On a Sunday in early October, CommonSpirit Health, the second-largest hospital chain in the U.S., detected unusual activity on its network. What turned out to be a ransomware attack forced many of CommonSpirit’s more than 140 hospitals across the country to shut down their electronic health records, switch to charting with pen and paper, wait days for laboratory results, and cancel or reschedule appointments. More than a month after discovering the attack, some hospitals in the CommonSpirit network still lacked full access to their electronic health record systems.
The CommonSpirit hack is only one recent high-profile example of an epidemic of ransomware attacks in healthcare, one that is causing regulators and policymakers to take note. Since the start of the pandemic, the FBI and CISA have issued numerous warnings about ransomware activity in healthcare. Earlier this summer, the Cyberspace Solarium Commission, a bipartisan body designed to develop strategic approaches to improving cybersecurity, sent a letter to Health and Human Services (HHS) Secretary Xavier Becerra requesting a briefing on healthcare ransomware attacks. Bipartisan legislation has been introduced in Congress to improve healthcare cybersecurity, with movement toward additional proposals. And the White House has announced upcoming rulemaking regarding cybersecurity standards for hospitals.
Unfortunately, despite many one-off reports of ransomware attacks in the healthcare sector, comprehensive data about their frequency and scope is limited. In a new JAMA Health Forum Original Investigation, we and our co-authors address this data gap. We have created the Tracking Healthcare Ransomware Events and Traits (THREAT) database, a comprehensive accounting of 374 ransomware attacks on U.S. healthcare delivery organizations from 2016 to 2021. To assemble this database, we used proprietary and publicly available data, supplemented with news reports, press releases, and breach notification letters. While many cybersecurity firms conduct similar tracking of ransomware attacks and publicize their findings, ours is the first peer-reviewed analysis of a database with transparent data collection protocols.
Using the THREAT database, we are able to quantify the scope of the healthcare ransomware threat. From 2016 to 2021, the number of ransomware attacks on healthcare providers more than doubled. Attack severity has also increased in multiple ways: in 2021, 70% of ransomware attacks affected multiple facilities (that is, multiple hospitals) simultaneously, up from only 18% in 2016. The average ransomware attack in 2021 exposed the protected health information (PHI) of 229,000 patients, compared to only 37,000 in 2016. PHI was also more likely to be sold or posted online in 2021 than it was in 2016. During the six years we studied, ransomware attacks exposed the PHI of a cumulative 42 million patients, more than 10% of the U.S. population. These findings are likely underestimates since, despite nearly a year of meticulous data collection, the THREAT database likely under-captures the full extent of ransomware attacks on healthcare providers.
When a ransomware attack disrupts the world’s largest meat supplier, consumers feel the cost at the grocery store; when a ransomware attack disrupts a hospital, the true cost may be measured not only in dollars but also in human lives. In addition to stealing data, ransomware attacks are frequently designed to disrupt business operations, in order to motivate prompt payment of the demanded ransom. In healthcare, this means disrupting necessary care for sometimes critically ill patients. Almost half of the ransomware attacks we studied showed tangible evidence of operational disruptions, but this varied by type of healthcare provider. More than three in four attacks on hospitals caused operational disruptions. These disruptions take many forms, including disabled electronic health records, canceled surgeries, and ambulance diversion (a protocol directing incoming ambulances to other facilities, typically used to temporarily relieve emergency room overcrowding). Our team’s future research agenda includes quantifying the effects of ransomware attacks on patient safety and outcomes.
As healthcare cybersecurity receives increasing attention, we encourage legislators and regulators to prioritize evidence-based policy options and to expand data collection with the goal of facilitating a better understanding of this ever-growing threat. In particular, we offer three recommendations to policymakers interested in supporting a data-driven approach to enhancing cybersecurity in healthcare.
1) Improve existing data collection.
Entities subject to the Health Insurance Portability and Accountability Act (HIPAA) must notify HHS of a data breach within 60 calendar days of breach discovery. HHS makes this information public when the reported breach exposed the data of 500 or more individuals. Our investigation revealed two major weaknesses with the current reporting regime:
First, more than half of all ransomware attacks were reported late (more than 60 days after discovery). From 2016 to 2021, late reporting grew more rather than less common. It is unclear whether current reporting requirements have a sufficiently strong enforcement mechanism, and recent news coverage suggests that the office in charge of investigating reported data breaches may be under-resourced.
Second, one in five ransomware attacks wasn’t reported at all. Roughly 20% of the ransomware attacks in the THREAT database did not appear in the HHS database. This absence may be due to low PHI exposure (some of the attacks may have exposed the PHI of fewer than 500 individuals). It may also reflect confusion about whether a ransomware attack needs to be reported when the attackers “merely” encrypt the information rather than steal it as well. Guidance from HHS states that a health provider does not need to report a ransomware attack if organizations can demonstrate a low probability that PHI has been exposed. As such, the existing reporting requirements provide an incomplete view into the full scope of the ransomware threat. Policymakers have an opportunity to update reporting requirements to better serve the needs of patients and researchers.
2) Expand data collection.
Researchers and policymakers need additional information to fully understand the harms of cyberattacks in healthcare. For example, it seems crucial to know whether paying (rather than refusing) the ransom during a ransomware attack allows hospitals to resume care-as-usual faster. We initially set out to compare the length of operational disruptions for healthcare providers who did and did not pay the ransom. While some organizations have been very public about their decision to pay or not pay demanded ransoms, most have not, and this lack of information frustrated our inquiry. Although not without its costs, legislation could require the reporting of ransom demands and payments in the event of ransomware attacks, in and beyond healthcare. This information would, for example, allow policymakers to fully understand the tradeoffs involved in law enforcement’s decisions to withhold assistance during ransomware attacks on hospitals.
3) Align cybersecurity recommendations with the realities of healthcare delivery.
The list of recommended IT best practices for avoiding ransomware attacks is long and expensive. It’s not clear to us whether these recommendations are actionable for the average hospital, let alone most clinics (which represent the plurality of ransomware victims among healthcare providers), given existing IT budgets and workforce challenges. Right now, most healthcare organizations report devoting less than 10% of their IT budgets to cybersecurity, and hospitals struggle to hire cybersecurity personnel.
As legislative and regulatory energy builds to mandate minimum cybersecurity protocols in healthcare, we urge policymakers to prioritize evidence-based actions that have been shown to work within the context of healthcare delivery organizations. It is crucial to not underestimate either the complexity of healthcare or the growing pains of an industry that only recently switched from pen-and-paper to digital records. There are likely many opportunities to improve cybersecurity in healthcare, but doing so will require both sticks (requiring minimum cybersecurity standards) and carrots (subsidies and technical assistance). And the approaches will have to be tailored to the healthcare provider at issue: a one-size-fits-all solution is unlikely to fit anyone particularly well.
– Hannah Neprash, Alan Z. Rozenshtein, Lawfare