Everything You Need to Know About Cyberattacks on US Hospitals

Posted on Nov 3, 2022 by Julia Olech

When we talk about cyberattack damages, we often calculate them in terms of monetary damages, reputational loss, and general inconvenience. However, when it comes to hospital cyberattacks, the repercussions could be much more deadly. 

Hospitals are a common target for digital attacks because they hold a lot of extremely valuable patient data. They’re also comparatively easy to attack: although the sensitivity of patient data calls for stronger security, hospitals often lack the funds to implement strict safety measures.

Though the situation has been bad for a while now, COVID-19 put US hospitals at the bull’s eye on cybercriminals’ dartboard. We saw over 40 million US patient records compromised in 2021 alone. This paints a rather gloomy picture for the future — unless we take appropriate measures to limit exposure to attacks.

So, just what damage do cyberattacks cause for US hospitals? Let’s look into the causes and consequences of the increasing risks healthcare cybersecurity faces.

How Widespread Are Hospital Ransomware Attacks?

Ever since the first hospital ransomware attack in 1989, healthcare cyberattacks have been spreading like wildfire — picking up the pace during the COVID-19 pandemic. What started out as an attack carried out by an opportunist very quickly turned into a severe threat to the entire healthcare industry. 

According to The Guardian, 41% of global hospital ransomware attacks affected US healthcare companies in 2021. HIMS reported that just 600 known breaches exposed over 40 million patient records. This amounts to more than 22.6 million customers affected in 1 year alone. Possibly the most severe attack of all, Accellion FTA, locked the data of more than 3 million people in one go. 

Why do cybercriminals target hospitals specifically? Research suggests 61% of affected hospitals pay the ransom to restore access to their systems. That is a very high likelihood that attackers get what they want — which can be anything from $250,000 to $5 million.

Ransomware is also very easy to distribute across multiple institutions at the same time. For example, Universal Health Services suffered a ransomware attack in 2020 which locked the systems of over 400 hospitals in the US, Puerto Rico, and the UK. Despite the healthcare giant having all the IT resources it needed, it still took over a month to restore everything.

Phishing Is Commonly Used to Distribute Ransomware to Healthcare Systems 

Phishing is a malicious method of obtaining system credentials using fake, deceptive messages.

Attackers often use phishing to distribute ransomware and other types of malware with ease. A busy nurse, doctor, or other healthcare professional often lacks the time to check carefully whether an email is legitimate. So, if they see a message saying their staff password is about to expire, they’re more likely to click on a malicious link and download ransomware.

The numbers confirm this. BMJ Health & Care Informatics studies showed a US hospital can receive as many as 100,000 phishing emails every year. The outbreak of the pandemic also caused a 700% surge in phishing attempts, and with that many more attempts, more of them succeed simply by volume.

What Happens During A Cyberattack on Hospitals?

A cyberattack on a hospital exhausts not only its digital resources but also its medical staff

In a hospital cyberattack, attackers gain unauthorized access to hospital databases for one of two reasons: to steal valuable data or to cause huge disruptions to internal systems.

Medical records hold the highest value on the dark web, with an average price tag of $250 per file. The next most valuable record is credit card data, but attackers can sell it for only $5 max. This means a cyberattack on hospitals can bring in substantial revenue — even if hackers steal just a small percentage of its records.

Another reason for ransomware attacks on hospitals is to lock whole hospital systems, or just specific departments that are crucial to keeping care running. This often forces doctors to fall back on pen and paper and rely on memory for a patient’s medication. Doing so heavily slows down medical procedures — and oftentimes delays or stops much-needed treatments, like chemotherapy, transplants, or testing.

The longer the system downtime, the worse the repercussions, especially for small and mid-sized hospitals. Because their threat detection is less mature, they usually experience downtime of around 10 hours on average. Each hour brings around $45,700 in losses, which very often causes smaller establishments to file for bankruptcy and shut down.

Large healthcare companies put more budget into employing IT experts, so they face only 6h of downtime and $21,500 of cyber-related costs per hour. That said, it’s still a scary amount.

The difference comes down to how quickly each can rebuild revenue after an attack. Ransomware often disrupts billing, delaying the income small and mid-sized hospitals rely on for survival. Most cyberattacks have long-term effects on businesses too, as it takes time and effort to rebuild the systems and recover any lost data.

Aside from the immediate costs of recovery, US hospitals also face hefty fines and lawsuits that often follow an attack. The exact fine a hospital (or any other US business) receives differs by state. For example, under the CCPA, California can fine healthcare companies up to $7,500 per lost record. That’s excluding any compensation the hospital would have to cover as part of a patient lawsuit.

How US Hospitals Can Prevent Cyberattacks

Only 4-7% of the healthcare IT budget is spent on cybersecurity, so it’s not surprising hospitals regularly experience attacks. It’s important for healthcare managers to focus on prevention methods and stop malware infection before it happens. These include (but are in no way limited to):

    📌 Cybersecurity training for the staff, at least once a year.
    📌 Password expiry policies, so staff have to change their login details regularly.
    📌 Multi-factor authentication.
    📌 Restricting or banning the use of personal devices at work.
    📌 Firewalls on internal networks that detect and stop unauthorized access.
    📌 Email scam detection, so malicious messages don’t trick medical staff.
    📌 Regular updates for system software and for any medical devices connected to the internet.
    📌 Separating the network into smaller systems to avoid whole-network lockdowns and life-threatening situations.
    📌 The “3-2-1” approach — save 3 copies of each medical record in 2 different formats, including 1 offline.
    📌 A quick response plan to be followed in the event of a cyberattack.
    📌 Using preventative software, like antivirus and VPNs.
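The phishing section above describes the lure that works on busy staff (a “your password is about to expire” message with a link), and the list item on email scam detection names the control. The following Python script is an added illustration of what such detection can look like at its simplest; it is not code from the article or from PIA. It parses a raw email, then scores four indicators: a display name that borrows the hospital’s brand while the address comes from another domain, a Reply-To header pointing elsewhere, link text that shows a different domain than the href actually leads to, and an urgency lure. The trusted domain, the lure phrases, the two-label domain simplification, the quarantine threshold and both sample messages are assumptions constructed for the example.

```python
"""Heuristic phishing-indicator scoring for inbound hospital email.

Added illustration, not code from the article or from PIA. Every rule,
threshold, domain and sample message below is an assumption chosen for
the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the (hypothetical) hospital owns and sends mail from.
TRUSTED_DOMAINS = {"example-hospital.org"}

# Assumption: lure phrases; "password about to expire" is the lure the article describes.
URGENCY_PATTERNS = [
    r"password .{0,20}expir",
    r"within 24 hours",
    r"account .{0,20}suspend",
    r"immediate action",
]

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registered_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _normalize(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())


def get_body(msg):
    """Return the text/plain and text/html parts decoded to str."""
    if msg.is_multipart():
        chunks = [p.get_payload(decode=True) or b"" for p in msg.walk()
                  if p.get_content_type() in ("text/plain", "text/html")]
        return "\n".join(c.decode("utf-8", "replace") for c in chunks)
    payload = msg.get_payload(decode=True) or b""
    return payload.decode("utf-8", "replace")


def score_email(raw):
    """Return (score, reasons): one point per indicator found in the raw message."""
    msg = message_from_string(raw)
    reasons = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name borrows the hospital's brand, but the address is elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = _normalize(trusted.split(".")[0])
        if brand in _normalize(display) and registered_domain(sender_domain) != trusted:
            reasons.append(f"display name impersonates {trusted}; sender domain is {sender_domain}")

    # 2. Replies are steered to a different domain than the mail came from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registered_domain(reply.rsplit("@", 1)[-1]) != registered_domain(sender_domain):
        reasons.append("Reply-To domain differs from From domain")

    body = get_body(msg)

    # 3. Link text shows one domain while the href leads to another, or to an untrusted one.
    for href, text in HREF_RE.findall(body):
        href_dom = registered_domain(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT_RE.search(text)
        if shown and registered_domain(shown.group(0)) != href_dom:
            reasons.append(f"link text shows {shown.group(0)} but href goes to {href_dom}")
        elif href_dom and href_dom not in TRUSTED_DOMAINS:
            reasons.append(f"link to untrusted domain {href_dom}")

    # 4. Urgency lure pressuring the reader to act before thinking.
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, body, re.I):
            reasons.append(f"urgency lure matched /{pattern}/")
            break

    return len(reasons), reasons


def is_suspicious(raw, threshold=2):
    """Assumed policy: two or more indicators means quarantine for human review."""
    return score_email(raw)[0] >= threshold


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "Example Hospital IT Helpdesk" <it-helpdesk@example-hospital-login.com>
Reply-To: support@mail-verify.example.net
To: nurse@example-hospital.org
Subject: Your staff password will expire today
Content-Type: text/html

<p>Your staff password expires within 24 hours.</p>
<p>Renew it here: <a href="http://portal.example-hospital-login.com/renew">https://portal.example-hospital.org/renew</a></p>
"""

LEGITIMATE_SAMPLE = """\
From: "Example Hospital IT Helpdesk" <it-helpdesk@example-hospital.org>
To: nurse@example-hospital.org
Subject: Scheduled maintenance window
Content-Type: text/html

<p>The records portal will be unavailable Saturday 02:00-04:00 for patching.</p>
<p>Details: <a href="https://intranet.example-hospital.org/maintenance">intranet.example-hospital.org/maintenance</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        score, reasons = score_email(sample)
        print(f"{label}: score={score} suspicious={is_suspicious(sample)}")
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone, the phishing sample collects all four indicators and the maintenance notice collects none. A real mail gateway would add authentication results (SPF, DKIM, DMARC) and reputation data on top of content heuristics like these; the point of the example is that the lure the article describes leaves several machine-checkable traces before a nurse ever has to judge the message.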

As a patient, you can also limit your exposure to ransomware attacks. Remember, these steps won’t stop attacks from happening at your hospital, but they can stop attackers from using your leaked credentials or medical data as an easy entry point.

    🔐 Use password managers to create strong combinations and remember your login.
    🔐 Change your passwords regularly.
    🔐 Use multi-factor authentication for your medical logins.
    🔐 Never share your login credentials.
    🔐 Don’t click on phishing links or open dodgy emails.
    🔐 Keep your devices and apps up to date.
    🔐 Report any suspicious messages or activity in your medical profiles.
    🔐 Encourage hospital management to improve cybersecurity.

A reliable VPN is also a great addition to your security when accessing your medical records on your phone or PC. PIA uses military-grade encryption which scrambles your data during transit and makes it unreadable to hackers. 

Our Kill Switch is a must if you’re browsing the web at the hospital as it makes it impossible for your traffic to accidentally leak your information on an unsecured Wi-Fi. 

Better yet, you can secure your medical data with PIA without any risk as all our subscription plans come with a 30-day money-back guarantee. 

Cyberattacks on Hospitals Won’t Slow Down Just Yet

Nothing indicates that cybercriminals will stop targeting US hospitals anytime soon. Our main hope is for healthcare companies to put more focus on training staff, and on protecting their systems and your most vulnerable details. 

While you can’t singlehandedly fix the issue, don’t add to the fire when you’re using hospital networks or logging into your medical profiles. Connect to PIA to protect your data when you log into healthcare accounts over the internet. And don’t forget to campaign and remind administrative hospital staff that cybersecurity is also a duty of care.


Are hospitals vulnerable to cyberattacks?

Yes. Most medical devices aren’t built with cybersecurity in mind. This means they create entry points hackers can leverage to break into a hospital’s network.

Hospital records can be sold for $250 on the Dark Web. All healthcare organizations depend on constant access to their systems, so they’re also more likely to pay the ransom without negotiating. Selling medical records and/or ransomware payments rack up extremely high profits for malicious groups, even if they target really small hospitals.

How many US hospitals have suffered from cyberattacks?

At least 50% of US hospitals have suffered a cyberattack, according to CyberMDX. In 2021, US hospital cyberattacks reached an all-time high, increasing to 679 attacks in one year and compromising the data of over 40 million patients. The impact covers medical reports and personal data, as well as the general upkeep of medical care.

Though hackers’ main interest lies in patients’ PII, nation-state attacks are common in healthcare. Evidence suggests cybercriminals from countries like Russia and Vietnam regularly perform US hospital cyberattacks in order to halt medication production or steal cutting-edge research. Many medical companies hire hackers to perform cyberattacks on hospitals too, so they can release their products before their competition.

Are cyberattacks in healthcare common?

Yes, and the odds of a hospital experiencing a cyberattack are growing. In 2020 and 2021, Pew Research recorded at least 168 ransomware attacks on 1,763 hospitals and clinics across the US. This isn’t a definite number, though, as many healthcare businesses don’t publicly share when they experience a cyberattack to protect their reputation and patients. 

Sadly, you can’t do much to protect your data in the case of a hospital cyberattack. It’s entirely on healthcare organizations to put appropriate security measures in place to stop ransomware attacks from happening. However, you should encourage hospital management to protect your most vulnerable information. 

Can patients die from cyberattacks on hospitals?

Though it’s very rare, a recent Ponemon Institute study found hospital cyberattacks can increase mortality rates. Hospital processes experience significant delays as a result of cyberattacks. However, we’ve had only two reports of “death by a cyberattack” so far — and one of them took place in the US. 

It’s highly likely this problem will become worse, as cyberattacks are expected to skyrocket until at least 2030. If hospitals want to protect their databases and patients, they have to start investing in tough cybersecurity measures now.