Healthcare ransomware attacks have at least doubled in the past 5 years, data recovery from backups has decreased, and it is now common for data to be stolen and publicly released following a successful attack, according to a new analysis recently published in the JAMA Health Forum.
Healthcare ransomware attacks can be difficult to accurately track, as ransomware is not always specified in breach reports and press releases, and ransomware gangs typically do not publicly disclose their attacks when ransoms are paid, which makes it difficult to determine the extent to which attacks are increasing or decreasing. With more detailed reporting of cyberattacks, legislators would have accurate data to inform their policy decisions.
The data for the analysis was collected from the Tracking Healthcare Ransomware Events and Traits (THREAT) database, which includes data collected from a variety of sources such as the HHS’ Office for Civil Rights breach portal, HackNotice, press releases from victims, media reports, and dark web monitoring. The researchers accept that due to the lack of accurate reporting, the number of attacks has likely been underestimated, with omissions most likely due to the reporting of ransomware attacks as malware incidents, with no mention of ransom demands. These attacks could naturally not be included in the data. Even so, the researchers believe their database is the most accurate record of healthcare ransomware attacks. “To be missing from the THREAT database, a ransomware attack would have needed to go unreported to HHS OCR, remain undetected by HackNotice web crawler surveillance and monitoring of dark web forums, and have received no press coverage in local news or health care trade publications,” explained the researchers.
The analysis revealed there were 374 documented ransomware attacks on healthcare organizations between 2016 and 2021, with those attacks involving the personal or protected health information of at least 41,987,751 individuals. Attacks more than doubled from 43 in 2016 to 93 in 2021, and there was an 11-fold increase in impacted records, from around 1.3 million records in 2016 to around 16.5 million records in 2021. It should be noted that there was no data available on the extent to which PHI exposure occurred in more than one-fifth of attacks (22.5%).
Out of the 374 confirmed ransomware attacks, only 20.6% of healthcare organizations said they were able to restore data from backups, and in 15.8% of attacks, at least some of the stolen data were posted publicly on the clear web or on dark net data leak sites. It should be noted that the double-extortion ransomware trend where data are stolen prior to file encryption only started in 2020.
While ransomware attacks are often attempted on hospitals and large health systems, clinics suffered the most ransomware attacks, followed by hospitals, other delivery organization types, ambulatory surgical centers, mental/behavioral health organizations, dental practices, and post–acute care organizations. As HIPAA Journal has previously reported, the breach reporting requirements of the HIPAA Breach Notification Rule are frequently violated, with many breached organizations unable to issue notifications about ransomware attacks within the 60-day reporting deadline. The analysis revealed late reporting in 54.3% of attacks.
The impact of these attacks on patients is often difficult to determine. The researchers were unable to determine the extent to which ransomware disruptions affected patients seeking care during an attack but found evidence that care delivery operations were disrupted in 44.4% of attacks. The disruption continued for at least 2 weeks in 8.6% of attacks, most commonly due to IT system downtime, canceled appointments, and ambulance diversion. This disruption to care threatens patient safety and outcomes.
The researchers concluded that ransomware attacks on healthcare organizations have increased in both sophistication and frequency, with attacks now more likely to affect multiple facilities, prevent access to patient data, disrupt healthcare delivery, and expose patient data. The researchers have called for policymakers to focus their efforts on the specific needs of healthcare organizations due to the implications on the quality and safety of patient care.
The post Study Identifies Healthcare Ransomware Attack Trends appeared first on HIPAA Journal.