Researchers affiliated with the University of Florida and the University of Minnesota have published an academic study on ransomware attacks on healthcare organizations. The findings show the changing characteristics of these attacks over five years, including the months when the pandemic was at its worst in the U.S. This reveals some interesting trends and exposes gaps in our understanding of the total problem. It isn’t an exciting read for the general public but may be of interest to cybersecurity and business professionals.
The report is titled Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021. It was published on the JAMA forums on December 29, 2022.
Research challenges
Early in the study investigators realized there was no systematic documentation of the extent and effect of ransomware attacks on health care delivery organizations. News coverage and mandatory data breach disclosures could not provide the comprehensive set of information required by the study. In order to answer the research question, this comprehensive set of data would have to be built.
Researchers met this challenge by creating a database of information from both proprietary and publicly available sources, including the dark web. This resource was named Tracking Healthcare Ransomware Events and Traits (THREAT) and all data used for the study were included in this database.
Researchers also defined ‘health care delivery organizations’ broadly and included organizations like diagnostic laboratories and post-acute care facilities. A ‘ransomware attack’ was any attack that was identified as ransomware or included ransomware-related language in press releases or breach notifications.
The THREAT database ultimately included 374 ransomware attacks on health care delivery organizations between 2016-2021. These attacks exposed nearly 42 million individual protected health information (PHI) records.
Findings and discussion points
Over the five years examined in the study, the number of annual ransomware attacks increased from 43 to 91, and the annual number of individuals affected by PHI exposures increased from 1.3 million in 2016 to more than 16.5 million in 2021.
15.8% of the data exposed in these attacks were found available for sale on the dark web. The research does not conclude that this is the only data that was available for sale. Data could have been sold elsewhere, or it could have been on the dark web but not found by the researchers.
Clinics and hospitals were the most likely to experience a ransomware attack, and this remained true for all five years:
Ransomware attacks, No. (%)
Organization type | 2016 | 2021
Clinic | 26 (60.5) | 51 (56.0)
Hospital | 13 (30.2) | 23 (25.3)
Ambulatory surgical center | 8 (18.6) | 15 (16.5)
Mental/behavioral health | 3 (7.0) | 18 (19.8)
Dental | 2 (4.7) | 12 (13.2)
Post acute care | 1 (2.3) | 4 (4.4)
Other | 8 (18.6) | 22 (24.2)
(Source: Table 2, p.6)
The annual number of attacks that affected multiple facilities increased from 41.9% to 76.9%. Researchers speculate this could be due to the increasing sophistication of ransomware attacks. Consolidation of organizations could also be a contributor.
77.5% of all attacks in the THREAT database are reported as PHI breaches in Office for Civil Rights (OCR) data breach reports, which suggests that 22.5% of attacks did not result in a reported breach of PHI. This could mean that no data was exposed in those attacks, or that the data that was stolen did not fit the PHI or OCR-reportable HIPAA data breach classifications. Researchers also note that there could be confusion around the reporting requirements when it comes to ransomware attacks.
54.3% of the PHI breaches reported to HHS were submitted after the mandated reporting deadline had passed (Figure 3b, p.6). Delays in reporting jumped during the height of the pandemic (U.S.) when healthcare organizations were most stressed due to COVID-19 and the related increase in cyberattacks. The timing of breach notifications to affected individuals was not included in this study. It should also be noted that there is no fine for late reporting.
(Figure 3b, p.6)
44% of attacks resulted in care delivery disruptions such as system downtime (41.7%), delays or cancellations of scheduled care (10.3%), and ambulance diversion (4.3%). It makes sense to see system downtime ahead of the pack here since the system itself is attacked and compromised. Health care organizations have been adopting digital systems at a rapid pace over the last several years, and when system downtime occurs, the staff resorts to paper charts and backup procedures. This can contribute to the other findings around scheduled care and ambulance diversions.
8.6% of care delivery disruptions lasted longer than two weeks.
Operational disruptions | Number of attacks (of 374) | Share of attacks, %
Disrupted care delivery | 166 | 44.4
Disruption duration, mean | 15.8 days | NA
Known disruption with unknown duration | 67 | 17.9
<1 week | 39 | 17.9
1-2 weeks | 28 | 7.5
2-4 weeks | 16 | 4.3
>4 weeks | 16 | 4.3
(Source: Table 1, p.5)
The ability to restore encrypted or stolen data from backups decreased over time, from 34.9% successful recoveries in 2016 to 14.4% in 2021. Of the 374 attacks in the THREAT database, only 77 victims (20.6%) were able to rely on their own data backup systems to recover. These organizations did not need a decryption key to recover encrypted data.
The reduction in successful recoveries may have several causes. The report does not discuss this in detail, but we can offer some ideas:
- Ransomware is getting more sophisticated. Attacks targeting backup systems can render them useless for recovery. Backup systems need to be specifically designed to withstand ransomware attacks, or they are just as vulnerable as any other system.
- Digital transformation has created new information in new storage locations. This creates data sprawl, and administrators do not know all locations of critical data. The research did show that although the number of attacks doubled over the five years, the PHI exposure increased by a factor of 11. There was also a 35% increase in attacks affecting multiple facilities. It’s possible the data backups just weren’t kept up with the digital transformation taking place in these organizations.
- The pandemic caused a sudden spike in healthcare records. The demand for care was so great that care facilities were restructured (or created) to handle the overflow from hospitals and clinics. It’s possible that understaffed IT teams were delivering on the most urgent needs and did not address the backup systems soon enough.
Conclusions
The researchers emphasize that ransomware attacks in healthcare are underreported and there are too many unknown factors around the types of disruptions and the reasons behind the lack (22.5%) or delay (53.5%) of OCR reporting. Details around operational disruptions should be included in tracking, and records like Medicare claims data might be useful in these efforts. Building a comprehensive reporting and tracking system will assist lawmakers who want to strengthen data collection around all cyberattacks to create informed policy responses.
There were many limitations to this research, including a lack of information on the types of malware used, the attempted but unsuccessful attacks, or the effects of the market structure of the organizations. The most crucial unknown is how ransomware disruptions affect patients seeking care during a ransomware attack.
There is much more to learn from this research than we can cover here. The 11-page report is available in the JAMA (Journal of the American Medical Association) health forums.