Ransomware attacks on health care organizations more than doubled from 2016 to 2021, compromising tens of millions of patients’ personal information and potentially jeopardizing their care.
In what is believed to be the first census of such attacks, investigators report in the journal JAMA Health Forum that 374 ransomware attacks were carried out against clinics, hospitals, dental offices, diagnostic laboratories, emergency medical services and other health care delivery organizations between 2016 and 2021. During that period, the annual number of attacks rose from 43 to 91. The attacks exposed the personal health information of nearly 42 million patients.
The study was conducted by researchers at the University of Minnesota and Beth A.Virnig, Ph.D., M.P.H., dean of the University of Florida College of Public Health and Health Professions, who joined UF last year from the University of Minnesota.
Unlike other data breaches that may be intended only to steal data, ransomware attacks introduce malware into organizations’ electronic systems that is designed to disrupt operations until payment demands are met.
“Like all health care organizations, the threat of ransomware attacks is one of our biggest security concerns,” said David R. Nelson, M.D., senior vice president for health affairs at UF and president of UF Health. “The finding that these attacks are becoming more frequent and more complex is particularly worrisome.”
The new study found that almost half of ransomware attacks during the study period affected health care delivery. These disruptions led to downtime of electronic systems, often forcing providers to rely on pen and paper charting, cancel scheduled procedures and divert ambulances away from hospitals’ emergency rooms. The American Hospital Association calls ransomware attacks on health organizations threat-to-life crimes because of the risks they pose to patient care.
The researchers also found that ransomware attacks on health care organizations became increasingly sophisticated. Over time, organizations were less likely to be able to restore data from backup systems. In addition, stolen patient data were more likely to become public, and attacks involving organizations with multiple facilities increased.
For the study, investigators created a data source called Tracking Healthcare Ransomware Events and Traits, or THREAT, that combines data from cybersecurity company HackNotice with data from the U.S. Department of Health and Human Services Office of Civil Rights Data Breach Portal. Supplemental information came from searches of public disclosures, local news reports and health care trade press coverage. Despite careful research, the authors say, the number of ransomware attacks in health care is likely underestimated due to underreporting.
“Information security practices such as two-factor identification and mandatory trainings may seem like an inconvenience for those of us who work in health systems, but those practices are a relatively small burden when we look at the very serious impact ransomware attacks can have on the ability to safely and effectively care for patients,” Virnig said.
Media contact: Jill Pease, email@example.com, 352-273-5816