CommonSpirit Health, which confirmed that the protected health information of 623,774 patients was compromised in its attack. CommonSpirit Health has since confirmed that only a small number of the hospitals it operates were actually affected, which illustrates why the 290 figure is an upper bound rather than a count of disrupted hospitals.
These attacks often involve the theft of patient data, which puts patients at risk of identity theft and fraud, but the most serious consequences are to patient health. Studies indicate an increase in mortality following a ransomware attack and worse patient outcomes because of delayed test results, postponed appointments, and canceled surgeries. While no individual death has been directly attributed to a ransomware attack, delays in treatment clearly affect outcomes. Emsisoft draws attention to one attack in which a computer system used for calculating medication doses was taken offline, after which a 3-year-old patient was given a massive overdose of pain medication.
The post 290 Hospitals Potentially Affected by Ransomware Attacks in 2022 appeared first on HIPAA Journal.