Study Identifies Healthcare Ransomware Attack Trends

Healthcare ransomware attacks have at least doubled in the past 5 years, data recovery from backups has decreased, and it is now common for data to be stolen and publicly released following a successful attack, according to a new analysis recently published in the JAMA Health Forum.

Healthcare ransomware attacks are difficult to track accurately: breach reports and press releases do not always specify ransomware, and ransomware gangs typically do not publicly disclose attacks when the ransom is paid. That makes it hard to determine the extent to which attacks are increasing or decreasing. With more detailed reporting of cyberattacks, legislators would have accurate data to inform their policy decisions.

The data for the analysis were collected from the Tracking Healthcare Ransomware Events and Traits (THREAT) database, which draws on a variety of sources, including the HHS’ Office for Civil Rights breach portal, HackNotice, press releases from victims, media reports, and dark web monitoring. The researchers accept that, due to the lack of accurate reporting, the number of attacks has likely been underestimated. The most likely cause of omissions is ransomware attacks being reported as malware incidents with no mention of a ransom demand; such attacks could not be included in the data. Even so, the researchers believe their database is the most accurate record of healthcare ransomware attacks. “To be missing from the THREAT database, a ransomware attack would have needed to go unreported to HHS OCR, remain undetected by HackNotice web crawler surveillance and monitoring of dark web forums, and have received no press coverage in local news or health care trade publications,” explained the researchers.

The analysis revealed there were 374 documented ransomware attacks on healthcare organizations between 2016 and 2021, with those attacks involving the personal or protected health information of at least 41,987,751 individuals. Attacks more than doubled from 43 in 2016 to 93 in 2021, and there was an 11-fold increase in impacted records, from around 1.3 million records in 2016 to around 16.5 million records in 2021. It should be noted that there was no data available on the extent to which PHI exposure occurred in more than one-fifth of attacks (22.5%).

Out of the 374 confirmed ransomware attacks, only 20.6% of healthcare organizations said they were able to restore data from backups, and in 15.8% of attacks, at least some of the stolen data were posted publicly on the clear web or on dark net data leak sites. It should be noted that the double-extortion ransomware trend where data are stolen prior to file encryption only started in 2020.

While ransomware attacks are often attempted on hospitals and large health systems, clinics suffered the most ransomware attacks, followed by hospitals, other delivery organization types, ambulatory surgical centers, mental/behavioral health organizations, dental practices, and post-acute care organizations. As HIPAA Journal has previously reported, the breach reporting requirements of the HIPAA Breach Notification Rule are frequently violated, with many breached organizations unable to issue notifications about ransomware attacks within the 60-day reporting deadline. The analysis revealed late reporting in 54.3% of attacks.

The impact of these attacks on patients is often difficult to determine. The researchers were unable to determine the extent to which ransomware disruptions affected patients seeking care during an attack but found evidence that care delivery operations were disrupted in 44.4% of attacks. The disruption continued for at least 2 weeks in 8.6% of attacks, most commonly due to IT system downtime, canceled appointments, and ambulance diversion. This disruption to care threatens patient safety and outcomes.

The researchers concluded that ransomware attacks on healthcare organizations have increased in both sophistication and frequency, with attacks now more likely to affect multiple facilities, prevent access to patient data, disrupt healthcare delivery, and expose patient data. The researchers have called for policymakers to focus their efforts on the specific needs of healthcare organizations due to the implications on the quality and safety of patient care.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com