The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Ransomware Attacks Threaten Up to 30% of Operating Income

Ransomware attacks increased by 91% month over month in March 2023, according to a new analysis by NCC Group. There were 459 confirmed attacks in March, which is a 62% increase from March last year. The massive increase was driven by the zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere managed file transfer (MFT) solution, which was exploited by the Clop ransomware group in around 130 attacks on companies over a 10-day period.

The Clop ransomware group said that ransomware could have been deployed in those attacks, but it chose to conduct extortion only, stealing data without encrypting files. Even discounting those attacks, since ransomware was not actually deployed, attacks are still occurring at a higher rate than in 2022. According to NCC Group, hacking and data leak incidents are also occurring at a much higher rate – more frequently than at any time in the past 3 years.

ThreatConnect Quantifies the Cost of a Healthcare Ransomware Attack

Ransomware attacks can be costly to resolve, especially for small organizations, but the true cost of the attacks is difficult to determine. IBM Security calculated the average cost of a data breach to be $4.24 million in 2021 – $9.23 million for a healthcare data breach – but the cost of recovering from a ransomware attack is less clear, as is the likely cost to any specific organization. ThreatConnect recently attempted to quantify the cost of a ransomware attack to make the likely costs clearer. As ThreatConnect explained, an average naturally includes incidents where the recovery costs were relatively low as well as attacks where the costs were atypically high, so a few outliers can skew it. The average cost is a useful figure but says nothing about how much a data breach is likely to cost a specific business.

ThreatConnect’s analysis took several factors into account, such as the size of the organization and the operating environment, and estimated the median cost of ransomware attacks as a share of operating income. The analysis was broken down by the size of an organization based on operating income. Operating income is revenue minus the cost of goods or services sold, minus operating expenses. The operating incomes used for the analysis were small ($500 million), medium ($1.5 billion), and large ($15 billion). The median cost of a ransomware attack was then estimated based on past losses in each cohort, which was further broken down by industry sector.


Ransomware Attacks Threaten as Much as 30% of Operating Income

In addition to the cost of a ransom – if it is paid – healthcare organizations face substantial remediation costs, the operational disruption caused by the attack can result in substantial revenue loss while the attack is remediated, and reputational damage carries continuing costs. The startling revelation from the analysis was the percentage of operating income that was at risk from ransomware attacks. For a small healthcare organization, the median loss from a ransomware attack was $15.2 million, which is more than 30% of operating income. Relative to operating income the impact on medium-sized healthcare organizations was far less, with an estimated median cost of $26.8 million or 15.36% of operating income, and it was lowest for large healthcare organizations, which had a median cost of $101.2 million, but that represents just 4.92% of operating income.

The biggest share of the cost comes from the loss of revenue rather than remediation. For a small healthcare organization that would be $8.92 million in lost revenue and $5.45 million in remediation costs. For medium-sized healthcare organizations, the revenue loss was $16.06 million with remediation costs of $7.77 million, and for large organizations, $72.84 million in lost revenue and $23.83 million in remediation costs.

“With the National Cyber Strategy coming out of the White House focusing on decreasing cyber risk from critical infrastructure and the new SEC Cyber Proposals, organizations across industries are now being tasked with reporting on cyber risk,” said Jerry Caponera, GM of Risk Quantification, ThreatConnect. “Organizations are finally waking up to the fact that the impact of ransomware and other cyber attacks is more than just a moment in time. The financial implications are far-reaching and create barriers for companies to continue operations after these attacks.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
