
Ransomware attacks against healthcare organizations nearly doubled in 2021, report says

Melissa D. Berry  Lead Compliance Attorney Editor / Regulatory Intelligence / Thomson Reuters

· 5 minute read


Ransomware attacks against healthcare companies are increasing, leaving hospitals and other care facilities' data vulnerable to cyber-hackers' demands

Two-thirds (66%) of healthcare organizations were hit by ransomware attacks last year, up from 34% in 2020, according to a new report from cybersecurity firm Sophos. The near-doubling of cyber-incidents demonstrates how attackers have become “considerably more capable at executing the most significant attacks at scale.”

Because healthcare organizations are so heavily dependent on access to data — such as patient records — to maintain their operations, they are a frequent target for ransomware attacks. Even a short delay in access to records can result in negative outcomes for patients.

A full 61% of the healthcare organizations that reported ransomware attacks had their data encrypted during the event, according to the Sophos report, The State of Ransomware in Healthcare 2022. This was slightly better than the 65% encryption rate across all industry sectors worldwide, “indicating that healthcare was better able to stop data encryption in a ransomware attack,” Sophos said, noting that it also is an improvement from the 65% encryption rate in healthcare in 2020.

The report findings are based on an independent “vendor-agnostic” survey of 5,600 information technology professionals in medium-sized organizations, including 381 healthcare respondents across 31 countries.

The report also showed an improvement in the rate of extortion-only attacks, which fell to just 4% in 2021 from 7% in 2020. In extortion-only attacks, the data is not encrypted but the healthcare organization is “held to ransom with the threat of exposing data.” The improvement could be because more healthcare organizations have cyber-insurance, “which demands higher cybersecurity defense enhancements.”

The increase in successful ransomware attacks has “affected healthcare more than any other sector,” according to Sophos, which is based in the United Kingdom. Healthcare had the “highest increase in volume of cyber-attacks (69%) as well as the complexity of cyber-attacks (67%)” when compared with cross-sector averages.

Improved ransomware outcomes

Almost all (99%) of healthcare organizations subject to ransomware attacks in 2021 got “some encrypted data back” compared with only 93% in 2020. Within this group, 72% were able to restore encrypted data from backup files; 61% also reported that they “paid the ransom to restore data”; and 33% used other means to restore data. These numbers show that “many healthcare organizations use multiple restoration approaches to maximize speed and efficacy” to restore data and operations. More than half of healthcare organizations (52%) reported using multiple restoration methods, according to Sophos.

Interestingly, 14% of healthcare organizations reported using “three methods in parallel” to restore their data, which was the highest rate across all sectors and double the global average.

However, healthcare organizations that paid the ransom to restore their data got back only 65% of their data, compared with 69% in 2020. Only 2% of those that paid the ransom received all of their data, down from 8% in 2020.

Cost of ransomware attacks

Although healthcare tops the list for volume of payments, it is at the bottom for the amount paid, with the “lowest average ransom payment” of all sectors at around $197,000. Although the amounts paid were lower than in other sectors, the “overall amount of ransom paid by healthcare in 2021” went up by 33% compared to 2020, according to Sophos.

Only three respondents said their organization paid $1 million or more, according to the report. In contrast, 60% of the ransoms paid were less than $50,000. The lower amounts are likely due to the “constrained finances” of healthcare organizations, especially those in the public sector, according to Sophos.

Paying the ransom, however, is not the only cost of a ransomware attack. Ninety-four percent of respondents said the ransomware attack impacted their ability to operate and 90% of private sector healthcare organizations responded that the attack “caused them to lose business or revenue.” In fact, the average cost for a healthcare organization to remediate the impact of a ransomware attack went up to $1.85 million in 2021, compared to $1.27 million in 2020. This was the second-highest average cost across all sectors.

It took 44% of healthcare organizations “up to a week” to recover from a ransomware attack in 2021, and 25% took up to a month to recover. The average time for healthcare organizations to recover was one week.

Use of cyber-insurance

Only 78% of healthcare organizations reported having cyber-insurance against ransomware, with 46% also saying that there are “exclusions or exceptions in their policies.” Additionally, 93% of healthcare organizations with cyber-insurance reported it was getting harder to secure coverage, with 34% saying it was also more expensive. Healthcare organizations also reported that the level of cybersecurity required to qualify for coverage was higher, policies were more complex, and fewer companies offered cyber-insurance.

Among healthcare organizations that were hit by ransomware and had ransomware coverage, 97% reported that their policy paid out in the “most significant attack.” More than 80% reported the insurer paid the costs incurred to restore operations; however, only 47% reported that the insurer paid the ransom.