In 2021, 108 individual ransomware attacks affected 2,302 medical organizations and impacted 19.76 million patient records. We estimate that these attacks cost medical entities almost $7.8 billion in downtime alone.
Since 2016, ransomware attacks have been a well-known threat to medical organizations, and we saw a massive influx of attacks from the pandemic onwards. While ransomware attacks in general are destructive, the impacts on healthcare facilities are arguably some of the most catastrophic. They cripple key systems and prevent hospitals from accessing crucial patient data until a fee is paid to the hacker (or the ransomware is removed by IT specialists). Add a global pandemic into the mix and you’ve got an even bigger problem, one that leads to severe delays and costs for healthcare organizations, untreated patients, and canceled appointments.
For example, Scripps Health, a California-based non-profit operator with 5 hospitals and 19 outpatient clinics, suffered a ransomware attack in May 2021. The overall cost of the attack exceeded $112 million. Four hospitals had to re-route stroke and heart attack patients, and two hospitals also lost access to their electronic medical record system and offsite servers.
So, what is the true cost of these ransomware attacks across the healthcare sector in the US, how has the ransomware threat changed over the last few years, and what has happened so far in 2022?
To find out, our team of researchers gathered information on all of the ransomware attacks affecting medical organizations since 2016. However, many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. Information about an attack is often released to the public only when the hospital or clinic has to acknowledge the breach due to disrupted systems or lost patient data. Where an attack was made public in this way, the reports have been included in our study.
Our team sifted through several different healthcare resources (specialist IT news, data breach reports, and state reporting tools) to collate as much data as possible on ransomware attacks on US healthcare providers. We then used all of the available data on downtime and ransom amounts to estimate a range for the likely cost of ransomware attacks on medical organizations. Due to the limitations of uncovering these types of breaches, we believe the figures only scratch the surface of the problem.
Author: Paul Bischoff, Tech Writer, Privacy Advocate and VPN Expert