In 10 years of ransomware attacks, what has changed and what hasn’t?

A decade ago, a Los Angeles hospital paid hackers $17,000 to restore its systems. It was just the beginning.
By admin
Feb 16, 2026, 3:46 PM

Just two months into 2016, the healthcare sector found itself the sudden prime target of ransomware actors. Cyberattacks and data breaches were not abnormal for the industry at the time, but the previous handful of ransomware attacks were highly targeted, and the most publicized incidents often came with direct political and social motivation. 

But when Hollywood Presbyterian Hospital in Los Angeles announced it was operating with just pen and paper processes with no network access in mid-February 2016, the industry took notice. Hackers demanded a ransom of 40 bitcoin, or $17,000, to return access to the data and restore network access. 

And after 10 days of operating with paper records and care diversion procedures, officials paid the ransom – “as it was the quickest and most efficient way to restore” the systems.

Over the next two months, a Kentucky hospital, two Ottawa hospitals, and the largest health system in Washington, DC fell victim to ransomware, and it became abundantly clear that ransomware was not just a passing threat but a fixed problem in healthcare (and in other industries).

In the first year alone, ransomware made up 40 percent of malicious spam emails across all sectors, with one in two business executives reporting to have experienced a ransomware attack at the workplace, according to a 2016 IBM X-Force report. For healthcare, ransomware accounted for 72 percent of their malware attacks in 2016. 

In the 10 years since, ransomware has evolved its tactics from spray and pray to highly targeted attacks, with a particular focus on targeting the weakest link: humans. Each year, these cybercriminals, including nation state actors, preyed on healthcare and other critical infrastructure organizations in force.  

In healthcare, it was clear these actors were hellbent on disrupting healthcare operations for quick payment. Some tried and true tactics dominate the threat landscape even today, with human error and vulnerabilities remaining the key access points for the majority of cyberattacks – although the targeting of third-party vendors and other stakeholders is far more problematic under today’s landscape.

Ransomware actors, the threats, and stakes have grown exponentially each year, heightened by the global pandemic and continued rapid expansion of the digital health ecosystem. It begs the question: in these 10 years, what has changed and what hasn’t? 

The data breaches have grown larger, the cost of recovery and outages is well over $1 million per day of downtime, the average downtime lasts about four weeks, and despite our best efforts, many of the same challenges that existed in 2016 persist today. 

Awareness has grown, absolutely, but the chasm between the haves and have-nots in healthcare hasn’t done the same.

Over the course of this year, CHIME and DHX will look back on these changes with support from industry leaders and our own National Cyber Advisor Lisa Gallagher to take stock of what’s changed in healthcare cybersecurity – for the good and bad, and where we need to do better as an industry to support entities with resource challenges. 

This first piece examines how healthcare landed in the crosshairs of cybercriminals and the evolving landscape to see how threat actors have shaped and tested their tactics on the sector. 

Ransomware: Origins of healthcare targeting and early breach reporting hiccups 

Ransomware is a simple malware that encrypts files and documents, as well as entire networks and servers with relatively minimal effort from the threat actor. It starts with someone clicking on a link, or a hacker gaining access to the network from a backdoor and/or vulnerability and deploying the payload manually. 

Hollywood Presbyterian was certainly not the first ransomware incident in healthcare. However, it became a wakeup call for the sector: now that most delivery organizations had fully digitized their records thanks to Meaningful Use, threat actors were watching and primed to attack those connected systems for a payout. And with time, cybercriminals would evolve their tactics for greater impact.

An April 2016 Symantec report that examined the rise of ransomware and sophisticated tactics, as well as organized criminals, warned that ransomware rapidly developed and expanded in 2015, growing by 35 percent over the course of the year. In fact, ransomware attacks rose a whopping 300 percent in 2016, according to a mid-year 2016 Cybersecurity Ventures report. 

These cybercriminals adopted best practices for their business and enabled the explosion, likely leading to the rapid rise in successful attacks seen in 2016. The healthcare sector accounted for 16.6 percent of the 245.2 million stolen records since 2015, according to a 2016 Identity Theft Resource Center report.

In its early days, ransomware was considered more of a straight monetary transaction – not necessarily as a mechanism to disrupt. For Hollywood Presbyterian, however, the incident seemed to be a random choice by the attackers, while previous ransomware attacks used to disrupt services were primarily launched by hacktivists, including a DDoS attack against Boston Children’s by Anonymous in 2014. 

For Hollywood Presbyterian, officials declared a state of emergency and employees reverted to paper and faxes to communicate. The incident shook the industry and began a steady onslaught of attacks throughout the year, highlighting infrastructure weaknesses – including swathes of unpatched, legacy systems.

