More than half of hospitals hit with ransomware in last 12 months

New research by Healthcare IT News and HIMSS Analytics found considerable uncertainty, questionable business continuity plans, and the need for more effective end-user education rampant in the industry. 
By Tom Sullivan
07:52 AM
Share

As many as 75 percent of U.S. hospitals responding to a poll this week could have been hit with ransomware in the last year, according to the new Healthcare IT News and HIMSS Analytics Quick HIT Survey: Ransomware, and a chunk of those might not even know it. 

“Over half the people we polled indicated that they had some sort of ransomware attack,” said Brendan FitzGerald, HIMSS Analytics Research Director for Advisory Solutions.

What’s more, another 25 percent are either unsure or have no way of knowing whether ransomware attacks were perpetrated against them or not.

Taken together, that means approximately 75 percent of responding healthcare entities either were or could potentially have been targeted with a ransomware attack.

While numerous, very few ransomware attacks have been successful to date — which explains why only a handful catch the public’s attention.

Some 50 percent of respondents, in fact, said they are unsure or have no way of knowing if they managed to find such attacks. 

[Special Report: Tips for protecting hospitals against ransomware as attacks surge]

How ready are hospitals for a ransomware attack, should it succeed and their data or systems be encrypted?

“Seventy three percent of the health systems we surveyed have a business continuity plan in place, so if something happens they are prepared to address it,” FitzGerald said.

Of the remaining 26 percent, only 3 percent answered that they are unsure, while 23 percent said they do not have a business continuity plan in place should a ransomware attack occur. 

“When asked if they would pay the ransom, almost half said they are unsure," FitzGerald said. "That calls into question how solid those plans really are when dealing with ransomware.”

The reality is that many hospital executives cannot easily know up-front whether they will pay or not.

That decision will be determined by various factors, including the scale of the attack, when it was detected, how quickly the business continuity plan kicked in, how widespread the encryption is, and when exactly the last data back-up occurred.

“Some organizations back up data daily. But when you’re talking about an entire health system, there’s no guarantee that the data will get backed up every single day,” FitzGerald said. “Even daily backups can be hit or miss in terms of what kind of data is included, be that lab results, images, or other types.”

“There has been a lot of industry literature around whether or not to pay the ransom, most of it recommending not to,” FitzGerald said. “I think as a last resort there’s that potential to pay a ransom.”  

Meaning choosing whether or not to pay the ransom is most likely going to be a game day decision.

To avoid being in that position in the first place, FitzGerald recommended that healthcare executives concentrate on educating end-users above all else because prepared employees, even more than whiz-bang security tools or more frequent back-ups, will be the biggest deterrent to hackers getting in.

“Moving forward,” FitzGerald said, “it’s going to be interesting to see how organizations respond to this.”

Healthcare IT News and HIMSS Analytics are collaborating on Quick HIT pulse-of-the-market studies to highlight hot button issues across the healthcare IT landscape. This survey comprised 61 responses including answers from CIOs, chief information security officers, IT-director level and above. 

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com


Like Healthcare IT News on Facebook and LinkedIn