Hospitals and health systems continue to be targeted by ransomware hackers, disrupting patient care and costing millions of dollars in recovery costs.
Here are 10 things healthcare executives should know about ransomware attacks:
1. What is ransomware?
Ransomware is a type of malicious software that hackers place on victims' servers, locking them out of their systems and encrypting data until a ransom is paid. Victims often shut down their IT networks to contain the hack and stop it from spreading. The hackers often steal data to hold for ransom.
The cybercriminals gain entry through such methods as email phishing, fake updates or antivirus installs, or stealing or guessing log-in credentials to gain entry to remote access programs.
2. Why are hospitals and health systems targeted?
The hospital industry is a major target for ransomware gangs because of the monetary value of healthcare data on the black market and the high-stakes disruption caused by interrupting patient care. Health system ransomware attacks nearly doubled in 2023, according to cybersecurity firm Emsisoft.
Impairing the IT systems of hospitals and health systems is, literally, an issue of life and death, so hospitals and health systems might feel more pressure to pay ransom than other less critical industries. Researchers at Minneapolis-based University of Minnesota found that ransomware attacks increase mortality rates by 20% to 35% for patients admitted to hospitals at the time of the hacks.
3. When was the first ransomware attack on a hospital or health system?
The first known hospital ransomware attack took place in 2016 at Hollywood Presbyterian Medical Center in Los Angeles. Hackers encrypted the hospital's IT systems, leading the organization to pay $17,000 in ransom to get them unlocked. Things have escalated since then. Change Healthcare, a UnitedHealth Group claims processing subsidiary, forked over $22 million to hackers after a February 2024 ransomware attack.
4. What has been the largest health system ransomware attack?
"Largest" can be a subjective term because the severity of the immediate interruptions caused by the cyberattack varies widely. Additionally, secondary effects, such as data exposure and lawsuits, can continue impacting patients for months after the attack.
That said, the nation's two largest nonprofit health systems have both fallen victim to ransomware attacks in recent years: Chicago-based CommonSpirit Health in October 2022 and St. Louis-based Ascension in May 2024.
CommonSpirit reported a $160 million loss from the cyberattack. Beyond the monetary damages is the stress these types of events cause hospital and health system staffers.
Hackers' targets have gotten bigger over time as the attacks have become more sophisticated. While small hospitals are still victimized by ransomware gangs from time to time, many hacks now focus on large health systems. In 2023, Ardent Health Services, a 30-hospital system based in Nashville, Tenn., and Prospect Medical Holdings, a 16-hospital network headquartered in Culver City, Calif., were infected with ransomware.
5. Who is attacking hospitals?
Hospitals and health systems are typically targeted by "full-time professional cyber gangs that are well-trained, well-equipped, well-funded and often supported and sheltered by foreign governments," according to an article by John Riggi, national adviser for cybersecurity and risk for the American Hospital Association.
The groups often morph as authorities play hacker "whack-a-mole," but the gangs most actively targeting healthcare as of April 2024 were LockBit, BlackCat/ALPHV and BianLian, according to HHS' Health Sector Cybersecurity Coordination Center, or HC3. LockBit has hacked several hospitals in recent months, while BlackCat/ALPHV claimed responsibility for the cyberattack on Change Healthcare, the largest-ever healthcare ransomware incident, potentially compromising the data of one-third of Americans.
These criminal organizations evolve quickly. HHS, the FBI and the Cybersecurity and Infrastructure Security Agency warned in early May that the Black Basta ransomware gang, first identified in 2022, was increasingly targeting healthcare. That same month, the group was linked to the cyberattack that shut down Ascension's IT network.
6. How are ransomware tactics evolving?
In addition to greater scope and frequency, ransomware attacks on hospitals are also becoming more cruel.
In 2023, a cybercriminal group declared children's hospitals off limits; this year, cyberattackers hacked Lurie Children's Hospital of Chicago, causing appointment cancellations and confusion among pediatric patients and their families. The LockBit ransomware gang leaked nude breast cancer patients to the dark web after Allentown, Pa.-based Lehigh Valley Health Network refused to hand over ransom.
In late 2023, hackers threatened to send SWAT teams to the homes of Seattle-based Fred Hutchinson Cancer Center patients if the organization didn't pay up. Cybercriminals have also been extorting patients directly via email, demanding money in exchange for not posting their personal and health information online.
7. Should hospitals and health systems pay the ransom?
The American Hospital Association and federal law enforcement agencies advise against paying ransom because it encourages future attacks and doesn't guarantee the data will be returned.
"Our guidance is, hopefully, organizations will be able to prepare enough and that have immutable backups to restore from then have the defensive measures and the recovery procedures in place that they never have to face that very, very difficult decision," Mr. Riggi of the AHA told Becker's.
