Ransomware Attacks in Healthcare Are Increasing, Creating Longer Recovery

By Jay Asser

Cybersecurity has become a major pain point for CEOs in 2024 as the number of incidents has gone up.

Ransomware attacks on healthcare organizations have hit a four-year high since 2021, with two-thirds of companies saying they were impacted in the past year, according to a survey by security solutions firm Sophos.

While ransomware attacks tracked by Sophos across all sectors dropped from 66% in 2023 to 59% in 2024, healthcare trended in the opposite direction as 67% of organizations reported being affected this year versus 60% in 2023. For comparison, only 34% of companies were hit by an attack in the firm’s 2021 report.

This year’s survey is based on responses from 402 healthcare organizations across 14 countries, conducted from January to February.

The findings also revealed that the recovery time for companies after suffering a ransomware attack is getting longer. Fully recovering in a week or less was only possible for 22% of respondents, which was a significant decline from 47% in 2023 and 54% in 2022. More than a third of organizations (37%) needed more than a month to recover, an increase from 28% in 2023.

“The highly sensitive nature of healthcare information and need for accessibility will always place a bullseye on the healthcare industry from cybercriminals,” John Shier, Sophos field chief technology officer, said in a statement. “Unfortunately, cybercriminals have learned that few healthcare organizations are prepared to respond to these attacks, demonstrated by increasingly longer recovery times.”

CEO perspective

With rising expenses putting pressure on bottom lines, CEOs can ill afford to be unprepared for a cyberattack.

Yet 37% of respondents working at healthcare organizations report not having a cybersecurity response plan in place, a recent survey by Software Advice found.

Preventative measures, like having the right people with relevant knowledge and experience in positions to oversee security, are necessary, but so is having a response plan to deal with the fallout of an attack.

Speaking on the HealthLeaders Podcast, new Cedars-Sinai CEO Peter Slavin recently highlighted why cybersecurity should be firmly on the radar of executives.

“It’s incumbent on all CEOs in healthcare and other industries to be vigilant on this front, to make sure that there are tons of people in place managing that vigilance on a day-to-day basis, and that function is appropriately resourced,” Slavin said. “All organizations just need to do their best to try to prevent such a catastrophe from happening.”

Jay Asser is the CEO editor for HealthLeaders.