Our experience last year is consistent with the conclusion of a new report issued by Cryptonite in its 2017 Health Care Cyber Research Report—that the number of hacking events targeted at health care entities involving ransomware increased a whopping 89% from 2016.
The report analyzed the self-reporting database of the Office for Civil Rights (OCR) which requires covered entities to report data breaches. The number cited by Cryptonite may in fact be lower than reality as pursuant to the Health Information Technology for Economic and Clinical Health Act, covered entities have until March 1, 2018, to report breaches of records that involve less than 500 individuals, so additional reporting is forthcoming.
The report notes that there were 140 IT/hacking events reported to the OCR in 2017, which was 24 percent more than the 113 reported in 2016. This is up from 57 reported in 2015 and 35 in 2014. Those numbers alone show that the health care industry continues to be a target.
Six of the largest IT/hacking incidents reported to the OCR in 2017 involved ransomware. According to the report, the number of reported major IT/hacking events attributed to ransomware by health care entities was 36 in 2017-up from 19 in 2016 which corresponds to an 89% increase from 2016 to 2017.
Health care entities continue to be targeted and attacked with ransomware and 2018 does not bode well for a decrease in these attacks.