Skip to main content

All Access Subscription

Get unlimited access to our full publication and article library.

Get Access Now

Interested in Group Sales? Learn more

Hospital Report logo small


The premier resource for hospital professionals from Relias Media, the trusted source for healthcare information and continuing education.

Ransomware Attacks on Healthcare Entities On the Rise


By Jill Drachenberg, Editor, Relias Media

Ransomware attacks on healthcare entities can disrupt operations, leading to canceled appointments, exposed protected health information (PHI), and potential threats to patient safety. These attacks doubled between 2016 and 2021, according to recent research, suggesting healthcare providers must focus on strengthening cybersecurity practices.

Investigators studied 374 ransomware attacks on healthcare entities between 2016 and 2021. The number of attacks doubled from 43 in 2016 to 91 in 2021. These attacks exposed the PHI of nearly 4.2 million patients. PHI exposure data was unavailable for 84 ransomware incidents because they were not reported to the Department of Health and Human Services (HHS). Most entities that reported to HHS did so outside of the mandated 60-day time frame. One in five organizations restored data from backups. Some of all PHI from 59 were found on the dark web.

Care disruptions occurred across 166 of the incidents, including system down time, delayed or canceled appointments, canceled procedures, and ambulance diversion. Thirty-two attacks caused disruptions exceeding two weeks. “These operational disruptions may harm patients, especially those experiencing emergencies and for whom timely treatment is crucial,” the authors concluded. “Further study is needed to quantify an empirical association between ransomware attacks and patient outcomes.”

Investigators also determined the cybercriminals are becoming more sophisticated. During the study period, the likelihood of healthcare entities regaining their data from backups decreased, and it became more likely their PHI would become public. During the study period, the probability that a ransomware attack affected multiple facilities simultaneously (i.e., a larger organization) increased by eight percentage points annually,” the authors noted. “Mental/behavioral health care delivery organizations were increasingly likely to experience ransomware attacks. While there was no statistically significant increase over time in operational disruptions overall, there was an increase in the likelihood that an attack was associated with delays or cancellations to scheduled care in the share of attacks that involved ambulance diversions.”

Law enforcement and cybersecurity experts discourage paying ransom because it might encourage cybercriminals to continue — and it does not always guarantee release of the ransomed computer systems.

We’ve seen that 80% of organizations that paid the ransom were hit a second time, and even a third time,” Israel Barak, chief information security officer with Cybereason, told Healthcare Risk Management. “Sixty percent of them said that the second attack came in less than a month after the first attack. Sixty-seven percent reported that the threat actors demanded a higher ransom amount that second time. Some were even hit a fourth time.”

Healthcare organizations must be proactive instead of reactive to ensure a swift response and resolution if they are hit with a ransomware attack. This includes creating a detailed incident response plan, training employees on implementing the plan, and educating employees on recognizing threats such as phishing emails. “You need to practice that plan regularly and underpin it with a strong culture of security awareness,” Carlos Morales, senior vice president of solutions at Neustar Security Services, told Healthcare Risk Management. “This keeps your defense top of mind for everyone in your organization so that you can ensure a swift and decisive response if there is an incident.”