Quality for the Rest of Us
Hospital Cyberattacks (8 mins)
Did you know that healthcare is the industry most targeted by cybercriminals, and that cyberattacks are linked to increased patient mortality? This episode introduces an innovative approach to managing the hidden costs of a cyberattack.
Key Points:
- The true cost of a cyberattack
- Mitigation that saves lives
- Keeping the hospital open
References:
- FBI Internet Crime Complaint Center (IC3) (2013). 2013 Internet Crime Report. https://www.ic3.gov/AnnualReport/Reports/2013_IC3Report.pdf.
- Microsoft Threat Intelligence (Oct. 2023). “Innovating for Security and Resilience.” Microsoft Digital Defense Report 2023, 100. https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023.
- McGlave, C; Neprash, H; Nikpay, S (Aug. 19, 2024). “Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients.” Social Science Research. http://dx.doi.org/10.2139/ssrn.4579292.
- Porter, N (March 2, 2025). Life Hacks: Healthcare’s Cure for the Common Cyberattack. Modeling the Future Challenge 2025.
- Ponemon Institute (2024). The 2024 Study on Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report.
- National Security Agency (NSA) (March 2024). NSA’s Top Ten Cloud Security Mitigation Strategies. Cybersecurity Information. https://media.defense.gov/2024/Mar/07/2003407860/-1/-1/0/CSI-CloudTop10-Mitigation-Strategies.PDF.
- U.S. Department of Health and Human Services. Office of Civil Rights: Breach Portal. “Archive: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.” https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
- European Repository of Cyber Incidents (EuRepoC) (2024). The EuRepoC dashboard. https://www.swp-berlin.org/en/swp/about-us/organization/swp-projects/european-repository-on-cyber-incidents-eurepoc.
- A.M. Best (June 24, 2024). US Cyber: Hot Pricing Cools Off, Rapid Growth Stalls.
- Sheps Center for Health Services Research (2024). Rural Hospital Closure Database. https://www.shepscenter.unc.edu/programs-projects/rural-health/rural-hospital-closures/.
For more information, visit PorterQI.com, or email Q4Us@porterqi.com.
Cyberattacks are on the rise, and some projections suggest these attacks could cost global industry $10.5 trillion this year.[1] Of all the industries, healthcare is the most targeted by cyber criminals.[2] One reason for this exorbitant price is the urgency felt by healthcare organizations to respond to attacks. Inaction can cause long lines in the Emergency Room, patients not getting their essential medications and treatments, delayed surgeries, and blind clinicians trying to figure out what the patient’s allergies used to be.
In fact, when a cyberattack involves ransomware, and the attackers lock the organizations out of their networks, it significantly affects the treatment of patients. When a hospital experiences system downtimes due to ransomware, the mortality rate also increases by 40%.[3] Patients’ lives are literally at risk, so hospitals are quick to pay whatever ransom they need to in order to get their systems back. That easy payday makes them even more of a target, because the patients they serve are particularly vulnerable. It is a crime devoid of honor.
When I asked my son, Nathaniel, what he would be interested in researching for a scholarship challenge by the Actuarial Foundation, he said he’d like to study cyberattacks, especially the ones in healthcare. I was experiencing a downtime in my job because of a massive cyberattack at the time, and my son admitted that while he had always considered hackers to be lousy cheaters who made video games a lot less fun, he had never realized how cybercriminals could cripple a real-world company that delivered essential services to patients, and he wanted to know what could be done.
As the mentor for his project, I can say I was shocked by what he uncovered. Did you know that there are international Service Desks for paying your ransom to cybercriminals? Or did you know that more than 90% of healthcare organizations experienced a cyberattack last year, according to the Ponemon Institute?[4] The numbers are staggering.
So what can be done? Mitigation strategies like “zero-trust” technology,[5] onshoring data storage, and cyber insurance are all useful in responding to cyberattacks, but the problem is new, variable, and embarrassing for the organizations who are victims of the attacks, so very little data is available to assess the effectiveness of these strategies, and the scattered data that is available tends to come at a high price tag.
However, my son did discover a strategy that reduced risk in his statistical model for the Modeling the Future Challenge. He found that one mitigation strategy in particular could have a significant impact in lowering the downtime that healthcare organizations experience in an attack, which would preserve essential services for vulnerable patients. Lowering the downtime can both save lives and lower the cost of the cyberattack, as 31% of cyberattack costs that a healthcare organization faces are directly related to downtime. The data he collected included:
· Frequency, severity, and duration of cyberattack downtimes in the healthcare industry, 2012-2024
· Incidence of U.S. healthcare data breaches, 2009-2023[6]
· Global frequency of cyberattacks, 2024[7]
· Mortality statistics from cyberattacks, 2024
· Cyber insurance trends, 2024[8]
· Population statistics on U.S. hospitals and hospital closures, 2024.[9]
One of the things that I found interesting was the correlation of mandatory electronic medical records, the increase in cyberattacks, and hospital closures. While there is not enough data or a controlled enough environment to make claims about causality, it seems that hospitals may be suffering under policies like HIPAA and HITECH, which punish them for becoming victims, yet hold digital service providers and national security faultless despite outdated and lackadaisical policies. It’s kind of like punishing a homeowner for allowing a thief to rob them. Personally, I think there is a big difference between a data breach caused by neglect and a data breach caused by international cybercriminals. The former is like trafficking data; the latter is like having your data kidnapped for a ransom.
Regardless, I thought my son’s model was interesting. It demonstrated how a cloud-based downtime solution, specifically designed for disaster resilience that meets all the rigorous privacy requirements of HIPAA regulations, could help a hospital quickly return to business as usual without the extreme losses of getting locked out of the operations system.
His model was built on a downtime-cost distribution derived from actual incidence rates, which was then used to predict the probable cost of future cyberattack downtimes. He also used an AWS cloud service cost calculator to price the downtime system against an average healthcare facility’s data and compliance needs. He then used all of that information to run two randomized simulations across hundreds of imaginary hospitals, comparing the cost of a cyberattack with and without a downtime system. The risk adjustment was impressive, numbering in the billions of dollars.
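To make the shape of that comparison concrete, here is a small Monte Carlo simulation in Python written for this page as an added illustration; it is not Nathaniel’s model, his data, or his AWS pricing. The only figure taken from the post is the 31% downtime share of attack costs, which the code uses to calibrate the fixed (non-downtime) incident cost. Every other parameter (attack probability, the lognormal downtime distribution, cost per day offline, the downtime system’s annual cost, and how much downtime it avoids) is a constructed assumption to be replaced with real incidence data before drawing any conclusions.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean

# From the post: about 31% of the costs a healthcare organization faces
# after a cyberattack are directly related to downtime.
DOWNTIME_COST_SHARE = 0.31


@dataclass(frozen=True)
class Scenario:
    """Per-hospital-year parameters. Every value here is a constructed assumption."""
    attack_prob_per_year: float         # chance of a downtime-causing attack in a year
    downtime_days_median: float         # median days offline when an attack lands
    downtime_days_sigma: float          # log-scale spread of the downtime distribution
    downtime_cost_per_day: float        # lost revenue and diversion costs per day offline
    downtime_system_annual_cost: float  # hosted continuity system, paid every year
    downtime_reduction: float           # fraction of offline days avoided with the system


def nondowntime_cost(scn: Scenario) -> float:
    """Calibrate the fixed incident cost (forensics, notification, legal) so that,
    at the median downtime, downtime is DOWNTIME_COST_SHARE of the total cost."""
    downtime_cost = scn.downtime_days_median * scn.downtime_cost_per_day
    return downtime_cost * (1 - DOWNTIME_COST_SHARE) / DOWNTIME_COST_SHARE


def simulate_hospital_year(rng: random.Random, scn: Scenario, with_system: bool):
    """Return (days_offline, total_cost) for one hypothetical hospital over one year."""
    days = 0.0
    cost = scn.downtime_system_annual_cost if with_system else 0.0
    if rng.random() < scn.attack_prob_per_year:
        # Heavy-tailed downtime: most outages are short, a few drag on for weeks.
        days = rng.lognormvariate(math.log(scn.downtime_days_median), scn.downtime_days_sigma)
        if with_system:
            days *= 1.0 - scn.downtime_reduction
        # Assumption: the continuity system shortens the outage but does not
        # change the fixed incident-response costs.
        cost += nondowntime_cost(scn) + days * scn.downtime_cost_per_day
    return days, cost


def summarize(values):
    ordered = sorted(values)
    return {"mean": mean(ordered), "p95": ordered[int(0.95 * (len(ordered) - 1))]}


def run_simulation(scn: Scenario, n_hospitals: int = 500, seed: int = 2025) -> dict:
    """Run both arms across n_hospitals hypothetical hospitals. Both arms reuse the
    same seed, so each hospital faces the same attack draws with and without the
    system (a paired design that makes the difference between arms low-variance)."""
    out = {}
    for arm, with_system in (("without_system", False), ("with_system", True)):
        rng = random.Random(seed)
        days, costs = [], []
        for _ in range(n_hospitals):
            d, c = simulate_hospital_year(rng, scn, with_system)
            days.append(d)
            costs.append(c)
        out[arm] = {"downtime_days": summarize(days), "annual_cost": summarize(costs)}
    out["mean_saving_per_hospital"] = (
        out["without_system"]["annual_cost"]["mean"] - out["with_system"]["annual_cost"]["mean"]
    )
    return out


# Constructed example scenario: none of these numbers come from the post or its sources.
EXAMPLE = Scenario(
    attack_prob_per_year=0.25,
    downtime_days_median=14.0,
    downtime_days_sigma=0.8,
    downtime_cost_per_day=500_000.0,
    downtime_system_annual_cost=250_000.0,
    downtime_reduction=0.7,
)

if __name__ == "__main__":
    result = run_simulation(EXAMPLE)
    for arm in ("without_system", "with_system"):
        r = result[arm]
        print(f"{arm:15s} mean days offline {r['downtime_days']['mean']:6.2f}  "
              f"mean annual cost ${r['annual_cost']['mean']:,.0f}  "
              f"p95 annual cost ${r['annual_cost']['p95']:,.0f}")
    print(f"mean saving per hospital-year: ${result['mean_saving_per_hospital']:,.0f}")
```

The paired-seed design is the part worth copying: because both arms see identical attack draws, the difference between them isolates the effect of the downtime system rather than sampling noise, which is why a few hundred hospitals are enough to get a stable estimate. The p95 figure matters as much as the mean for a hospital deciding whether it can survive a bad year rather than an average one.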
While healthcare organizations should use every means available to avoid and recover from cyberattacks, Nathaniel advised that organizations prioritize the use of a downtime system to keep operations going despite frequent cyberattacks. Costs from the cyberattack would be reduced by preventing lost business from the downtime, and that could help hospitals stay afloat. It’s possible, based on the research, that lives could be saved as well by reducing the time spent offline. And without the urgency to save patients’ lives from cyber criminals, the urgency to pay ransoms would be reduced.
The ability to walk away from the ransom demand might actually be the best part because it would make cyberattacks against healthcare organizations less profitable for cyber criminals, effectively ending the market for healthcare cybercrime. If hospitals could not be strong-armed or manipulated into paying the ransom, the cyber criminals would stop trying.
In the following weeks, I’ll share some of the data my son uncovered about global cybercrime and how it affects the healthcare industry, discuss the pros and cons of our current methods of data breach reporting, review some of the interventions available, and finally, I hope to bring Nathaniel on as a guest so that he can tell you about his mitigation strategy himself.
[1] FBI Internet Crime Complaint Center (IC3) (2013). 2013 Internet Crime Report. https://www.ic3.gov/AnnualReport/Reports/2013_IC3Report.pdf.
[2] Microsoft Threat Intelligence (Oct. 2023). “Innovating for Security and Resilience.” Microsoft Digital Defense Report 2023, 100. https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023.
[3] McGlave, C; Neprash, H; Nikpay, S (Aug. 19, 2024). “Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients.” Social Science Research. http://dx.doi.org/10.2139/ssrn.4579292.
[4] Ponemon Institute (2024). The 2024 Study on Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report.
[5] National Security Agency (NSA) (March 2024). NSA’s Top Ten Cloud Security Mitigation Strategies. Cybersecurity Information. https://media.defense.gov/2024/Mar/07/2003407860/-1/-1/0/CSI-CloudTop10-Mitigation-Strategies.PDF.
[6] U.S. Department of Health and Human Services. Office of Civil Rights: Breach Portal. “Archive: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.” https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
[7] European Repository of Cyber Incidents (EuRepoC) (2024). The EuRepoC dashboard. https://www.swp-berlin.org/en/swp/about-us/organization/swp-projects/european-repository-on-cyber-incidents-eurepoc.
[8] A.M. Best (June 24, 2024). US Cyber: Hot Pricing Cools Off, Rapid Growth Stalls.
[9] Sheps Center for Health Services Research (2024). Rural Hospital Closure Database. https://www.shepscenter.unc.edu/programs-projects/rural-health/rural-hospital-closures/.