Cyberattacks against health care facilities, a near-constant occurrence in the U.S., often lead to increased patient mortality rates, a new study has found.
The study, conducted by the Ponemon Institute, a Washington, D.C., think tank, interviewed more than 600 information technology professionals across more than 100 health care facilities. Its findings are some of the most concrete evidence to date that the steady drumbeat of hackers attacking American medical centers leads to patients’ receiving worse care and being more likely to die.
Two-thirds of respondents in the Ponemon study who had experienced ransomware attacks said they disrupted patient care, and 59% of them found they increased the length of patients’ stays, straining resources. Almost one-quarter said they led to increased mortality rates at their facilities.
In a ransomware attack, hackers gain access to an organization’s computer networks, lock up its data and demand payment. They have become a scourge for the health care industry in recent years. Hospitals don’t always publicize when they’ve been victims; documented attacks, however, have increased every year since 2018, culminating in 297 known attacks last year, according to a survey the cybersecurity company Recorded Future provided to NBC News.
There have been at least 12 ransomware attacks on health care facilities in the U.S. this year, said Brett Callow, an analyst at the ransomware company Emsisoft. But because some health care companies represent multiple locations, those attacks accounted for 56 different facilities, he said.
More than half of health care facilities represented in the survey had been infected with ransomware in the past three years, the Ponemon study found.
Health care facilities run the gamut from giant hospital chains to small individual shops with only a handful of employees and few or no dedicated IT and cybersecurity staffers. Larger hospital networks may have more centralized experts, but they are also larger targets, and a single attack can slow patient care at hundreds of hospitals across the country, as happened in the attack on Universal Health Services in 2020.
There has been only a single public claim that named a specific person said to have died because of a ransomware attack in the U.S. In 2020, an Alabama woman sued her hospital, which had been the victim of a ransomware attack, after her newborn baby died. The case is ongoing.
But there’s long been little doubt that persistent cyberattacks against hospitals have caused serious harm to patients, said Josh Corman, a vice president at the cybersecurity company Claroty and the author of a landmark report on ransomware’s effects on health care for the Cybersecurity and Infrastructure Security Agency, the U.S. government’s main cyber watchdog.
“We know that delays in care affect mortality rates, and we know that cyberattacks introduce delays,” Corman said.
While ransomware attacks are generally regarded as private criminal enterprises, some of the most prolific hackers behind them have ties to governments. Conti, a Russian-speaking gang behind an attack on Ireland’s national health care service that led to months of disruptions, expressed some ties to Russian intelligence in leaked chats, and the State Department has claimed it has links to the Russian government.
The U.S. has also accused North Korea of being responsible for a different strain of ransomware that targets American hospitals, called Maui.