Researchers crawled search engines and searched the dark web to find out the true extent of healthcare ransomware attacks

Ransomware attacks against healthcare organizations doubled in the last five years, with the most common victim being health clinics, according to a new JAMA Health Forum study.

Yet study authors think the numbers are undervaluing the threat.  

Researchers from the University of Minnesota and the University of Florida measured attacks on healthcare delivery organizations from 2016 to 2021, publishing their findings in the December issue of the JAMA Health Forum. During the study period, 374 attacks were identified as exposing the personal health information (PHI) of 41,987,751 individuals—more than 10% of the U.S. population.

The study results suggest ransomware attacks on healthcare delivery organizations are increasing in frequency and sophistication.

Co-author Hannah Neprash, Ph.D., told Fierce Healthcare that this study is just the beginning of accurately quantifying the threat.

“I strongly suspect underreporting for basically everything we find,” Neprash said. “So everything is a lower estimate on the true disruption that these attacks cost."

According to the study, annual attacks doubled from 43 to 91 while PHI exposure increased more than 11-fold, from approximately 1.3 million in 2016 to more than 16.5 million in 2021. In these attacks, about half of healthcare organizations were able to restore backups. While findings show that only 15.8% of these attacks seemed to result in PHI being sold on the dark web, Neprash thinks that number is only a fraction of the truth.

The study scraped the web for formal statistics like data breaches reported to the U.S. Department of Health and Human Services (HHS) and informal data points such as the sale of stolen patient information on the dark web.

For formal reports made to the HHS Office for Civil Rights (OCR) data breach portal, over half were reported after the legally mandated 60-day period. Tardy reporting appeared to “increase substantially” from 2020 to 2021.

Attacks show to be increasing, as do the breadth of the attacks, and yet effects on facilities seem to be stagnant. “My guess is that more reflects incomplete data,” Neprash said. “We're relying on news reports or public disclosures or notification letters. So I suspect that is actually someplace where underreporting is a big deal.”

The study took a unique approach to investigate the true number of cybersecurity attacks in healthcare by scouring the web for evidence of attacks.

A collective data source, dubbed Tracking Healthcare Ransomware Events and Traits or THREAT, was created to hold data points including local news reports, proprietary data from cybersecurity threat intelligence company HackNotice, HHS OCR and dark web forums where hackers either sell data or boast about their exploits.

Despite underreporting, news stories like the Dec. 18 attack on Canada’s largest children’s hospital are increasing awareness of the problem while still largely underreported. The LockBit ransomware group responsible for the attack against the Hospital for Sick Children posted a free decryption code on Christmas Eve with a formal apology for the attack.

“The partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” the group said in the notice. Although it is unclear what “rule” the post was referring to considering the same group has taken proud responsibility for recent attacks on other hospitals including Hospital Centre of Versailles in France.

Despite hospitals being the most well-known victims of healthcare-directed cyberattacks, the JAMA study found that clinics were the most common healthcare delivery organization to experience a ransomware attack, followed by hospitals, ambulatory surgical centers, mental/behavioral health organizations, dental practices and post-acute care organizations. More than half of all attacks affected multiple facilities.

Neprash said there appear to be two broad types of ransomware strategies: those aiming to steal and sell PHI and those aiming to cause maximum mayhem in the hopes of a ransom payout. Both methods, she said, are using software that is far outpacing hospital security, reflected in the focus on attacking hospital backups.  

“Healthcare was basically dragged kicking and screaming into the 21st century,” Neprash said. “It took a long time to get healthcare providers to adopt electronic health records and now here is this threat to them. The more comprehensively networked you are, the more vulnerable that network can be to a cyberattack. So it does feel kind of like an unintended consequence of finally convincing everybody to switch to digital records.”

Insurance companies and law enforcement agencies are the two entities that Neprash suspects have the clearest view of the crisis. The study highlighted the role that the FBI plays in the management of attacks from directing organizations to not pay ransom to, in one well-documented case, withholding an encryption key in the hopes of carrying out its own disruption operation.

Moving forward, Neprash emphasized that the federal government, lawmakers and healthcare organizations must carefully manage short-term goals, like patient safety and paying ransoms, and long-term ones, like inviting attack cycles and investing in cybersecurity. "If you pay the ransom, is the disruption to care delivery shorter? Do you pay the human life costs less? What's the trade-off there? And that's not something we can answer right now."

Neprash is currently working with colleagues to better quantify the effect ransomware attacks have on patients.

The JAMA study did not specifically seek to define these effects but did discover that 44% of attacks result in care delivery disruptions, 8.6% of which exceeded two weeks. In 41.7% of cases, care disruptions exceeded two weeks, 10.2% resulted in rescheduling care and 4.3% of attacks required ambulance diversion.