Healthcare Ransomware Attacks Cost Nearly $21 Billion In 2020. Now What?

As the dust settles on 2020, it’s become clear that this was an unbelievably bad year for healthcare ransomware attacks. In fact, it was a year that cost organizations $20.8 billion in ransomware expenses, according to a new estimate. Worse, there is no future relief in sight.

Research by Comparitech recently concluded that there were 92 ransomware attacks on individual healthcare organizations last year. This includes one large single attack on cloud provider Blackbaud. Roughly 100 US healthcare organizations have reported being affected by the Blackbaud attack alone, with more than 12.3 million patient records affected, the company found.

In total, ransomware affected over 600 separate hospitals, clinics and other healthcare organizations, according to Comparitech. These attacks affected more than 18 million individual patients and/or records, which represents a 470 percent increase from 2019.

The amount demanded by ransomware attackers ranged from $300,000 to $1.14 million. The average ransomware demand in 2020 was $169,446, for an aggregate of $15.6 million. As for what attackers actually collected, they received at least $2.1 million in payments, not counting an undisclosed amount paid by Blackbaud.

On top of that, cybercriminals have lately been engaged in a double ransom scheme in which they not only lock up databases and computers but also contact victims with proof that they collected the data. This certainly puts more pressure on the targeted organizations to settle with the thieves.

Downtime resulting from these attacks varied from minimal impact to the need to use paper-only approaches for weeks or months. In one case, an organization lost all of the patient records affected by the ransomware attack. Ouch doesn’t cover it.

With the rate of ransomware cases continuing to mount over the last few years, one has to ask when this is all going to end. Not only are the costs insupportable, and the blow to a provider’s reputation potentially permanent, the risk to human health cannot be forgotten. I haven’t heard of any patient deaths caused by lack of access to medical records, but that doesn’t mean they won’t happen. (In September of last year, it was widely reported that a German woman had become the first to die due to problems related to a ransomware attack, but that claim seems to have been debunked.)

At this point, we’re left with some important questions, none of which I think we have answers to as of yet. In particular, if healthcare organizations are virtually helpless when a ransomware attack hits their own network, and their cloud provider isn’t immune either, where do providers turn to solve this problem? Given how lucrative they can be, it’s unlikely the rate of these attacks is going to slow down on its own.

It seems clear that existing disaster recovery practices such as having secure backups in place don’t offer enough to fight against virulent ransomware strains, nor are standard anti-malware strategies sufficient to protect an organization. In other words, it looks like the war against ransomware will be a long and hard-fought one. Let’s just hope that we can keep human casualties resulting from these attacks at zero.

 

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

   
