“Cyberattacks on health systems are on a steady rise, and their costs are mushrooming. Experts said there are a variety of reasons for the increase, including that criminals are getting more advanced and more aspects of health care are online.
When a cyberattack struck Sky Lakes Medical Center, a community hospital in southern Oregon, in late October 2020, its computers were down for three weeks. The most mundane tasks became arduous. Nurses had to check on critical patients every 15 minutes in case their vital signs changed. Doctors scribbled down their orders and the swelling mounds of paper took over whole rooms. In three weeks, the hospital ran through 60,000 sheets of paper.
Sky Lakes had to rebuild or replace 2,500 computers and clean its network to get back online. Even after it hired extra staff, it took six months to input all the paper records into the system. In total, John Gaede, Sky Lakes director of information services, says his organization spent $10 million — a big expense for a nonprofit with roughly $4.4 million in annual operating income (the organization did not pay a ransom).
For hospitals with limited budgets, there are questions about how well they can protect themselves. The attack on Sky Lakes was part of a wave of attacks in 2020 and 2021 connected to a criminal group in Eastern Europe.
“Our budgets typically have a margin of maybe 3 percent a year,” Gaede said, “but we’re supposed to compete with nation-state actors?”
Health data is lucrative on the black market, making hospitals a popular target. Plus, if a health system has ransomware insurance, criminals may think they’re guaranteed a payout. Ransomware ties up hospital records in encrypted files until a fee is paid.
“Back when ransoms were $50,000, it was cheaper to pay them than to deal with a lawsuit that would have cost far more,” says Omid Rahmani, associate director at Fitch Ratings, a credit rating agency, adding that ransoms now cost millions. “The landscape’s changed and because of that the cyber insurance side has changed — and that’s really connected to the rise of ransomware.”
In its annual cost of a data breach report, IBM writes the global average cost of an attack on a health system rose from about $7 million to over $9 million in 2021. But remediating these violations in the U.S. can be far more expensive.”