Over 1,500 US healthcare organizations have spent more than $157 million in recovery costs (including downtime) due to ransomware attacks since such attacks became prevalent in 2016, according to a report by Comparitech researchers. The company, which helps consumers compare tech services, recently released the results of its investigation of US healthcare organization data, drawing on breach reports, IT news channels and the Department of Health and Human Services breach portal. The results speak for themselves.
Comparitech’s researchers found that 172 ransomware attacks on US healthcare organizations took place between 2016 and 2019. These affected 1,446 clinics, hospitals and other healthcare organizations, as well as over 6.6 million patient records. According to the study, 74% of the affected organizations were hospitals; the remainder were IT providers (5%), elderly care providers (7%), dental providers (5%), optometry practices (6%), plastic surgeons (2%), medical testing (2%), health insurance (1%), government health (1%) and medical suppliers (1%).
The attacks disrupt organizational systems, preventing healthcare organizations from accessing patient information until a payment is made. This results in financial losses, delays, untreated patients and cancelled appointments. Ransom demands varied widely, from $1,600 to a staggering $14 million, with the total amount demanded since 2016 reaching $16.48 million (attackers have received more than $640,000 of this amount in that period). Since not all healthcare providers disclosed the ransom amounts, these figures are estimates. Meanwhile, the organizational downtime caused by the attacks ranged from hours to months.
The losses incurred by different states also varied. States such as Arkansas and Alaska, with only one ransomware incident each, lost between $918,000 and $1.4 million. Meanwhile, California, which experienced 25 ransomware attacks, suffered a downtime cost of between $22.95 million and $35 million. Texas had the second highest number of attacks on healthcare organizations, with 14 institutions affected since 2016 and a downtime cost of between $12.85 million and $19.6 million.
According to Comparitech, ransomware attacks in the healthcare sector reached their highest number during the last quarter of 2019, and the researchers are adamant that the trend is likely to continue into 2020. “These waves of attacks may relate to different types of ransomware being developed. However, with many organizations failing to disclose the type of ransomware used in the attack, it is difficult to know if this is the case,” Comparitech researchers stated. “In the US, cybersecurity is often decided by each individual organization or the corporation behind them. Sophisticated cyberattacks will continue to pose a threat to hospitals’ revenues and operations, putting the safety of patients at risk. The latter will, in turn, put even more pressure on hospitals due to the potential lawsuits that may follow.”
The scale of the problem outlined by Comparitech may only be the tip of the iceberg. Given how little information is released about ransomware attacks, the estimated figures may not reflect the real magnitude of the problem. For example, the Department of Health and Human Services breach portal used by Comparitech only lists breaches that affected 500 or more individuals, limiting the scope of the research. “The public might only find out if the healthcare organization undergoes severe disruption and makes news,” Comparitech researchers said. “If the latter is the case, these reports will have been included in our study.”
What Happens to the Stolen Data
So what happens to patients’ data if the hacking group that steals it is not paid the ransom demand? Here is an example. “According to recent reports, the hacking group behind Maze ransomware has been posting patient data, as well as other sensitive information, online after the victim organizations fail to pay them,” says Sheila Dickey, a technology expert from Thegoodestate. “According to the Maze hackers’ website, one of the targeted healthcare organizations is New Jersey’s Medical Diagnostics Laboratories (MD Lab). The website claims that they managed to encrypt 100 GB of data from 231 workstations, and published 9.5 GB of this data online when MD Lab refused to pay them 100 BTC, or $832,880.”
“Organizations that have data stolen have no good options available to them. Threat actors will promise to destroy data if ransoms are paid – but why would a criminal enterprise destroy data that it may be able to further monetize? The answer is that they probably will not,” said Brett Callow, a threat analyst at Emsisoft, an anti-malware solutions company. “There has been a definite uptick in ransomware attacks on healthcare providers over the last 12 months, but it’s impossible to estimate the frequency with which those attacks succeed. That’s primarily because breaches only come to light if organizations, or sometimes threat actors, disclose them, and we know that does not always happen.”