More Cyberattacks Against Hospitals: Why They’re Increasing and How to Prevent Them


With the news that Ascension Health suffered a cyberattack on May 8, a disturbing trend is taking shape. Ascension, the largest chain of Catholic hospitals, is just the latest story. UnitedHealth found itself the victim of cyber criminals on February 21, which exposed sensitive information – affecting millions of American patients – to hackers from adversarial nations. The chaos was severe and lasted for weeks. The attack targeted United’s Change Healthcare, which serves as a “digital highway between health insurers and hospitals and doctors.” Patients could not fill prescriptions, and hospitals could not pay staff for their work during this time. But these aren’t the only hospitals or healthcare systems affected. In fact, the numbers are growing. It’s important to understand why this is happening and what can be done to stop it.

Cyberattacks on Hospitals Threaten the Lives of Patients

The damage wrought by cyberattacks that concentrate on hospitals and healthcare systems transcends operational disruptions, financial loss, and data risks; these attacks threaten the lives of patients in those systems. 

  • Disrupted Access to Medical Records: Many hospitals rely on electronic health records (EHR) to store patient information. A cyberattack locks doctors and nurses out of these records, making it difficult to diagnose and treat patients effectively. Delays in care, especially for critical cases, can be life-threatening.
  • Impeded Medical Equipment: Modern medical devices often connect to hospital networks. Cyberattacks disrupt communication with these devices, potentially rendering them unusable. Imagine the impact on equipment that’s critical for use in surgeries, intensive care, or other life-saving procedures.
  • Misinformation and Errors: If hackers tamper with medical data, it could lead to erroneous diagnoses or medication errors, with serious health consequences for patients already in a critical condition.
  • Diverted Resources: A cyberattack can force a hospital to divert resources to recovery efforts, taking staff away from patient care. Longer wait times and potentially missed emergencies could signal the difference between timely treatment and a deadly outcome.
  • Psychological Impact: A cyberattack creates stress and anxiety for both patients and staff. This can worsen a patient’s condition or hinder clear decision-making by medical professionals.

To call the situation “serious” wouldn’t do it justice. As Reed Abelson and Noah Weiland reported in the New York Times, UnitedHealth CEO Andrew Witty was called to testify before the Senate Finance Committee about the weaknesses and deficits in security that allowed the cyberattack to succeed: “In a tense Senate hearing on Wednesday, lawmakers sharply criticized UnitedHealth Group’s handling of the cyberattack that paralyzed the U.S. health care system, citing the failure of its security systems and the potential disclosure of sensitive medical information of millions of Americans.”

To put the potential damage into perspective, consider that UnitedHealth made $372 billion in revenues last year as one of the country’s largest corporations. It’s also the largest health insurer and a big pharmacy benefit manager (OptumRx), overseeing nearly one in 10 doctors across the United States.

In its announcement about the attacks, Ascension published a press release that stated:

On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cybersecurity event. At this time we continue to investigate the situation. We responded immediately, initiated our investigation and activated our remediation efforts. Access to some systems have been interrupted as this process continues.

Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption.

Ascension is the fourth-largest hospital network in the country, with 140 locations in 19 states. 

Cyber Criminals Capitalizing on Crisis

We are still recovering from an international health emergency that lingers in the wake of the COVID-19 outbreak. But one infrequently discussed problem is how the pandemic created opportunities for cyber criminals to exploit this humanitarian crisis for personal gain.  

John Riggi, Senior Advisor for Cybersecurity and Risk, American Hospital Association, explained the threats and concerns: “Cyber criminals [are] more organized than they were in the past, they are often more skilled and sophisticated. Those that conduct ransomware attacks as part of an ongoing criminal enterprise may reinvest some of their ill-gotten gains to develop more powerful malware and computer infrastructure to make their attacks harder to defend against, and make the perpetrators harder to catch.”

Riggi also emphasized that “a ransomware attack on a hospital crosses the line from an economic crime to a threat-to-life crime.” These threat-to-life assaults on the U.S. healthcare system are becoming more widespread. 

Healthcare Emerging as the Top Industry for Cyberattacks 

According to Arctic Wolf, a leading cybersecurity platform, healthcare is the top industry segment among its customer base that is targeted by ransomware attacks. Here is a list of the biggest healthcare cyberattacks, compiled by Arctic Wolf.