Ransomware negotiators told Politico that healthcare providers often end up paying the ransom to retrieve their stolen patient data and get their systems quickly restored.
"Right now, a lot of these organizations have two options: They stop operating and, in healthcare, someone might die, or they pay the ransom," Kurtis Minder, a ransomware negotiator with cybersecurity firm co-founder of GroupSense, told the news outlet.
Ransom amounts in ransomware attacks are often undisclosed due to legal obligations, potential encouragement of further attacks and concerns about reputational damage. Additionally, accurately measuring the full financial impact of such attacks can be complex.
Some dollar figures are reported and can provide a general sense of the amount of money demanded or stolen. In early 2024, a cybercriminal group reportedly asked for $900,000 in ransom from a Chicago safety-net hospital while another ransomware gang allegedly sold data stolen from a Chicago children's hospital on the dark web for $3.4 million.
Reported ransom figures do not capture the full extent of financial losses incurred in ransomware attacks, such as lawsuits or expenses incurred from suspended services.
8. Are hospitals and health systems the only healthcare victims?
Far from it. Hackers have learned that they can more easily get patient data — and obtain more of it — by targeting the many third-party technology vendors that work with health systems.
Thus why Change Healthcare, which handles patient records for 1 in 3 Americans — much more than any single health system — was targeted. Andrew Witty, CEO of Change parent company UnitedHealth Group, confirmed the company paid a $22 million ransom to the hackers.
In healthcare, over a third of data breaches come through third-party vendors, more than in any other industry, according to cybersecurity researcher Black Kite. Third-party cyberattacks are "by far the biggest risk we see," John Houston, vice president of information security and privacy for Pittsburgh-based UPMC, told Becker's in 2023.
9. What have leaders said about ransomware attacks?
On the shift to ransomware
"Five years ago, banking trojans designed to skim user credentials (like Emotet) seemed to be all the rage; WannaCry had just taken down most of Western Europe's healthcare infrastructure, which highlighted how ill-prepared healthcare was for both state-sponsored and ransomware attacks; and ransomware attackers were asking for a whopping $500 to restore enterprise systems," Aaron Weismann, chief information security officer of Berwyn, Pa.-based Main Line Health, told Becker's in 2022. "Now, ransomware seems to be the primary threat, with attacks focused on healthcare providers and their downstream service vendors, plus ransoms being levied in the millions and tens of millions of dollars."
On how hackers get in
"Healthcare has become a much bigger target in ransomware — this point can't be overstated," Michael Kearns, CISO of Omaha-based Nebraska Methodist Health System, told Becker's in 2022. "Email is our weakest link, but the bad guys have figured out that they are better off going in through the loading dock via third-party vendors like SolarWinds or Exchange. We are seeing more threat actors using vendors to get a foothold in your network."
On prevention
"Unfortunately, many of the organizations that fall victim to ransomware could have avoided the attack by employing basic hygiene," Anahi Santiago, CISO of Newark, Del.-based ChristianaCare, told Becker's in 2023. "Often the attacks leverage a vulnerability that could have been mitigated prior to the attack — that is not to say that this happens in every case. Patch and vulnerability management practices should be employed across the organization and serve as core components in any cybersecurity program."
On what the government can do to help
"For one thing, it is evident that we do not just need regulation and policies for cybersecurity in healthcare — we also need a federally-mandated ecosystem to assist with and standards for the cleanup and restoration activities after such an event," Saad Chaudhry, chief digital and information officer of Annapolis, Md.-based Luminis Health, told Becker's in 2024.
10. What are the latest regulatory and policy developments regarding hospitals and ransomware?
The Biden administration plans to introduce cybersecurity requirements for hospitals. Hospitals that don't comply could lose up to 100% of their yearly CMS payment increase and face extra penalties of up to 1% of their base payments, according to one proposal.
The White House also intends to offer free cybersecurity training for small, rural hospitals, while HHS said in May it plans to invest $50 million in autonomous cyber defenses for hospitals.
The AHA opposes mandatory cybersecurity standards, saying any lost money from CMS-imposed fines would hamper hospitals' ability to fight cyberattacks.
"The primary source of cyber-risk exposure facing the healthcare sector originates from vulnerabilities in third-party technology and service providers, not a hospital's primary systems," the AHA told Bloomberg. "The AHA supports a sectorwide approach to cyber-resiliency. We will continue to work with policymakers on an approach that doesn't result in unfunded mandates and a focus on the entire critical infrastructure of the healthcare sector."
Bills have also been introduced in the U.S. House and Senate that would require HHS' inspector general to conduct regular assessments of the agency's cybersecurity systems. Meanwhile, proposed legislation in the Senate would advance payments to hospitals in the event of a cyberattack if they met minimum cybersecurity requirements.