Story at a glance
- In this time window, personal health information exposure grew more than 11-fold, suggesting attacks are growing in sophistication and frequency.
- Findings are based on an analysis of 374 attacks throughout the country.
- Clinics were the most targeted health care delivery systems, followed by hospitals and other delivery centers.
The annual number of ransomware attacks against U.S. hospitals, clinics and other care delivery organizations more than doubled from 43 to 91 between 2016 and 2021, new research shows. The security breaches exposed personal health information of an estimated 42 million patients.
Findings were published in JAMA Health Forum and include data on 374 attacks throughout the country. During the five years studied, researchers found attacks exposed larger quantities of personal health data over time and became more likely to target large, multi-facility organizations.
Ransomware can prevent users from accessing electronic systems while perpetrators demand a ransom to restore access. Unlike other data breaches, the goal of the attacks is to disrupt operations rather than steal data, authors wrote. The software is a major cybersecurity threat and can jeopardize patient outcomes when health organizations are targeted.
America is changing faster than ever! Add Changing America to your Facebook or Twitter feed to stay on top of the news.
When a health care delivery organization’s system goes down, it can lead to delayed or canceled surgeries or appointments. Emergency departments may also be forced to divert ambulances, threatening patient safety and outcomes, researchers explained in the study.
Several government agencies warned about the increase in attacks coinciding with the COVID-19 pandemic— a time when health systems were already strained due to historic demand.
Of all the attacks included in the study, almost half disrupted care delivery, while over time, the attacks were less likely to be restored from data backups.
The amount of personal health information exposed in attacks increased more than 11-fold from 2016 to 2021, growing from 1.3 million to more than 16.5 million.
Evidence showed actors made some or all of the health information public in around 16 percent of attacks, “typically by posting it on dark web forums where stolen data are advertised for sale by including a subset of records,” authors explained in the study.
Clinics were the most common targets of the attacks, followed by hospitals, other delivery centers, ambulatory surgical centers, and mental/behavioral health organizations. Dental practices and post–acute care organizations were also targeted.
Around 9 percent of attacks lead to disruptions lasting longer than two weeks.
Researchers cautioned the totals reported are likely an underestimate of actual events due to underreporting.
“Missing attacks and delayed reporting suggest opportunities for legislators who wish to strengthen data collection around cyberattacks, particularly ransomware, so as to shape an informed and well-targeted policy response,” they wrote.
When it comes to defense against the attacks, some underfunded or vulnerable organizations may not have the time or money to comply with existing cybersecurity recommendations, researchers added. More research is needed to address this vulnerability and motivate increased investment in health system information technology budgets, they said.
Published on Jan 06,2023