  • HCA Healthcare: “During this July 2023 breach of a Tennessee-based hospital and clinic operator, threat actors accessed and exfiltrated data from an external storage location that formatted emails and calendar reminders sent to patients.”
  • Medibank: “Russian-based hackers believed to have ties to the infamous REvil ransomware gang made off with the personal information of 9.7 million customers, including data on 1.8 million international customers and high-profile Australian politicians Prime Minister Anthony Albanese and cybersecurity minister Clare O’Neil in this 2022 hack.”
  • Regal Medical Group: “This Southern California-based medical group was the victim of a ransomware attack in December of 2022, notifying patients in early 2023. The group stated that, ‘the categories of impacted personal information may include, among other things: your name, social security number (for certain, but not all, potentially impacted individuals), address, date of birth, diagnosis and treatment, laboratory test results, prescription data, radiology reports, Medicare ID number, health plan member number, and phone number.’”
  • Cerebral: “Telehealth organization Cerebral made headlines in 2023 not for their technology, but for a data breach. In an interesting twist, Cerebral themselves may have also played the role of cybercriminal. The organization installed tracking pixels from major technology groups (including Google, Meta, and TikTok) on their applications, which caused PHI to be exposed to third parties without patient consent — a major HIPAA violation.”
  • Shields Health Care Group: “In May of 2022, this Massachusetts-based medical imaging service provider reported that a cybercriminal had gained unauthorized access to some of its IT systems back in March. All told, over two million patients had their PHI stolen, including names, addresses, Social Security numbers, insurance information, and medical history information.”
  • Advocate Aurora Health: “With 26 hospitals across Wisconsin and Illinois, Advocate Aurora Health is one of the largest healthcare providers in the Midwest. Their improper use of a common website tracking device led to the exposure of the data of three million patients in July of 2022.”
  • Banner Health: “In 2016, hackers used malware to breach the payment processing system of Banner Health’s food and beverage outlets. The attackers then used the system as a gateway into the Banner Health network, eventually obtaining access to servers containing patient data. The cyber attack went undiscovered for nearly a month. Stolen data included highly sensitive information such as Social Security numbers, dates of services and claims, health insurance information, and more.”
  • Medical Informatics Engineering: “In 2015, Medical Informatics Engineering (MIE), an electronic health records software firm, published a notice that attackers had breached patient data in its WebChart web app. Hackers had entered the company network remotely by logging in with easily guessed credentials. Once inside, attackers introduced an SQL injection exploit into a company database. Weeks later, the attackers launched a second offensive, using c99 web shell malware to reach additional files.”

Hospitals Are Data and Cash Rich Targets for Cyberattacks

Vulnerable to Attack

Why are cyberattacks on the rise for hospitals? Simply put, healthcare systems are vulnerable. The vast volume and value of patient data make these organizations attractive prey. But several factors combine to place hospitals in the crosshairs of cybercriminals.

  • Valuable Data: Hospitals store a treasure trove of sensitive patient information – names, addresses, Social Security numbers, and most importantly, medical records. This data can be sold on the black market for a high price, making them a lucrative target for criminals.
  • Pressure to Pay: Hospitals are under immense pressure to restore normal operations quickly, especially during emergencies. When a ransomware attack cripples their systems, they’re more likely to pay the ransom to get back online, even if those actions discourage optimal security practices.
  • Increased Reliance on Technology: Modern healthcare relies heavily on online technology, from patient records to medical devices. This creates more points of entry for attackers to exploit vulnerabilities in these interconnected systems.
  • Legacy Systems: Many hospitals still use outdated computer systems that lack the latest security patches, making them easier targets for hackers.
  • Stretched Resources: Hospitals often have limited budgets and IT staff, which makes it hard to implement and maintain robust cybersecurity measures.

“Another sign of ransomware’s increased sophistication is its relative effectiveness rate,” Riggi wrote. “Ransomware accounted for more than 70 percent of the successful cyber attacks on health care organizations in each of the past two years.”

Political Motivations from Adversarial Nations

Given the origins of the attacks – from groups such as Conti with ties to Russia and North Korea’s WannaCry ransomware attack in 2017 – it’s also clear that adversarial nations have launched aggressive initiatives to hobble U.S. healthcare systems for political motivations.

