US Healthcare Ransomware Costs $77.5 Billion In Downtime 

A study of ransomware attacks on healthcare companies that deal directly with patients and their data found that, over the past seven years, the cost in downtime alone hit a staggering $77.5 billion.

The report by Comparitech reviewed 539 confirmed ransomware attacks on US healthcare organizations, affecting some 52 million patient records and 10,000 separate facilities. The report covers the period from 2016 – 2023.

The impact of a forced shutdown on healthcare providers can be catastrophic, crippling key systems and preventing staff from accessing patient data.

The study shares the example of CommonSpirit Health, an Illinois-based healthcare system with 142 hospitals and more than 700 care sites, which suffered a ransomware attack in October 2022. For this one provider alone, the cost of the attack has so far reached over $160 million and is still rising. The attack took 400 care sites offline for three weeks.

Key findings in the study:

  • 539 separate ransomware attacks on medical organizations
  • 9,780 separate hospitals/clinics/organizations affected
  • 52,298,595 individual patient records were impacted
  • Ransom amounts varied from $1,600 to $10 million
  • Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
  • Average of 14 days downtime for a total of 6,347 days.
  • Hackers demanded more than $39 million across 34 attacks and received payment in 31 out of the 160 cases where the medical organizations disclosed whether or not they paid the ransom. (Organizations are more likely to disclose that they have not paid the ransom than that they have.)
  • The overall cost of these attacks is estimated at around $77.5 billion
  • Conti, Maze, Hive, Pysa, and LockBit were the most prolific hacking groups. The first three dominated in 2020/21, with Hive taking over in 2022 and LockBit accounting for the most attacks so far this year

Jan Lovmand, CTO of BullWall, had this comment:

  “These findings are deeply concerning and not surprising. The financial toll of $77.5 billion is substantial, but the real human cost is immeasurable. This is a full-on battle. Ransomware attacks on healthcare facilities pose a grave threat to public health and safety. These assaults not only shut down delivery of critical medical services, causing delays in essential surgeries and treatments that jeopardize patients’ lives, but they also breach the sanctity of sensitive patient data. The aftermath of such attacks can be catastrophic, leaving hospitals grappling to recover their data and regain control over their systems. Whether the ransom is surrendered or not, the toll in both financial losses and compromised patient care deals a crippling blow to these already strained institutions.”

   “Hospitals and healthcare organizations have a bullseye painted on them in the eyes of cybercriminals. A heavy reliance on technology to manage a huge range of functions, from patient records to surgical equipment, provides a vast attack surface of uniquely susceptible targets. This vulnerability is further exacerbated by their meager resources allocated for bolstering cybersecurity defenses. However, with ransomware showing no sign of abating, it is imperative to invest in countermeasures that can stop these attacks without necessitating a complete shutdown of IT systems and healthcare services. A good ransomware containment defense and off-site backups are table stakes.”

Emily Phelps, Director at Cyware, follows with this:

   “Healthcare continues to be one of the most targeted industries because of its valuable data and limited security resources. Because of the complexity of securing vast organizations that maintain new and legacy systems, adversaries can exploit gaps in their defenses. With advanced technologies such as AI, threat actors can also operate faster, further complicating an already difficult situation for these healthcare entities.

   “To mitigate the risks, healthcare organizations must be able to move from a reactive to a proactive security posture. To do this, they need access to relevant, context-rich threat intelligence which helps them understand what threats should be prioritized – healthcare ISACs can help provide this to organizations that become members. But the intelligence must also be prioritized and orchestrated appropriately in order to take meaningful action. Security orchestration and collaboration, combined with automated threat intelligence platforms help ensure the right information gets to the right people at the right time.”

I’ve said it before and I’ll say it again. With the exception of education, healthcare is a prime target for threat actors. Those in healthcare need to do everything possible to reduce their attack surface, as it’s high time they stopped being prime targets.