Ransomware attacks on the healthcare sector exploded in 2020. No less than 91 U.S. healthcare companies experienced ransomware attacks, 50 more than the past year. 2020 additionally had a big ransomware attack on Blackbaud, which impacted around 100 U.S. healthcare companies.
The very first ransomware attack reported happened in 1989 however earlier types of ransomware weren’t specifically complex and attacks were quick to mitigate. The scenario evolved in 2016 when a different type of ransomware was employed in attacks.
These different ransomware variants make use of strong encryption and remove or encrypt backup files to make sure data recovery is not possible without a ransom payment. In the last 5 years, ransomware was a continuous threat to the healthcare sector. Healthcare companies are more and more targeted recently. Attacks today involve stealing of sensitive data before file encryption, therefore even though files are recoverable from backups, paying the ransom is still necessary to avoid the exposure or selling of stolen information.
Healthcare ransomware attacks impair IT systems, make patient health records inaccessible, interrupt patient care, and endanger patient safety. Retrieving information and restoring systems could last weeks or months and handling the attacks is costly, with substantial loss of income because of outages. In 2020, the University of Vermont Health Network ransomware attack cost $1.5 million per day in recovery expenses and lost income.
The True Cost of Healthcare Ransomware Attacks
Researchers at Comparitech lately performed a study to determine the true price of ransomware attacks on US healthcare companies. The researchers collected data on all ransomware attacks documented by the U.S. Department of Health and Human Services’ Office for Civil Rights since 2016, along with attacks documented via media outlets although were not publicized by OCR as they impacted less than 500 people.
Computing the actual price of healthcare ransomware attacks is hard because only minimal information is publicized. Ransoms could be paid, although the sums are frequently not shared and attacks that impact under 500 people are usually not publicized.
The researchers reported that there were 92 healthcare ransomware attacks in 2020, which include the Blackbaud attack. Over 600 distinct hospitals, clinics, and other healthcare centers were impacted by those ransomware attacks, with another 100 impacted by the Blackbaud attack. Those attacks occurred with the stealing or exposure of the protected health information (PHI) of about 18,069,012 patients.
Ransom demands vary from $300,000 to $1.14 million. The average ransom demand is $169,446 in 2020, according to Coveware. Attackers demanded $15.6 million in ransoms from U.S. healthcare organizations in 2020, and $2,112,744 was confirmed to have been paid to ransomware gangs. The true amount is considerably bigger as ransom payments were usually not publicly shared.
Besides the ransom payment, downtime lasting weeks or months is another cost of ransomware attacks. Coveware research shows that the average downtime was 15 days (Q1 of 2020) to 21 days (Q4 of 2020. According to the Comparitech researchers, the total downtime from the 2020 attacks was 1,669 days. If using the 2017 estimation of downtime cost of $8,662 a minute, the attacks in 2020 cost approximately $20.8 billion, which is two times more than the approximated ransomware attacks cost in 2019 ($8.46 billion).
The researchers determined 270 healthcare ransomware attacks in the U.S.A. from January 2016 to December 2020, which impacted about 2,100 clinics, hospitals, and other healthcare centers. The attacks saw the stealing or encryption of data of over 25 million people, having a total estimated cost of $31 billion to the healthcare industry.
Read the complete details of the Comparitech healthcare ransomware study here.