  • Destabilization: Disrupting critical healthcare infrastructure can sow chaos and distrust within a targeted nation. Imagine the public outcry if a hospital network went down during a pandemic. This can weaken public confidence in the government's ability to keep citizens safe.
  • Bargaining Chip: By holding a hospital’s systems hostage, a nation can pressure the target government into concessions on political or economic issues. The idea is that the targeted nation will be more willing to give in to avoid further disruption to healthcare services.
  • Espionage: Hospitals may have access to sensitive government research data or information about public health emergencies. A cyberattack could be used to steal this kind of information for national security purposes.
  • Propaganda: A successful cyberattack on a hospital can be used for propaganda purposes, portraying the attacking nation as technologically superior and the victim nation as weak.
  • Signaling: Cyberattacks can be a way for nations to signal their displeasure with another country's actions, without resorting to open conflict.

Riggi also pointed out the geopolitical nature of cyberattacks in his report: “Government and terrorist groups are using cyber crime as a way to level the playing field against more powerful adversaries such as the U.S., which they know they could not defeat in a direct, head to head military confrontation. They know they are at less of a disadvantage by engaging in asymmetrical warfare, using difficult to attribute cyber attacks to achieve their foreign policy, military and intelligence objectives.”

How Hospitals Can Bolster Cybersecurity Efforts

Legislative Measures

Efforts by individual hospitals alone won’t be enough to counteract the complex forces and incentives driving these attacks. The cyber risk landscape for healthcare is now deeply intertwined with the global political climate.

To protect hospitals and their patients, a coordinated federal response is necessary. This would require uniting law enforcement, legislative bodies, military resources, and intelligence agencies to build a robust defense system.

The justification for such a comprehensive approach is clear: ransomware has evolved from a financial crime to one that directly threatens public health and safety. A ransomware attack that halts patient care at a hospital differs little from a terrorist attack with mass casualties. Both acts of aggression violate fundamental international norms.

Unfortunately, the current laws used to prosecute cybercrimes inadequately reflect the severity of damage they inflict on hospitals. The Computer Fraud and Abuse Act (18 U.S.C. § 1030) carries a maximum sentence of 20 years, but sentencing guidelines typically result in much lighter punishments. This hardly presents a deterrent for international criminals who can profit by millions of dollars from their attacks, with a slim chance of getting caught.

Riggi, for his part, doesn’t believe that new laws need to be introduced. Rather, we should strengthen the ones we have: “For example, USC T18 §1030 is most appropriate for prosecuting some ransomware attacks, but can be made more powerful when combined with or replaced with alternate prosecution strategies which include other federal statutes covering Racketeer Influence and Corrupt Organizations, money laundering, commercial extortion, homicide and even terrorism. These additional crimes carry far more serious penalties that are more consistent with the threat to life element presented by disruptive cyber attacks against hospitals.”

Practical and Internal Approaches to Cybersecurity

Hospitals must take preventative and strategic steps to bolster their cybersecurity practices and teams. A concerted effort to create new security positions and hire for them would be a great starting point. They can also implement several measures to strengthen their cybersecurity defenses, even in the face of a complex geopolitical landscape.

  • Prioritize Risk Assessments: Regularly conduct thorough assessments to identify vulnerabilities in their IT systems and data storage practices. This will help them focus their resources on the areas that need the most improvement.
  • Educate Staff: Employees are often the first line of defense against cyberattacks. Hospitals should invest in cybersecurity training programs to educate staff on phishing scams, social engineering tactics, and best practices for password hygiene.
  • Patch Systems Promptly: Unpatched software vulnerabilities are a major entry point for attackers. Hospitals should have a system in place for applying updates and security patches to all devices and software programs as soon as they become available.
  • Implement Multi-Factor Authentication: This adds an extra layer of security by requiring a second verification step beyond just a username and password when logging into sensitive systems.
  • Segment Networks: Divide the hospital network into different segments to limit the potential damage if a breach occurs. This can help prevent attackers from gaining access to critical patient data.
  • Back Up Data Regularly: Having a secure backup system allows hospitals to restore their data quickly in the event of a ransomware attack or other data loss incident.
  • Develop an Incident Response Plan: A clear plan helps hospitals respond quickly and efficiently to a cyberattack, minimizing downtime and patient disruption.
  • Invest in Security Technologies: Firewalls, intrusion detection systems, and endpoint security software can help to identify and block malicious activity.
  • Partner with Security Experts: Many hospitals lack the in-house expertise to manage complex cybersecurity threats. Partnering with experienced security specialists can provide valuable guidance and support.

By taking a proactive approach to cybersecurity, hospitals can make themselves less vulnerable to attacks and protect the sensitive data of their patients. Although a united national response is crucial, even simple steps can empower hospitals to take control of their defenses and honor their commitment to protecting patients.