389 healthcare companies hit by ransomware this year, Microsoft finds
Healthcare organizations lose up to $900,000 per day on downtime alone, data shows.
This year, 389 healthcare institutions in the U.S. were attacked with ransomware, which caused network shutdowns, offline systems, rescheduled appointments and delays in critical procedures, finds a new report from Microsoft.
The report, which aggregated information from other reports and data sets, cited a Comparitech analysis showing that the attacks are costly – healthcare organizations lose up to $900,000 per day on downtime alone, the data showed.
According to a recent U.S. government interagency report cited by Microsoft, ransomware attacks have surged by 300% since 2015, largely because ransomware-as-a-service (RaaS) has lowered the barrier to entry for hackers who lack technical expertise, with other ransomware groups finding safe harbor in Russia.
Out of the 99 healthcare organizations that admitted to paying the ransom and disclosed the ransom paid, the median payment was $1.5 million, and the average payment was $4.4 million, according to the HIPAA Journal.
WHAT'S THE IMPACT?
Citing information published in SSRN, Microsoft said the disruption to healthcare operations caused by ransomware attacks can severely impact the ability to effectively treat patients – not only at affected hospitals, but also at those in nearby areas, which absorb displaced emergency department patient volume.
Another study referenced by Microsoft and published in JAMA examined four hospitals (two attacked and two unaffected) and showed how a ransomware attack led to increased emergency department patient volume, longer wait times and additional strain on resources.
In that case study, the unaffected hospitals had to absorb patients from the affected hospitals. Stroke code activations at the nearby hospitals nearly doubled, from 59 to 103, while confirmed strokes rose by 113.6%, increasing from 22 to 47 cases.
The survival rate for out-of-hospital cardiac arrests with favorable neurological outcomes dropped drastically for the unaffected hospitals during the attack, falling from 40% pre-attack to 4.5% during the attack phase. And during the attack, the unaffected hospitals had notable increases in patients leaving without being seen, waiting room times, and total length of stay for admitted patients; the median waiting room time increased from 21 minutes pre-attack to 31 minutes during the attack, for example.
According to Microsoft, part of the reason ransomware has become such a pronounced problem for healthcare is the sector's track record of making ransom payments, likely because organizations would rather pay millions than experience disruptions.
In fact, according to a recent report based on a survey of 402 healthcare organizations, 67% experienced a ransomware attack in the past year. Among these organizations, 53% admitted to paying ransoms in 2024, up from 42% in 2023.
THE LARGER TREND
A June report from KnowBe4 found the healthcare sector experienced 1,613 cyberattacks per week in the first three quarters of 2023, nearly four times the global average, and a significant increase from the same period the previous year.
This surge has contributed to a steep rise in cyberattack costs for healthcare organizations, with the average breach cost nearing $11 million – more than three times the global average – making healthcare the costliest sector for cyberattacks.
Ransomware attacks have dominated, accounting for over 70% of successful cyberattacks on healthcare organizations in the past two years.
Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.