The Real Cost of Recovering From a Ransomware Attack
In a world where escalating ransomware threats make daily headlines, the stakes for hospitals are excruciatingly high: Losing money is one thing — losing a patient is another. A hospital CISO doesn't have the luxury of negotiating with cybercriminals when patients' lives are on the line.
Paying the ransom itself comes with a hefty price tag — but remediation costs, including the cost of downtime, lost opportunities, data recovery, lawsuits, and loss of reputation, increase the bill tenfold. And it all adds up to an average of $1,270,000.
Hospitals Are at the Center of the Escalating Cyber Storm
The pandemic offered a perfect storm for cybercriminals — and hospitals paid the price. Cybercriminals brought in staggering amounts of cash by installing ransomware at overstretched hospitals, notoriously unprepared for escalating cybersecurity threats. Now, cyber gangs like FIN12 intentionally target vulnerabilities in the healthcare sector, looking for an easy payday. The increased risk to patients' lives incent hospitals to pay up, and cybercriminals know it.
When cybercriminals shut down networks, encrypt data, and threaten to shut down the facility's utilities, the repercussions are complicated and costly. Precious commodities like patient information and lifesaving equipment are at risk. And when ransomware infiltrates a hospital's lifesaving systems, there are no clear instructions for recovery. Even hardliner authorities ("We don't negotiate with terrorists!") recommend meeting ransom demands to save patients’ lives.
The Hidden Costs of Ransomware Attacks at Hospitals
The ransom paid — an average of $131,000 in the healthcare sector — is just a fraction of the $1,270,000 average recovery cost from a ransomware attack. Operational downtime, negative patient experience, loss of reputation, staff overtime, device costs, and network repairs make up the difference. Even if the attack is swift and the criminals withdraw quickly after paying the ransom, lost revenue adds up. NEO Urology in Ohio lost $30,000 to $50,000 every day for three days after paying a $75,000 ransom.
A worrying 54% of IT teams said that cyberattacks are too advanced to handle on their own. Outside agencies are often brought in to assist with data and device recovery (which can take years). When all is said and done, the bill can cost more than the ransom. It costs up to $2,000 on average to recover data from one hard drive. Consider how many hard drives are in a single hospital and what it would cost to bring them all back up to speed. Okay, you can spare yourself the mental math: It's a lot. Don't even try to think about the other, more complex medical devices similarly affected by network attacks — you'll get a headache.
Payroll and education costs also add up. With networks offline, hospital staff must make handwritten records to maintain protocols, procedures, and schedules. Once systems are back online, those same records must be transcribed into the system to avoid leaving gaps in the facility's history. These tedious tasks add a surprising amount of time to any healthcare worker's shift, resulting in overtime and hazard pay. And let's not forget the resources needed to train staff about cybersecurity best practices to avoid another attack.
$1,270,000 is a hefty price tag, but even so, it fails to include the costs of legal repercussions associated with a successful cyberattack.
Quality Rep Services, Inc. (QRS), a healthcare technology vendor in Knoxville, Tennessee, is facing a class action lawsuit for a data breach of 319,778 records. On the internal side of things, Community Medical Center (CMC) in Missoula, Montana, flirted with employee lawsuit material over payroll discrepancies. CMC suffered a cyberattack in late 2021, which affected payroll processing. In the interim, the medical center duplicated paychecks from December 3, 2021, prompting a letter from the Montana Nurses Association (MNA) urging CMC to pay nurses what they are owed.
Minimize Damage and Keep Your Data Safe
Until cyberattacks let up (which is more likely than seeing the dead rise from the grave but less likely than seeing a good Matrix sequel), these expenses aren't going down. Remember, the best defense is not preventing attacks (they're going to happen!), but preventing successful attacks by keeping backups of your important data secured off-network and minimizing the effects on patients. The less damage done, the less recovery is needed.