Ransomware increases hospital deaths significantly

New research shows that you don’t want to be in a hospital when ransomware strikes.

Researchers at the University of Minnesota have looked at the effects of ransomware attacks on hospitals and patients. They found that, unsurprisingly, ransomware is bad news for people who are in hospital already, or admitted to hospital, during an attack.

Hospitals rely on interconnected electronic systems to organize data and deliver care. This makes them extremely vulnerable to cyberattacks in general, and especially to ransomware attacks. At the same time, hospitals are attractive targets for ransomware groups because threatening to leak stolen financial and medical information can give them extra leverage during ransom negotiations.

Because hospitals rely so heavily on computer systems, disruptions to their systems can have a significant effect on patient care, and almost always lead to less critical care being postponed. However, it has been hard to quantify how bad the impact is.

To get a better understanding, the researchers created a novel dataset of ransomware attacks on healthcare providers and linked it to fee-for-service Medicare administrative claims data. This allowed them to compare outcomes before and during ransomware attacks across hospitals.

They showed that:

  • Hospital capacity decreases by as much as 25% during the first week of an attack.
  • Mortality rates for patients already in hospital increase by up to 55%.

Reportedly, ransomware attacks decrease hospital volume by 17%-25% during the initial attack week. Although some of the decreased volume is absorbed by other hospitals nearby, some of it results in postponed care.

In-hospital mortality for patients already hospitalized at the time of an attack increases by between 1.28 and 1.87 percentage points, which represents a 36-55% relative increase when compared to the pre-attack mean.

Earlier studies showed similar results:

In normal times, roughly 3 in 100 hospitalized Medicare patients will die in the hospital. During a ransomware attack, that number goes up to 4 out of 100. From 2016 to 2021, we estimate that ransomware attacks killed between 42 and 67 Medicare patients.

Although it’s hard to establish which patients have died as a consequence of a ransomware attack, it’s clear that ransomware attacks on hospitals create otherwise avoidable deaths.

We don’t expect this knowledge to have any impact on the behavior of the ransomware groups. As we have reported previously, not only are ransomware groups happy to target hospitals, some have even singled them out for special attention.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly, and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.