Ransomware attacks spike, costing healthcare organizations millions

The monetary figures at stake in each case varied wildly, ranging from $1,600 at the low end to $14 million at the high end.

Jeff Lagasse, Associate Editor

Since 2016 there have been 172 ransomware attacks on healthcare organizations -- enough to cost the health system more than $157 million, according to a Comparitech report.

The attacks affected upwards of 6.6 million patient records spread out across 1,446 hospitals and clinics, as well as other facilities. The monetary figures at stake in each case varied wildly, ranging from $1,600 at the low end to $14 million at the high end. Of that, hackers pocketed roughly $640,000, estimating conservatively.

California experienced the most breaches related to ransomware, which locks healthcare organizations out of patient records and financial systems. In total, the state has been targeted by 25 ransomware attacks since 2016. The attacks cost the state between $22.9 and $35 million in downtime alone, the report said.

Texas had the second-highest total of ransomware attacks at 14. Michigan was only targeted five times, but more than 1 million records were affected, and some of those records belong to people who live out of state, since many of the attacks were focused on medical supply and billing companies.

Maine, Montana, New Mexico, North Dakota and Vermont were unaffected by breaches during the time period in question.

WHAT'S THE IMPACT

Hospitals and clinics accounted for 74% of ransomware attacks. The rest were spread out between elderly care providers (7%); optometry practices (6%); dental practices (5%); IT providers (5%); plastic surgeons (2%); medical testing (2%); health insurance companies (1%); government healthcare programs (1%); and medical supplies (1%).

The number of attacks has fluctuated from year to year since Comparitech started compiling statistics in 2016. There were 36 attacks in 2016, but that rose to 53 in 2017. The figure dipped again to 31 in 2018, only to rise again in 2019 to 50.

The base numbers only provide the financial impact of the breaches themselves, not related factors that are affected, such as downtime; data from California is more robust than most. That's because only a few hospitals are allowed to discuss how much downtime a given attack has caused, and the consequent costs involved. Some are back up and running in hours, while for others the downtime can drag on for weeks.

The cost for some is significant, though, with two providers shuttering their doors entirely due to ransomware attacks. The cost of restoring their systems was too great.

Estimates, however, place the average downtime caused by a breach at 16.2 days. In 2016, it was estimated that downtime could cost an average of $918,000 per organization, taking into account metrics such as business disruption, lost revenue, end-user and IT productivity, detection, recovery, equipment and third parties.

If those costs remained the same over the past three years, that downtime adds up to about $157.9 million in financial impact. But downtime and its associated costs have risen over that time, so that estimate is likely conservative. A high-end estimate places that figure at $240.8 million.

THE LARGER TREND

Increasingly sophisticated cyberattacks will pose significant threats to hospitals' operations and revenues, as well as risks to patient safety that will expose more hospitals to malpractice accusations and lawsuits, found a September 2019 report by credit rating agency Moody's Investors Service.

Small hospitals that lack resources and modern technology will be the most vulnerable to attacks, the report found.

Twitter: @JELagasse

Email the writer: jeff.lagasse@himssmedia.com