1 Introduction

Ransomware attacks, a contemporary form of financial extortion, have become one of the most formidable cyber threats in the digital age [1,2,3,4,5,6,7,8]. This malicious software encrypts a victim’s files, as well as any connected devices or network drives. Once the data is encrypted, cybercriminals demand a ransom in exchange for the decryption key, often preferring cryptocurrency to maintain anonymity and circumvent anti-extortion and money laundering regulations [9,10,11,12]. In recent years, the frequency and sophistication of these attacks have increased globally, particularly affecting the healthcare sector, which is especially vulnerable due to its critical dependence on health information technologies (HIT) for patient data management [6, 9, 13,14,15,16,17,18,19,20,21,22,23,24].

The U.S. healthcare industry has seen a marked increase in ransomware incidents, significantly affecting patient care, data security, and overall institutional operations [8, 25, 26]. As cybercriminals continually develop new ransomware variants [11], the threat intensifies, compelling healthcare organizations to navigate a complex array of technical, legal, ethical, and managerial challenges [11, 27]. Often, these institutions may feel pressured to pay ransoms quickly to restore systems and prevent further damage, thus contributing to the profitability of this type of cybercrime [28]. Hospitals, in particular, which require immediate access to patient data, find themselves acutely vulnerable [28]. The ongoing coverage of this crisis in both the media and academic papers underscores the urgent need for comprehensive strategies to effectively counteract and mitigate the impacts of these cyber threats [3, 7, 29,30,31,32,33,34]. Additionally, third-party involvement, such as business associates and vendors, further complicates the cybersecurity landscape. One critical area often overlooked is the vulnerability of medical devices, which can serve as portals for ransomware attacks. The lack of adequate safeguards for medical devices significantly increases the risk of ransomware attacks and demands immediate attention and robust security measures to protect sensitive health information and ensure the continuity of healthcare services [35].

Previous analyses have examined the impact, vulnerabilities, and responses associated with ransomware attacks across diverse healthcare settings. For instance, Connolly et al. [10] conducted a mixed-methods analysis of 55 ransomware attacks across various sectors in the UK and the USA, revealing that private organizations often face greater severity due to weaker security measures. However, the study does not delve into the unique cybersecurity challenges in the healthcare sector. In contrast, Tewfik and Whitehead [36] highlight the vulnerabilities of hospitals to ransomware, emphasizing the critical nature of their operations and the challenges posed by prolonged network disruptions; they recommend, for example, that anesthesiology departments implement comprehensive downtime management policies for electronic health records. Similarly, Chen et al. [37] focused on the particular vulnerabilities of radiology departments, advocating for robust continuity and recovery plans, including the setup of an imaging command center and the development of continuity of operations plans to enhance departmental and hospital-wide preparedness and response. Furthermore, Damaff et al. [38] explored the extensive impact of ransomware on U.S. emergency departments, illustrating how attacks not only target the hospitals directly but also strain nearby facilities, necessitating regional disaster planning and enhanced systemic resilience against cyber threats. In their qualitative study involving healthcare and IT staff, van Boven et al. [39] identify significant challenges in patient care continuity, recovery processes, and staff well-being following ransomware attacks, leading to a series of actionable recommendations to fortify cybersecurity measures.

Previous research provides a comprehensive overview of how ransomware affects various facets of healthcare settings, highlighting distinct vulnerabilities and responses. However, a focused analysis exclusively on hospitals within a specific geographical area and temporal context could greatly deepen our understanding of ransomware incidents. Importantly, the limited use of qualitative research methodologies in studying ransomware incidents in U.S. hospitals highlights a critical gap in the literature. There is a noted demand for employing diverse research methods in cybersecurity [40, 41]. Therefore, this study aims to bridge these gaps by conducting a qualitative thematic analysis of ransomware incidents in U.S. hospitals over the period from 2016 to 2022. Our research objectives are to characterize the patterns, vulnerabilities, and responses associated with these incidents, thereby contributing to a more nuanced understanding of their implications.

2 Methods

2.1 Study framework

Our research employs a realist approach to conduct a thematic analysis of government documents. This approach focuses on the documents’ explicit content and assumes that the text accurately reflects the data, so our analysis centers on the clearly indicated and observed content within the documents. This methodology is widely used in healthcare and medical informatics research [39,40,41,42,43]. It involves meticulous reading and rereading of the data to discern both the explicit and implicit meanings within the textual data [44, 45]. Our thematic analysis is inductively driven, enabling themes to emerge naturally from the data without the constraints of pre-existing theories or models. This approach ensures that our analysis remains closely tied to the actual text and its apparent implications [45]. This methodology not only helped us identify explicit and implicit meanings within the textual data but also revealed nuanced, contextual insights that illuminated patterns and trends underlying ransomware attacks [45]. Our research process is summarized in Fig. 1.

Fig. 1 Methodological Research Process

2.2 Data collection and analysis

Data was collected from the public portal of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). This portal records breaches of unsecured protected health information (PHI) affecting 500 or more individuals, as mandated by the Health Insurance Portability and Accountability Act (HIPAA) [46]. The data, which must be reported by covered entities—including health plans, healthcare clearinghouses, and providers, along with their business associates—reflects the enforcement of the breach notification rule. These entities are required to report any breach affecting 500 or more individuals to the OCR within 60 days of discovery. They must also notify affected individuals and, in some instances, the media [47]. As delineated in the OCR Breach Portal, each breach report mandates a comprehensive dataset at minimum, encompassing general information about the breach, contact details, and details about the covered entity or business associate, and specifics about the breach such as the type, location, the number of individuals affected, and a description of the incident [48].

Our dataset, spanning from 2016 to 2022, initially included 562 reported ransomware incidents. Of these, 65 incidents met our data inclusion criteria: (1) the name of the covered entity in the OCR dataset matched the hospital’s name as listed in the American Hospital Association Annual Survey Database (AHA), which facilitated the identification of sample characteristics such as location, hospital size, ownership, system affiliation, and service type for our thematic analysis [49]. Additionally, (2) the incident descriptions had to contain at least one key term related to ransomware, such as ‘ransom’, ‘malware’, ‘encryption’, phrases indicating the compromise of PHI or electronic protected health information (ePHI), along with the number of individuals affected. Figure 2 illustrates the sources of our dataset from the OCR portal.

To further refine our analysis, we established rigorous data inclusion criteria and conducted a comprehensive review of our data sample, paying close attention to the variability in the descriptions of the reported incidents. For instance, as depicted in Fig. 2, our dataset includes reports from three covered entities—two medical centers and one hospital—located in different states, each affected by a ransomware incident. The level of detail in these reports varied considerably: the first row in the dataset provides a comprehensive description of the incident, detailing specific impacts and responses, whereas the other two entries offer less detail about their respective incidents.

Fig. 2 Exhibit of the Source of Qualitative Data

The data from the OCR portal was downloaded into Microsoft Excel for preliminary processing. Each entry received a unique identifier (e.g., Ransomware Case 1 = RC1, RC2, etc.), and we corrected any spelling and typographical errors to enhance readability. Once the data was accurately organized and annotated, it was uploaded into NVivo 14 software for further analysis. Within NVivo, we systematically coded and analyzed the data, which enabled effective management and exploration of themes throughout our study. To ensure confidentiality, all identifying information about the hospitals was removed or anonymized prior to analysis [50].
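An added example, not the authors' code (the study used Excel and NVivo): one way to script the two inclusion criteria and the RC numbering described above over breach-report rows, keeping a reason for every exclusion. The field names, the constructed sample rows, the name-normalization rules, and the reading of criterion (2) as "key term plus a PHI/ePHI reference plus a count" are assumptions.

```python
import re
import unicodedata
from collections import defaultdict

# Stems of the key terms the paper names ('ransom', 'malware', 'encryption').
KEY_TERMS = ("ransom", "malware", "encrypt")
PHI_PATTERN = re.compile(r"\b(?:e?phi|protected health information)\b", re.I)
LEGAL_SUFFIXES = {"inc", "llc", "corp", "corporation"}  # assumption: ignored in matching


def normalize_name(name):
    """Fold case, accents, punctuation and legal suffixes before comparing names."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = text.lower().replace("&", " and ").replace("'", "")
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(w for w in text.split() if w not in LEGAL_SUFFIXES)


def parse_count(value):
    """Return individuals affected as an int, or None when missing or malformed."""
    digits = re.sub(r"[,\s]", "", str(value or ""))
    return int(digits) if digits.isdigit() else None


def matched_terms(description):
    """Criterion 2 (text part): key terms in a description that also refers to PHI/ePHI."""
    text = (description or "").lower()
    if not PHI_PATTERN.search(text):
        return []
    return [term for term in KEY_TERMS if term in text]


def match_hospital(report, index):
    """Criterion 1: a unique AHA row with the same normalized name (state breaks ties)."""
    candidates = index.get(normalize_name(report["covered_entity"]), [])
    if len(candidates) > 1:
        candidates = [c for c in candidates if c["state"] == report["state"]]
    return candidates[0] if len(candidates) == 1 else None


def select_cases(reports, aha_rows):
    """Return (included, excluded): anonymized RC-numbered cases and rejection reasons."""
    index = defaultdict(list)
    for row in aha_rows:
        index[normalize_name(row["name"])].append(row)
    included, excluded, seen = [], [], set()
    for report in reports:
        name = report["covered_entity"]
        count = parse_count(report.get("individuals_affected"))
        terms = matched_terms(report.get("description"))
        hospital = match_hospital(report, index)
        key = (normalize_name(name), report.get("submitted"), report.get("description"))
        if key in seen:
            reason = "duplicate report"
        elif hospital is None:
            reason = "no unique AHA name match"
        elif not terms:
            reason = "no key term with PHI reference"
        elif count is None:
            reason = "individuals affected missing"
        else:
            reason = None
        seen.add(key)
        if reason:
            excluded.append((name, reason))
            continue
        included.append({
            "case_id": f"RC{len(included) + 1}",
            "individuals_affected": count,
            "matched_terms": terms,
            "state": hospital["state"],
            "beds": hospital["beds"],
            # Only a verbatim entity name is replaced; other identifiers need manual review.
            "description": re.sub(re.escape(name), "[CE]", report["description"], flags=re.I),
        })
    return included, excluded


# Constructed sample rows; the field names are assumptions, not an official export schema.
AHA_ROWS = [
    {"name": "Example Valley Medical Center, Inc.", "state": "OH", "beds": 150},
    {"name": "Sample Regional Hospital", "state": "TX", "beds": 40},
    {"name": "Sample Regional Hospital", "state": "FL", "beds": 520},
    {"name": "St. Demo's Hospital", "state": "NY", "beds": 310},
]
REPORTS = [
    {"covered_entity": "Example Valley Medical Center", "state": "OH",
     "submitted": "2019-03-02", "individuals_affected": "12,450",
     "description": "Example Valley Medical Center reported that hackers placed "
                    "ransomware on a server, encrypting files that contained ePHI."},
    {"covered_entity": "Sample Regional Hospital", "state": "TX",
     "submitted": "2020-07-15", "individuals_affected": "",
     "description": "The CE was the victim of a ransomware attack that compromised PHI."},
    {"covered_entity": "Placeholder Dental Group", "state": "CA",
     "submitted": "2021-01-20", "individuals_affected": "900",
     "description": "Ransomware encrypted the ePHI held by the practice."},
    {"covered_entity": "ST DEMO\u2019S HOSPITAL", "state": "NY",
     "submitted": "2021-11-30", "individuals_affected": "2,100",
     "description": "The CE reported that malware was installed on a server that stored PHI."},
]
REPORTS.insert(1, dict(REPORTS[0]))  # the same report filed twice

if __name__ == "__main__":
    kept, dropped = select_cases(REPORTS, AHA_ROWS)
    print(kept, dropped, sep="\n")
```

The `matched_terms` field is kept on each case so that a reviewer can see why a narrative passed the keyword screen before coding it.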

Our analysis employed Braun and Clarke’s inductive methodological approach [45]. The first author meticulously read each data entry multiple times to gain a profound understanding of the content, aiding in the identification of initial patterns and thematic categories. We generated an initial list of codes, and each narrative was coded accordingly. Memos were created to compile impressions and preliminary themes [45]. These preliminary themes were discussed and reviewed with co-authors, followed by a second round of coding to refine and define the themes. After multiple revisions, several themes were narrowed down to subthemes or merged. Representative quotes were extracted from the narratives to ensure they effectively encapsulated the theme. These quotes were instrumental in forming the final themes.

The research team was led by a PhD-trained qualitative methodologist with 18 years of experience in healthcare management and cybersecurity, providing a critical interpretative lens for our thematic analysis of ransomware incidents in hospitals. The first author, a software developer with extensive cybersecurity industry experience, contributed a technical perspective to the analysis. A research assistant with 20 years in the healthcare industry further refined our understanding of ransomware’s impact on hospitals. The team engaged in rigorous dialogues and critiques, sharing themes and representative quotes among themselves to ensure reflexivity and rigor in the analysis.

3 Results

We identified 65 ransomware attacks on U.S. hospitals between 2016 and 2022 that met the study criteria, as detailed in Table 1. Our results revealed that the majority of ransomware incidents, 83.1%, occurred in metro hospitals. Rural and micro hospitals reported significantly fewer incidents, comprising 10.8% and 6.2% of cases, respectively. In terms of hospital size, medium-sized hospitals with 100–199 beds were disproportionately affected, experiencing 24.6% of all incidents. This may be significant as these hospitals represent only 19.2% of all U.S. hospitals, according to data from the AHA Annual Survey Database. In contrast, larger hospitals with 500 or more beds, which make up just 5.6% of all U.S. hospitals, were involved in 16.9% of the ransomware incidents. Meanwhile, smaller hospitals, with 6 to 24 beds, accounted for 9.2% of the incidents despite making up 14.3% of the national hospital population, according to the AHA Annual Survey Database. Seven themes emerged from the thematic analysis, summarized in Table 2. Each offered deeper insights into various aspects of ransomware incidents. The representative quotes provided a more detailed view of ransomware incidents within hospitals, illustrating the depth and variety of each identified theme.

Table 1 Characteristics of U.S. hospitals
Table 2 Summary of themes, codes, keywords, and Example quotes

3.1 The scale of ransomware

In this theme, the large number of individuals affected and the diverse methods used by cybercriminals to gain unauthorized access to computers and networks illustrate the extent of ransomware attacks. Statements such as “a ransomware attack affecting the electronic protected health information (ePHI) of approximately 3,320,726 individuals” and “The covered entity (CE) reported that it was the victim of a ransomware attack that compromised the protected health information (PHI) of 1,228,093 individuals” exemplify the extensive impact of these hospital ransomware incidents.

Hospital information system architectures are complex, and incidents of ransomware can ripple throughout a network. Numerous ransomware attacks, varying in severity, were observed in the data across healthcare facilities. The data shows a wide array of healthcare facilities impacted by the network, as acknowledged in the statements from hospitals: “The [CE] [omitted name] Health + Hospitals reported that its business associate was the victim of a ransomware attack.”

Reported attack methods include phishing emails, exploiting server vulnerabilities, and other tactics to gain access to a computer or network. A common location for ransomware attacks is network servers. For example, one hospital reported a breach initiated by a phishing email: “The [CE], [omitted name], reported that on [omitted date], its workforce member responded to a phishing email,” while another incident involved ransomware placed directly on a server, impacting PHI storage: “Hackers placed ransomware on the [CE’s] computer server. The servers stored [PHI].”

Ransomware attacks often culminate in demands for payment, with some entities opting to pay the ransom to regain data access. In one case, “the hackers demanded a ransom, which the CE paid. After payment of the ransom, the CE regained access to the data on the server.” The challenges healthcare organizations face when responding to ransomware threats are evident in this case.

3.2 Extent of protected health information vulnerability

This theme addresses the vulnerabilities in hospital data security that make protected health information (PHI) susceptible to ransomware attacks. Vulnerabilities often involve compromised sensitive health details such as diagnoses, medications, medical histories, treatment records, and personal identifiers—names, driver’s license numbers, and contact details. Examples include:

“The PHI involved included names, addresses, dates of birth, and driver’s license numbers that were compromised.”

“Data on the servers was encrypted, including names, social security numbers, claims information.”

“The compromised ePHI involved included names, marital status, sex, race/ethnicity, and birthdates.”

Furthermore, incidents frequently expose social security numbers and financial data, enhancing the risk:

“The ePHI involved included names, addresses, dates of birth, email addresses, Social Security numbers, telephone numbers, financial information, and treatment information.”

“The PHI involved included names, dates of birth, Social Security numbers, addresses, driver’s license numbers, medications prescribed, diagnoses, and financial and other treatment information.”

Clinical and medical data vulnerabilities are highlighted by the accessibility of medical record numbers, prescriptions, lab results, and health insurance information:

“…diagnoses, prescription information, lab results, health insurance information, and other treatment information.”

“Claims information, diagnoses, lab results, medications prescribed, and other treatment information.”

“The ePHI involved included diagnostic images.”

The widespread nature of these vulnerabilities underscores the extensive risks to patient and private data in the face of ransomware threats.

3.3 Response and notification protocols

This theme details a comprehensive response to ransomware incidents by hospitals, ensuring compliance with legal mandates and maintaining transparency. Key protocols include notifying the Health and Human Services (HHS), the media, and affected individuals. Notably, notifications often lead to the Office for Civil Rights (OCR) providing technical assistance to ensure adherence to the Breach Notification Rule. For instance, it was reported that “The CE notified HHS, affected individuals, and the media. OCR provided the CE with technical assistance regarding the Breach Notification Rule.”

Hospitals routinely utilize substitute notices and issue detailed media statements to disclose incidents. Media statements following the ransomware incident were also issued. Examples of this include, “The CE and BA notified HHS, affected individuals, and the media, and provided substitute notice,” and “The CE notified HHS, affected individuals, the media, and posted substitute notice on its website.”

3.4 Implementation of safeguards

Hospitals have responded to ransomware attacks by implementing a variety of technical and administrative safeguards. These measures include the adoption of encryption and advanced malware detection systems, comprehensive overhauls of policies, issuance of internal email warnings, and the establishment of phishing threat reporting mechanisms. Moreover, hospitals have conducted thorough risk assessments, enhanced their security monitoring, and intensified training on security, HIPAA best practices, and phishing prevention. Key implementations are highlighted through specific instances:

“Upon discovery of the breach, the CE adopted new technical safeguards, revised its policies and procedures, and retrained its employees.”

“…in response to the breach, the BA strengthened its administrative and technical safeguards to better protect ePHI.”

“Additionally, the CE sent internal email users an email banner with additional warnings about emails that contain links and are from outside the organization and set up an internal phishing inbox for users to submit potential threats.”

“The CE expanded its data security monitoring, updated its security management policies, and provided additional training to staff.”

“In response to the breach, the CE implemented additional administrative and technical safeguards and retrained its staff.”

“In response to the breach, the CE provided the BA with training on HIPAA requirements to protect and secure ePHI.”

Based on these statements, a marked change has been observed towards enhancing security and increased awareness in the affected hospital.

3.5 Investigation and regulatory compliance

Ransomware attacks on healthcare institutions highlight the multifaceted nature of investigation and regulatory compliance. Each incident is investigated internally, often supplemented by third-party forensic analyses. The statements below highlight our finding:

“In response to the breach, the BA retained a third-party forensic investigator that identified the vulnerability, which allowed the breach to occur; the BA remediated this issue in its mitigation efforts to better secure its sensitive data.”

“The CE hired a third party to perform a forensic investigation, and the CE provided a complete copy of the investigative report to OCR.”

Regarding regulatory compliance, we found that the OCR frequently conducts compliance reviews. Examples include:

“During the investigation, OCR provided the CEs with technical assistance regarding the HIPAA Rules.”

“OCR obtained assurances that the CE implemented the corrective actions noted.”

3.6 Third-party involvement

The theme underscores the critical risk factor of the interconnected nature of healthcare systems due to the frequent involvement of business associates (BAs) in cybersecurity incidents. The dependency on BAs, such as billing companies, IT service providers, and EHR vendors, who often access sensitive hospital data, introduces significant third-party risk exposure. Two key subthemes highlight the multifaceted challenges:

3.6.1 Risk exposure

Healthcare delivery efficiency depends heavily on seamless collaboration between hospitals and their BAs. This interdependence, while crucial for operational efficiency, also poses heightened security risks, as breaches in BA systems can directly impact hospital operations. For example: “The [CE] [name omitted] reported that its [BA] experienced a ransomware attack affecting the [ePHI] of approximately 3,320,726 individuals.”

3.6.2 Direct impact

The consequences of ransomware attacks on BAs often extend to exposing sensitive patient data, requiring immediate and strategic responses to mitigate risks. For instance:

“The [CE] [name omitted] Healthcare Corporation reported that its [BA] was targeted in a ransomware attack that compromised the ePHI of 64,600 individuals, including sensitive information like names, addresses, and Social Security numbers.”

This theme provides a comprehensive understanding of the challenges hospitals face with interconnected digital environments.

3.7 Victim support services

A common response to ransomware incidents is to offer credit monitoring and identity protection services to affected individuals. Specific measures include:

“In response to the breach, the [CE] implemented additional technical safeguards and provided complimentary credit monitoring services to affected individuals.”

“Complimentary credit monitoring services were provided to affected individuals. In response to the breach, the CE provided the BA with training on HIPAA requirements to protect and secure ePHI.”

These results may indicate a proactive stance by hospitals in addressing both the immediate and extended risks associated with ransomware incidents, focusing on support for victims.

4 Discussion

This study employed a qualitative thematic analysis of ransomware incidents in U.S. hospitals from 2016 to 2022, aiming to characterize the patterns, vulnerabilities, and responses of these incidents. The Scale of Ransomware underscores not merely the number of individuals affected by these cybersecurity incidents but also the diversity of attack vectors, such as phishing and server vulnerabilities. Our analysis reveals that approximately 12 million people have had their personal information compromised due to ransomware incidents in the healthcare sector. These attacks exhibit considerable variability in their scale, affecting populations ranging from a few hundred to several hundred thousand individuals. For instance, one notable incident compromised the electronic Protected Health Information (ePHI) of approximately 3,320,726 individuals, illustrating the profound impact these events can have. Our findings not only align with but also expand upon the existing body of research highlighting the escalating threat of ransomware in the healthcare domain [10, 36, 39, 50, 51].

Understanding the scale of these incidents is crucial for the implementation of robust continuity and recovery plans. Establishing a command center can serve as a focal point for managing ransomware crises, while the development of comprehensive continuity of operations plans is crucial for maintaining hospital operations during and after a cyberattack [37]. Additionally, there is a pressing need for regional disaster planning that coordinates responses across healthcare facilities, ensuring a unified and effective approach to such cybersecurity challenges [36].

The research highlights the significant vulnerability of PHI in ransomware attacks, which compromise a broad spectrum of sensitive data, including personal, financial, and health-related information. Our findings underscore the comprehensive nature of PHI and the extensive potential harm to patients when their data is compromised. This study extends prior research by emphasizing the critical sensitivity of healthcare data and the severe consequences of its breaches [37]. The compromised PHI in ransomware incidents not only jeopardizes patient privacy but also poses substantial risks to their financial and overall well-being. Future research should focus on investigating the long-term impacts of compromised PHI on patients. Such studies could explore how cybercriminals target and access various types of data and examine the potential legal liabilities hospitals may face as a result of ransomware incidents [51].

The response and notification protocols theme demonstrates the importance of immediate action and transparent communication after ransomware attacks. Ransomware incidents in hospitals require a swift and effective response, along with notification, due to their significant regulatory implications [52]. Our findings echo compliance requirements in the healthcare industry [47, 52,53,54]. A notable finding is the extent of regulatory involvement by the OCR in ensuring compliance and guiding responses in the aftermath; this finding highlights the legal complexities of ransomware.

Hospitals enhance security post-attacks by implementing new technical and administrative safeguards and enhancing staff training. Measures include encryption, advanced malware detection tools, policy revisions, risk assessments, expanded security monitoring, and staff training on security awareness and phishing prevention. Our findings highlight hospitals’ commitment to evolving defenses and ensuring staff readiness. This aligns with existing cybersecurity literature advocating for adaptive security strategies, such as centralized task forces, recovery plans, and tabletop simulations [37]. Our results emphasize the importance of staff training in phishing and cyberthreat awareness, underscoring the critical role of human factors in cybersecurity.

Third-party involvement is critical, given the interconnected nature of healthcare systems. Business Associates (BAs) were frequently involved in ransomware incidents. Future research should examine the effectiveness of risk management strategies in third-party collaborations and explore new models of cybersecurity partnerships in healthcare. Effective vendor and third-party engagement is essential, focusing on how vendor expertise impacts the design, performance, and protection of critical systems before, during, and after a cyber incident. Proactive measures, such as pre-incident meetings and coordination with clinical engineers and medical equipment vendors, are vital for comprehensive incident response plans. These recommendations are supported by the Office of the Assistant Secretary for Preparedness and Response (ASPR) [55].

An unexpected result was the payment of ransom demands. In one instance, “the hackers demanded a ransom which the CE paid. After payment of the ransom, the CE regained access to the data on the server.” This finding highlights the complexity of decision-making during ransomware attacks. Paying a ransom poses both ethical and practical dilemmas for hospitals. On one hand, payment could encourage more ransomware attacks; on the other hand, non-payment could disrupt crucial healthcare services and result in the loss of PHI and other information [56]. To address these challenges, ASPR recommends ensuring that all necessary cyber-related policies are in place and compliant with legal requirements and cyber coverage parameters. Hospitals should consider organizational policies for paying ransomware attackers, identify decision-makers for such situations, and utilize the Cybersecurity and Infrastructure Security Agency (CISA) Ransomware Response Checklist [4] to inform potential ransomware response activities [55].

Victim support services are crucial in the aftermath of cyberattacks. Hospitals often provide credit monitoring and identity protection services to affected individuals as part of their response efforts. This finding enhances the existing hospital cybersecurity literature by detailing victim-support practices post-breach. Limited prior research on ransomware in hospitals and associated victim support services makes this study a valuable contribution. This theme is significant because offering credit monitoring services can reduce legal vulnerability for hospitals, as suggested by existing research [57].

Lastly, the observed concentration of ransomware incidents in metro areas may not necessarily indicate a higher vulnerability but could be attributed to the higher number of hospitals located in these areas. According to the AHA Annual Survey Database, a significant majority of U.S. hospitals are situated in metropolitan regions, which might explain the higher incident numbers. Furthermore, the disproportionate number of ransomware attacks on medium-sized hospitals suggests a specific vulnerability or targeting pattern that merits further investigation. It is notable that hospitals with 100–199 beds experienced a higher incidence rate compared to their overall prevalence in the U.S. hospital system. The alignment of ransomware incidents in hospitals affiliated with larger systems (67.7% of incidents) with the AHA Annual Survey Database (67.5% affiliation rate) suggests that such hospitals are not disproportionately targeted by cybercriminals relative to their prevalence. However, the significant overrepresentation of ransomware incidents in not-for-profit hospitals (75.4%) compared to their representation in the AHA Annual Survey Database (51.2% when combining Church-operated and Other not-for-profit hospitals) raises concerns about specific vulnerabilities in these institutions. These findings underscore the need for a detailed analysis to understand why certain hospital types, particularly general medical and surgical hospitals which are heavily targeted (90.8% of incidents), are more susceptible to ransomware attacks. Such an analysis could help identify risk factors unique to these settings and inform more effective cybersecurity strategies tailored to different hospital types and sizes. This research is crucial for enhancing the resilience of healthcare infrastructure against evolving cyber threats and forms an essential part of our future research agenda.

This study has several limitations. Our analysis is based on reported incidents of ransomware attacks, which may not represent the full spectrum of cybersecurity threats hospitals face. Some institutions may not report all breaches to avoid reputational damage or regulatory penalties, leading to underreporting of the full extent of the problem. This analysis primarily relied on secondary data from reported cases, which may not provide all the nuances or context of each ransomware incident. Our reliance on OCR data limits the depth of understanding, particularly regarding internal decision-making processes and hospital-specific challenges. Moreover, it is essential to recognize that not all data mandated for reporting to the OCR are made publicly available. This restriction potentially limits the comprehensiveness of the data accessible for analysis and may affect the generalizability of our findings. Additionally, the OCR and AHA data may not be representative of all U.S. hospitals during our study period. Currently, the OCR portal only covers data breaches affecting 500 or more individuals. Therefore, we consider that the number of security incidents may exceed the reported cases. A data breach with a ransomware incident may also go unnoticed, improperly evaluated, or reported to HHS with inconsistent names, duplicate values, incomplete data, etc. Consequently, the AHA and OCR databases could not be linked to all U.S. hospitals. Furthermore, healthcare information systems include not just hospitals but also insurance companies, third-party vendors, and government agencies. Our analysis may not fully account for the intricate interactions and data exchanges within this ecosystem, which can significantly impact cybersecurity strategies and vulnerabilities. An additional limitation of our study was the variability in the detail of breach reports across different hospitals, which was critical for our thematic analysis. This discrepancy ranged from highly detailed accounts of incidents, outlining specific impacts and responses, to more cursory descriptions. This variability in report detail could potentially influence the generalizability and depth of the conclusions drawn from our analysis.

Our findings highlight the need for additional and future research that explores and evaluates the effectiveness of various risk management strategies employed by hospitals to manage third-party risks, especially those associated with business associates and vendors. Additionally, it is essential to conduct a comparative analysis of the response strategies adopted by different hospitals following ransomware attacks. Another critical area of investigation is the vulnerability of medical devices, which can serve as portals for ransomware attacks. The lack of adequate safeguards for medical devices significantly increases the risk of ransomware attacks, demanding immediate attention and robust security measures. Future research could involve both qualitative and quantitative methods to assess the current state of medical device security, the impact of ransomware on these devices, and the effectiveness of various protective measures [35]. This research could identify best practices and provide guidelines for more effective incident response and recovery. Furthermore, it is important to examine the legal and ethical implications of hospitals deciding to pay ransoms during ransomware incidents. This research could explore the factors influencing such decisions, the consequences of paying versus not paying, and the development of policies to guide these critical decisions. Lastly, conducting qualitative interviews and focus groups with patients affected by ransomware attacks will help understand their experiences, perceptions of hospital security, and trust in healthcare providers post-incident [58].

5 Conclusion

This study highlights the ongoing threat of ransomware incidents in hospitals, showcasing vulnerabilities and varied impacts on U.S. facilities. It stresses the need for developing robust and adaptable security measures and refining response strategies to prevent future attacks. By addressing these issues, hospitals can better prepare for and respond to the evolving ransomware threat, thus safeguarding patient data and maintaining essential healthcare services. Further research should investigate the efficacy of third-party risk management, the long-term effects on patients, and the specific responses in diverse hospital environments.