
At Least 141 Hospitals Directly Affected by Ransomware Attacks in 2023

Last year was a particularly bad year for ransomware attacks. According to an analysis by the cybersecurity firm Emsisoft, 46 hospital systems suffered ransomware attacks in 2023, up from 25 in 2022 and 27 in 2021. Across those 46 attacks, at least 141 hospitals were directly affected and experienced disruption due to the lack of access to IT systems and patient data.

It is difficult to accurately report on ransomware attacks in the healthcare sector, as many victims fail to disclose whether ransomware was used. Breach notification letters to the affected individuals and state Attorneys General often describe ransomware attacks as cyberattacks, unauthorized access, hacking incidents, security incidents, or encryption events, and as such, the number of attacks experienced in the sector is likely to be significantly understated. Emsisoft’s State of Ransomware in the U.S.: Report and Statistics 2023 reveals 2,207 U.S. hospitals, schools, and governments were directly impacted by ransomware in 2023 and many others were indirectly impacted via attacks on their supply chains.

Without access to patient records and essential IT systems, hospitals are often forced to put their emergency departments on redirect, with ambulances sent to neighboring healthcare facilities. Other hospitals in the region are placed under increased strain by the sharp rise in patient numbers, and the resulting resource constraints have a negative impact on time-sensitive conditions such as acute stroke.

The outages caused by these attacks mean scheduled appointments often need to be canceled and rescheduled, and bottlenecks occur in lab testing and radiology, resulting in delays to diagnosis and treatment, longer patient stays, and slower patient throughput; the disruption inevitably results in poorer patient outcomes. While there have been no reported deaths in the United States as a direct result of ransomware attacks, studies have shown that following a ransomware attack, there is an increase in medical complications and mortality rates. One study, conducted by McGlave, Neprash, and Nikpay of the University of Minnesota School of Public Health, found that in-hospital mortality for patients already admitted at the time of a ransomware attack increased. The attacks also caused a 17%-25% reduction in hospital volume during the initial attack week, and the researchers estimated that between 2016 and 2021, ransomware attacks killed between 42 and 67 Medicare patients.


These attacks naturally have a significant financial impact. According to the Verizon Cost of a Data Breach Report, the average cost of a healthcare data breach increased to its highest ever level in 2023, costing an average of $11 million, a 53% increase since 2020. Emsisoft said 32 of the 46 attacks on health systems resulted in sensitive data, including HIPAA protected health information, being stolen.

The average ransom payment in 2022 was $5,000, but by 2023 the average payment increased by 29,900% to around $1.5 million. The increased profits from ransomware attacks allow ransomware groups to scale their operations, pay initial access brokers, and purchase zero-days, which means even more attacks can be conducted. Fewer victims are now paying ransoms which means ransom demands need to increase to make up for the shortfall. Some ransomware groups have also started engaging in more aggressive tactics, such as contacting patients and demanding payment. Some attacks on plastic surgery centers have resulted in intimate images being publicly posted and patients being told they needed to pay to have those images removed from the Internet. One group contacted individual patients and threatened them with the release of their sensitive data and demanded $50 per patient to delete their data.

Many ransomware groups operate out of countries that turn a blind eye to the attacks, and some nation states are thought to use ransomware groups as proxies. While international law enforcement operations have successfully disrupted some ransomware groups, the individuals involved are rarely brought to justice. With so much money involved and a low risk of being caught, attacks are unlikely to reduce and may even continue to increase. The solution suggested by Emsisoft and many other experts is simple. Since ransomware attacks are conducted by financially motivated threat actors, making attacks unprofitable is the easiest way of tackling the problem. Governments should therefore ban ransom payments and cut off this very lucrative income stream.

“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them,” said Emsisoft Threat Analyst, Brett Callow. “The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
