The rising tide of ransomware attacks in healthcare is exacting a hefty price from hospitals and other medical providers who’ve had their data locked up by cyberattacks.
Healthcare providers face potential costs arising from more than just the initial ransom; targeted systems have seen lost patient revenue, the need for remediation, and additional recovery costs. And even the largest health systems in the country aren’t immune to the costly ripple effects, such as delayed patient care, including surgeries, that can linger even after an initial attack.
“Not only is the frequency [of ransomware attack] picking up, but I’d say the magnitude or the size is also getting bigger,” said Brian Tanquilut, a healthcare services analyst at Jefferies.
CommonSpirit Health, one of the nation’s largest hospital chains, was hit with a high-profile cyberattack in October. The system has not publicly disclosed the financial fallout, but a Dec. 1 update published on the company’s website said that the cyberattackers gained access to personal information for some patients and that an investigation is ongoing. Chad Burns, a spokesperson for CommonSpirit, declined requests for an interview.
Ransomware can cost hospitals millions—and then some
Sliding scale
According to one expert who spoke to Healthcare Finance, healthcare organizations typically only devote 4%–7% of their IT budget to cybersecurity.
In many cases, only a fraction of the cost of ransomware is attributed to the ransom itself. The average payment for healthcare-related ransoms is roughly $197,000—the lowest for any sector, according to Sophos’s ransomware report.
“It seems that the bad guys actually have a sliding scale depending upon the size of your organization,” Riggi said. “The initial demand can range anywhere from $1 million for a small hospital all the way up to…tens of millions of dollars for a large health system.”
Cyberattackers can also raise their price to gain negotiation leverage.
No easy solutions
The AHA strongly discourages paying a ransom, Riggi said. As IT Brew has noted, there’s even a risk of violating the law if the payment goes to any bad actors designated by the Treasury Department’s Office of Foreign Assets Control (OFAC), even where it is ambiguous who is receiving the payment.
In March, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which aims to ensure cyberattacks and ransomware payments are reported in a timely manner so the federal government can provide assistance.
But Moore, whose firm worked with OrthoVirginia to provide cybersecurity services after a ransomware attack, said he’s not optimistic that the new law will reduce the problem of ransomware attacks in healthcare. “The quickest solution is to stop paying ransom,” Moore said. “This is easier said than done if you are an organization that is unable to function because your data is encrypted.”
By Michael Schroeder
January 11, 2022
Amelia Kinsinger
A report from the cybersecurity firm Sophos determined that “the average remediation cost [from a ransomware attack] went up from $1.27 million in 2020 to $1.85 million in 2021.” For others, it’s much more costly.
Tenet Healthcare, a Dallas-based healthcare company, reported a loss of about $100 million attributed to a ransomware attack in April, according to its second-quarter earnings report. San Diego-based Scripps Health said a ransomware attack cost it nearly $113 million in May and June 2021 primarily due to lost revenue, along with recovery costs.
“Hospitals immediately incur significant financial cost due to the interruption, potentially, of care delivery services,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
Overall, ransomware attacks have likely led to billions in losses for healthcare systems, said Jon Moore, chief risk officer and head of consulting services for Nashville-based healthcare cybersecurity firm Clearwater.
The cost goes beyond financial losses, too—patient safety might be compromised. One woman is suing an Iowa health system for a medication dosage error she says was tied to a ransomware attack at the hospital where she had taken her son.
OrthoVirginia, the state’s largest orthopedic care provider, experienced a ransomware attack that was detected in February 2021. It was hit with a $6 million ransom that grew to $10 million, said Chief Information Officer Terri Ripley. Ripley said OrthoVirginia ultimately didn’t pay the ransom, but temporarily shut down its IT systems to keep cyberattackers from encrypting more files and called in its cyber insurer’s forensics team to analyze what happened.
Hospitals are paying the price for cyberattacks.