Once encrypted with ransomware, victims have just a few options: pay the ransom, find a free decryption key, restore systems to a previous version and restore data from backups, or even wipe everything and begin again. Especially in the early years of targeted ransomware attacks, the actors would increasingly apply the pressure to pay, while the organizations, if they did not have backups, had little other choice than to pay the ransom to restore the data – and normal operations. 

The simple attack was, more often than not, successful – with 70 percent of businesses hit by ransomware in 2016 admitting they paid the hackers to regain access to systems and data, according to a 2016 IBM X-Force ransomware report.

Of those attacked, 20 percent paid over $40,000 to retrieve data, while more than half paid more than $10,000. And almost 60 percent of business leaders said they’d be willing to pay the ransom to regain access to financial records, intellectual property, business plans and consumer data.  

For the first several years, security experts, the FBI, and other stakeholders urged organizations to not pay the ransom as it continued to fund the cybercriminal operations. But for healthcare and other sectors, losing that type and amount of patient data and access to critical technology saw many paying the demand to maintain patient care. 

In the last few years, however, even with the rise in data exfiltration and extortion, far fewer organizations admitted they paid the ransom demand. 

In fact, ransomware was such a new concept as a disruptive threat that most victims from the healthcare sector did not know how, or if, to report the incident to the Department of Health and Human Services as a data breach. 

HHS issued an FAQ in August 2016 that confirmed provider organizations were responsible for proving that ransomware infections did not cause a lack of access or loss of data. The notice was issued over concerns about the lack of clarity in the Health Insurance Portability and Accountability Act for ransomware and its complicated impacts.

“Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” according to HHS in 2016. “A breach under the HIPAA Rules is defined as, ‘…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.’”

“When electronic protected health information is encrypted [by] a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired,” the notice continued. “As such, [ransomware] individuals have taken possession or control of the information and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”

In short, unless the impacted entity can demonstrate a low probability that the data was compromised, the incident needed to be reported as a breach to HHS. The confusion prior to the HHS notice caused many of the successful ransomware attacks in 2016 to go unreported to HHS. 

US Department of Justice data showed that over the course of 2016, over 4,000 ransomware attacks occurred each day across all industries. For healthcare, more than 27 million healthcare records were stolen in 2016 across 450 reported data breaches — 26.8 percent of these were caused by ransomware, hacking or malware, according to a 2016 Protenus report. 

And yet, only nine healthcare organizations reported malware or ransomware breaches to OCR in 2016. However, the HHS notice improved breach reporting moving forward. 

A 2024 report published in JAMA shows the clear jump in ransomware prior to 2016 and after; the largest impacts were seen in 2021, tied to the global COVID pandemic. 

The same JAMA report found: 

  • 374 ransomware attacks on US health care delivery organizations were reported from January 2016 to December 2021 
  • The protected health information of nearly 42 million patients was compromised during this time 
  • From 2016 to 2021, the annual number of ransomware attacks more than doubled from 43 to 91 
  • 44.4% of these ransomware attacks disrupted the delivery of healthcare, including electronic system downtime, cancellations of scheduled care and ambulance diversion (16 [4.3%])

These ransomware attacks:  

  • Increasingly affected large organizations with multiple care facilities, exposing the PHI of more patients 
  • Were less likely to be restored from data backups 
  • More frequently exceeded mandatory reporting timelines  
  • Were associated with delays or cancellations of scheduled care 

By the end of 2016, healthcare data breaches were no longer the primary concern for providers, as the sector saw a larger jump in ransomware attacks than any other industry.

The face of cybercrime is changing. Healthcare has gone from a declared mission of stealing personal data to much more disruptive issues. In fact, healthcare saw a larger jump in ransomware attacks than any other industry.

With the majority of healthcare records now connected to the internet, threat actors can now remotely steal data for nefarious purposes. While healthcare did not top the list for the number of incidents or breaches in 2016, the following years saw those numbers quickly spike – and with it, mass disruptions. 

Further, healthcare has always topped the list for the ratio of incidents to breaches – meaning the actors attempting to gain access to networks are more often successful than not.

Healthcare is interconnected on purpose, and its troves of sensitive business and patient information have kept the industry in the crosshairs for the last decade. Technical challenges, like visibility, remain a constant problem to solve. But key incidents have shaped the industry’s response to the threat, as well as the urgency. 

This report is part of a year-long retrospective on the evolution of healthcare cybersecurity and ransomware over the last decade of targeted attacks. Follow CHIME and DHX on LinkedIn to make sure you don’t miss the next chapter: Are we resilient yet? A hard look at a decade of cyberattacks that shaped healthcare. 

