Ransomware attacks are serious business for hackers―and often completely avoidable. Hospitals and health care systems, now in the business of collecting patient data as a side effect of treating physical maladies, struggle to keep that information secure.

While there’s no ransomware-specific cost estimate to the health care business, Verizon’s annual Data Breach Report for 2018 estimates that ransomware is included in 85 percent of the successful malware attacks against hospitals. Cybersecurity researchers at Cylance estimated that the number of ransomware attacks tripled in 2017. And researchers at the Ponemon Institute estimated in May 2016 that the annual cost of health care breaches was $6.2 billion per year.



READ MORE FROM ‘NO PANACEA FOR MEDICAL CYBERSECURITY’

Why health care cybersecurity is in ‘critical condition’
Triaging modern medicine’s cybersecurity issues
How to recover from a health care data breach
How weak IoT gadgets can sicken a hospital’s network
To prevent EHR breaches, stop using them (Q&A)
Opinion: Who foots the bill for medical IoT security?


A 2018 Ponemon report concluded that hospitals shell out $408 per compromised record, three times higher than any other industry—and the highest in its study’s 13-year history. Ponemon says each breach costs health care organizations an average of $3.7 million, though an Accenture report says that figure could be as high as $113 million.

The financial ramifications of a health care system breach, however high, don’t necessarily account for the costs to patients and doctors in delayed or diminished care. Patient data, which can include financial information, insurance information, scans of identification cards, home and work addresses, emails, phone numbers, Social Security or other national identification numbers, and health information, is more valuable to hackers than any other information record stored by any other major business, and statistics show that ransomware continues to be a growth industry for cybercriminals.

To give you a clearer picture of how pervasive the problem has become, we’ve outlined in this timeline publicly acknowledged ransomware attacks against hospitals and patient care clinics over the past three years. (We’ve excluded ransomware attacks against research labs, health care support companies such as those that make electronic health record systems, and government agencies, as well as successful breaches that have not used ransomware.)

Be sure to check out the rest of our special coverage on the state of medical security.