Cybercriminals have accessed the medical records of more than 40 million Americans since 2016, as the number of healthcare hacks doubled.
About half of the hacks caused dangerous interruptions to care, such as ambulance delays, canceled surgeries and difficulty accessing digital prescriptions.
According to a report released today, one in six cyber breaches led to the theft and sale of personal health information on the dark web.
Researchers have warned that the increased frequency and sophistication of cyberattacks on healthcare threaten patient safety as well as privacy. They say the US government is failing to crack down on healthcare providers who fail to harden their systems or report ransomware attacks quickly enough.
Last month, DailyMail.com reported that a toddler in Iowa was accidentally given a megadose of opioids and ‘urgent’ cancer patients had their surgeries delayed for a month after the failure of a multi-state hospital computer system.
The number of cyberattacks on healthcare providers has more than doubled since 2016 – with 91 per year in 2021 compared to 43 five years ago.
Up to 80% of hacks resulted in disruptions to operations, which lasted for weeks.
The latest analysis, by researchers at the University of Minnesota in Minneapolis, looked at 374 ransomware attacks in the United States between January 2016 and December 2021.
The results showed that the frequency of hacks had more than doubled over that period, from 43 breaches in 2016 to 91 last year.
Cybercriminals also seem to be getting bolder, with the number of attacks against large organizations spanning multiple states increasing.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
Without access to patient records and other hospital programs, including drug distribution systems, doctors and nurses effectively treat patients in the dark.
Nearly half (44%) of ransomware attacks disrupted healthcare delivery, with one in 10 resulting in canceled appointments or operations and 4% causing ambulance hijackings.
In total, the medical records of 41.9 million Americans were accessed during this time, but hackers have become much more adept at obtaining patient information.
In 2016, around 1.3 million records were accessed, compared to more than 16.5 million in 2021, an 11-fold increase.
Across all 374 attacks, about one in five healthcare organizations would have been able to restore data from backups.
But for 16% of ransomware attacks, there was evidence that ransomware actors made some or all of the stolen medical information public, usually by posting it to dark web forums.
Of the hacks over the past five years, 9% caused disruptions that lasted two weeks or more.
Still, the researchers say the true numbers of cyberattacks “are likely underestimated due to underreporting.”
Guidelines from the Department of Health and Human Services (HHS) state that healthcare providers must report a ransomware attack if more than 500 people are affected.
But the researchers warn that there is confusion over whether hacks should be reported through official channels when they involve the encryption, but not the actual deletion, of data from computer systems.
Writing in the minutes, they said: “Furthermore, the current reporting requirements lack either an enforcement mechanism or a penalty for non-compliance.”
“Even when an entity reports an attack, there is no penalty for doing so outside the legal 60-day window, which may explain the high proportion (53.5%) of ransomware attacks with delayed reporting.
“Rather than healthcare organizations self-correcting as ransomware attacks become more common, we have seen an increase over time in the share of late-reported attacks.
“Missing attacks and late reports suggest opportunities for lawmakers who want to strengthen data collection on cyberattacks, especially ransomware, to shape an informed and well-targeted policy response.”
Origin: This article originally belongs to Dailymail.co.uk