Search This Blog

Thursday, December 29, 2022

Healthcare Ransomware Attacks on the Rise

 Ransomware attacks on healthcare facilities, from hospitals to dental offices, have substantially increased in number and severity in recent years, according to a cohort study.

HHS data spanning 2016-2021 showed the annual number of ransomware attacks doubled (43 in 2016 to 91 in 2021) and the number of patients effected increased by more than 11-fold (from approximately 1.3 million in 2016 to more than 16.5 million in 2021), according to Hannah T. Neprash, PhD, of School of Public Health at the University of Minnesota in Minneapolis, and co-authors.

Moreover, these ransomware attacks also increasingly targeted large healthcare organizations with multiple facilities (mean annual marginal effect [ME] 0.08; 95% CI 0.05-0.10, P<0.001), and exposed the personal health information of more patients (ME 66,386; 95% CI 3,401-129,371, P=0.04), they reported in JAMA Health Forum

opens in a new tab or window.

The attacks grew more severe, with data less likely to be restored from backups (ME −0.04; 95% CI −0.06 to −0.01, P=0.002), and they were increasingly associated with delays or cancellations of scheduled care (ME 0.02; 95% CI 0-0.05, P=0.02).

Meanwhile, ransomware victims became more likely to miss reporting the attacks within HHS's required 60-day timeline (ME 0.06; 95% CI, 0.03-0.08, P<0.001).

The findings show these kinds of cyberattacks reflect an ongoing trend affecting healthcare organizations, which might not be clear to many providers because of the lack of data, Neprash emphasized.

"When we started this research, there was a lot of kind of anecdote about the rise of ransomware attacks on hospitals and doctors offices and everything in between, but there really wasn't much rigorous evidence," Neprash told MedPage Today. "So we set out to fill that vacuum."

"This problem is clearly getting worse," she added. "There's some evidence that the sophistication of the ransomware attacks is increasing in a way that's concerning."

The data provides context to the glut of recent breaking news stories about these attacks over the past few years, such as the 2021 attack on Southern California's Scripps health systemopens in a new tab or window. More recent reports have indicated that specific types of attacks, such as Ryuk ransomwareopens in a new tab or window, have had an outsized impact on the healthcare industry.

Calls to emphasize cybersecurity awareness and preparednessopens in a new tab or window to deal with ransomware attacks have grown, especially in light of the ongoing falloutopens in a new tab or window that has affected healthcare systems after these attacks. In one prominent example, the Scripps attack led to class action lawsuitsopens in a new tab or window against the system.

Despite the attention these individuals attacks garnered, Neprash said the lack of data on the trends, impact, and severity of these attacks could be hindering the healthcare industry's ability to sufficiently address this issue.

"There's a lack of awareness, and a lot of that is driven by the lack of data on this topic," she said. "There's been so much secrecy. I don't think anyone wants to advertise the fact that their hospital system fell victim to a ransomware attack, but given how common it's become, I think it is beyond time to start talking about this and start doing something to prevent this."

Neprash and colleagues documented 374 ransomware attacks during the study period from 2016 to 2021. In total, these attacks affected personal health records of about 42 million patients. Some 42% of the attacks shut down the facilities' electronic systems, 10.2% led to canceled appointments, and 4.3% resulted in ambulance diversions.

Every major category of healthcare service facilities saw a rise in ransomware attacks during the study period:

  • Clinic (26 incidents in 2016 vs 51 in 2021)
  • Hospital (13 vs 23)
  • Ambulatory surgical center (8 vs 15)
  • Mental/behavioral health (3 vs 18)
  • Dental (2 vs 12)
  • Post acute care (1 vs 4)
  • Other (8 vs 22)
Neprash noted that, while these trends are worrisome, the data could also be a signal that changes are needed to improve digital security throughout the healthcare industry.

"Healthcare is a sector that's always been a little bit behind the curve on IT adoption," Neprash said. "It took a lot of work to get most health care providers to adopt EHRs, and now that they have, I think there's a lot of opportunity to improve cybersecurity and adopt evidence-based best practices."

Disclosures

Authors declared they had no relevant financial interests.

Primary Source

JAMA Health Forum

Source Reference: opens in a new tab or windowNeprash HT, et al "Trends in ransomware attacks on us hospitals, clinics, and other health care delivery organizations, 2016-2021" JAMA Health Forum 2022; DOI: 10.1001/jamahealthforum.2022.4873.


https://www.medpagetoday.com/special-reports/exclusives/102427

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.