U.S. healthcare organizations have spent more than $157 million in damages and payments for ransomware attacks

Ransomware has cost US healthcare organizations over $157 million in last five years

February 18, 2020
by John R. Fischer, Senior Reporter
The ramifications of more than 170 ransomware attacks since 2016 have cost U.S. healthcare organizations an estimated combined total of more than $157 million.

That is the finding of researchers at online services firm Comparitech, who add that the lack of transparency about when such attacks happen and what impact they have leads them to believe their figures “only scratch the surface” of the true costs incurred.

“I'm not sure why they don't always specify the type of ransomware,” Paul Bischoff, editor of Comparitech, told HCB News. “It could be that they do not know or don't wish to reveal details that could help future attackers. If a hospital pays a ransom, revealing that fact could make it a bigger target for future attacks … in the long-term, a lack of information leads to less intelligence that researchers, policy makers, and cybersecurity experts could use to gauge the severity and scope of ransomware.”

A total of 172 individual ransomware attacks have hit U.S. healthcare organizations since 2016, affecting 1,446 hospitals, clinics, and organizations, and 6,649,713 patients. This does not account for the many breaches affecting fewer than 500 people: those fall below the 500-individual threshold at which the HIPAA Breach Notification Rule requires prompt reporting to HHS and public listing, so they are rarely disclosed.

Another figure that is often not disclosed is the ransom demanded, which ranged from $1,600 to $14 million. In the 16 of 172 attacks where a demand was reported, attackers asked for $16.48 million in total and are known to have collected at least $640,000 since 2016. As with the attack counts above, these figures cover only cases in which the information was disclosed: Comparitech reports that 21 organizations admitted paying, and only seven revealed how much.

Drawing on specialist IT news, data breach reports, and the Health Services reporting tool, the researchers counted ransomware attacks on U.S. healthcare providers as closely as the available data allowed, then applied findings from studies of downtime costs to estimate a likely cost range for ransomware attacks on healthcare organizations.

California was hit hardest, accounting for 14.5 percent of attacks since 2016. Texas was second, with 14 attacks. Maine, Montana, New Mexico, North Dakota and Vermont had no recorded attacks.

Incurring more attacks than another state, however, does not necessarily mean a worse impact. Michigan, for instance, had the most patient records at risk, with almost 1.1 million people affected by just two ransomware attacks, compared with 753,000 exposed in California. The two Michigan attacks hit Airway Oxygen, a medical supply company, and Wolverine Solutions Group, a medical billing company, so some of the individuals affected live in other states.

Ransomware attacks can also leave machines offline for hours, weeks, or in some cases months. Downtime alone cost healthcare organizations an estimated $918,000 each in 2016; a more recent report puts the average cost of recovering from a healthcare cyberattack at $1.4 million and raises the industry-wide price of downtime to $240.8 million.

Patient health is the main concern, however. One study suggests that data breaches as a whole raise the 30-day mortality rate for heart attacks, leading to 36 additional deaths per 10,000 heart attacks annually. Allowing for the lack of transparency around these figures, Comparitech estimates that U.S. healthcare organizations have lost around $160 million to ransomware over the last four years, and warns that future attacks could hit lifesaving equipment, patient data and clinical systems harder if proper precautions are not put in place and staff are not trained to be more careful.

“In most successful ransomware attacks, human error plays a role somewhere along the line,” said Bischoff. “In many cases, this is due to phishing. Criminals pose as trusted personnel or authority figures in emails and other messages to trick hospital staff into clicking on links or attachments containing malware. Staff need to be trained on how to spot phishing emails, report them, and dispose of them properly. Hospitals need to create regular secure backups of their data. If ransomware prevents access to files, the backups can be used to replace those files quickly without major disruption to the hospital.”
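The backup advice in the closing quote (keep regular, secure backups and use them to replace files ransomware has locked) is only useful if the backup copy is itself intact and you can tell which live files were altered. The following is an added example, not code from the article, from Comparitech, or from any vendor it mentions: it writes a SHA-256 manifest alongside a backup copy, verifies the backup against that manifest before trusting it, uses the same manifest to find live files that have been changed or renamed, and restores only those. The directories, file names and record contents are constructed for the demonstration; a real deployment would write the backup to storage the production host cannot modify (offline media or immutable object storage), which a temporary directory only stands in for here.

```python
"""Added example: hashed backup manifest, integrity check, tamper detection and restore.

Not from the article. Paths, file names and record contents below are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and record a SHA-256 manifest of the copies.

    Assumption: dest is a location the production host can write to only during the
    backup window (here a temp directory stands in for offline or immutable storage).
    """
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> list:
    """Re-hash the backup copy against its manifest; returns entries that no longer match.

    An empty list means every backed-up file is present and unchanged.
    """
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_file(dest / rel) != digest]


def find_tampered(src: Path, dest: Path) -> list:
    """Compare live files against the backup manifest.

    Returns files that are missing, renamed (ransomware commonly appends a new
    extension) or whose contents no longer hash to the recorded value.
    """
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (src / rel).is_file() or sha256_file(src / rel) != digest]


def restore(src: Path, dest: Path, files: list) -> int:
    """Restore the listed files from the backup; returns how many were restored.

    Refuses outright if the backup fails its own integrity check, because a backup
    the ransomware could reach is not a backup.
    """
    if verify_backup(dest):
        raise RuntimeError("backup failed integrity check; do not restore from it")
    for rel in files:
        target = src / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, target)
    return len(files)


def demo() -> dict:
    """Constructed scenario: back up two records, simulate encryption of one, detect, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "records").mkdir(parents=True)
        (live / "records" / "patient_0001.txt").write_text("constructed sample record A\n")
        (live / "records" / "patient_0002.txt").write_text("constructed sample record B\n")
        make_backup(live, backup)

        # Simulated ransomware: overwrite one record with random bytes and rename it.
        victim = live / "records" / "patient_0002.txt"
        victim.write_bytes(os.urandom(32))
        victim.rename(victim.with_suffix(".txt.locked"))

        tampered = find_tampered(live, backup)
        restored = restore(live, backup, tampered)
        return {"tampered": tampered,
                "restored": restored,
                "clean_after_restore": find_tampered(live, backup) == []}


if __name__ == "__main__":
    print(demo())
```

The encrypted `.locked` copy is deliberately left in place rather than deleted, so that the artifact survives for incident response; the restore only writes back the files the manifest shows as altered. Running `verify_backup` on a schedule, not just at restore time, is what turns this from a copy into a tested backup.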