The risk of cyberattacks on hospitals is growing, experts say

As hospitals increase their dependence on online tools for operations and patient records, their risk from cyberattacks and ransomware is expected to grow.

That’s according to cybersecurity experts with the American Hospital Association trade group.

“Unfortunately, the unintended consequence of the use of all this network and internet connected technology is it expanded our digital attack surface,” said John Riggi, cybersecurity adviser for the American Hospital Association. “So, many more opportunities for bad guys to penetrate our networks.”

Experts say the number of attacks against hospitals and health systems is climbing year over year, as is the dollar cost to ransom critical infrastructure back from criminals that hold it hostage. In 2023, the average cost for a ransomware attack was $1.5 million, up from $5,000 in 2018.

Recent attacks have forced hospitals to send patients to different emergency rooms, or take compromised medical record systems offline. One rural hospital in Illinois was forced to close permanently after an attack ruined its finances.

Recovering from an attack can also take time and money, sometimes requiring months of rebuilding systems.

The attacks are often traced to countries like Russia and Iran, which makes prosecution difficult.

The Department of Health and Human Services announced new regulations for hospitals, coming later this year, that will help protect them from cyberattack risks.

Changes to the Health Insurance Portability and Accountability Act, or HIPAA, will hold hospitals to tighter data protection standards.

New security requirements may also be attached to eligibility for Medicare and Medicaid funding.