Musings from the team at rock paper sushi, a content marketing consultancy.
More Cyberattacks Against Hospitals: Why They’re Increasing and How to Prevent Them
With the news that Ascension Health suffered a cyberattack on May 8, a disturbing trend is taking shape. Ascension, the largest chain of Catholic hospitals, is just the latest story. UnitedHealth found itself the victim of cyber criminals on February 21, which exposed sensitive information – affecting millions of American patients – to hackers from adversarial nations. The chaos was severe and lasted for weeks. The attack targeted United’s Change Healthcare, which serves as a “digital highway between health insurers and hospitals and doctors.” Patients could not fill prescriptions, and hospitals could not pay staff for their work during this time. But these aren’t the only hospitals or healthcare systems affected. In fact, the numbers are growing. It’s important to understand why this is happening and what can be done to stop it.
Cyberattacks on Hospitals Threaten the Lives of Patients
The damage wrought by cyberattacks that concentrate on hospitals and healthcare systems transcends operational disruptions, financial loss, and data risks; these attacks threaten the lives of patients in those systems.
- Disrupted Access to Medical Records: Many hospitals rely on electronic health records (EHR) to store patient information. A cyberattack locks doctors and nurses out of these records, making it difficult to diagnose and treat patients effectively. Delays in care, especially for critical cases, can be life-threatening.
- Impeded Medical Equipment: Modern medical devices often connect to hospital networks. Cyberattacks disrupt communication with these devices, potentially rendering them unusable. Imagine the impact on equipment that’s critical for use in surgeries, intensive care, or other life-saving procedures.
- Misinformation and Errors: If hackers tamper with medical data, it could lead to erroneous diagnoses or medication errors, with serious health consequences for patients already in a critical condition.
- Diverted Resources: A cyberattack can force a hospital to divert resources to recovery efforts, taking staff away from patient care. Longer wait times and potentially missed emergencies could signal the difference between timely treatment and a deadly outcome.
- Psychological Impact: A cyberattack creates stress and anxiety for both patients and staff. This can worsen a patient’s condition or hinder clear decision-making by medical professionals.
To call the situation “serious” wouldn’t do it justice. As Reed Abelson and Noah Weiland reported in the New York Times, UnitedHealth CEO Andrew Witty was called to testify before the Senate Finance Committee about the weaknesses and deficits in security that allowed the cyberattack to succeed: “In a tense Senate hearing on Wednesday, lawmakers sharply criticized UnitedHealth Group’s handling of the cyberattack that paralyzed the U.S. health care system, citing the failure of its security systems and the potential disclosure of sensitive medical information of millions of Americans.”
To put the potential damage into perspective, consider that UnitedHealth made $372 billion in revenues last year as one of the country’s largest corporations. It’s also the largest health insurer and a big pharmacy benefit manager (OptumRx), overseeing nearly one in 10 doctors across the United States.
In its announcement about the attacks, Ascension published a press release that stated:
On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cybersecurity event. At this time we continue to investigate the situation. We responded immediately, initiated our investigation and activated our remediation efforts. Access to some systems have been interrupted as this process continues.
Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption.
Ascension is the fourth-largest hospital network in the country, with 140 locations in 19 states.
Cyber Criminals Capitalizing on Crisis
We are still recovering from an international health emergency that lingers in the wake of the COVID-19 outbreak. But one infrequently discussed problem is how the pandemic created opportunities for cyber criminals to exploit this humanitarian crisis for personal gain.
John Riggi, Senior Advisor for Cybersecurity and Risk, American Hospital Association, explained the threats and concerns: “Cyber criminals are more organized than they were in the past, they are often more skilled and sophisticated. Those that conduct ransomware attacks as part of an ongoing criminal enterprise may reinvest some of their ill-gotten gains to develop more powerful malware and computer infrastructure to make their attacks harder to defend against, and make the perpetrators harder to catch.”
Riggi also emphasized that “a ransomware attack on a hospital crosses the line from an economic crime to a threat-to-life crime.” These threat-to-life assaults on the U.S. healthcare system are becoming more widespread.
Healthcare Emerging as the Top Industry for Cyberattacks
According to Arctic Wolf, a leading cybersecurity platform, healthcare is the top industry segment among its customer base that is targeted by ransomware attacks. Here is a list of the biggest healthcare cyberattacks, compiled by Arctic Wolf.
- HCA Healthcare: “During this July 2023 breach of a Tennessee-based hospital and clinic operator, threat actors accessed and exfiltrated data from an external storage location that formatted emails and calendar reminders sent to patients.”
- Medibank: “Russian-based hackers believed to have ties to the infamous REvil ransomware gang made off with the personal information of 9.7 million customers, including data on 1.8 million international customers and high-profile Australian politicians Prime Minister Anthony Albanese and cybersecurity minister Clare O’Neil in this 2022 hack.”
- Regal Medical Group: “This Southern California-based medical group was the victim of a ransomware attack in December of 2022, notifying patients in early 2023. The group stated that, ‘the categories of impacted personal information may include, among other things: your name, social security number (for certain, but not all, potentially impacted individuals), address, date of birth, diagnosis and treatment, laboratory test results, prescription data, radiology reports, Medicare ID number, health plan member number, and phone number.’”
- Cerebral: “Telehealth organization Cerebral made headlines in 2023 not for their technology, but for a data breach. In an interesting twist, Cerebral themselves may have also played the role of cybercriminal. The organization installed tracking pixels from major technology groups (including Google, Meta, and TikTok) on their applications, which caused PHI to be exposed to third parties without patient consent — a major HIPAA violation.”
- Shields Health Care Group: “In May of 2022, this Massachusetts-based medical imaging service provider reported that a cybercriminal had gained unauthorized access to some of its IT systems back in March. All told, over two million patients had their PHI stolen, including names, addresses, Social Security numbers, insurance information, and medical history information.”
- Advocate Aurora Health: “With 26 hospitals across Wisconsin and Illinois, Advocate Aurora Health is one of the largest healthcare providers in the Midwest. Their improper use of a common website tracking device led to the exposure of the data of three million patients in July of 2022.”
- Banner Health: “In 2016, hackers used malware to breach the payment processing system of Banner Health’s food and beverage outlets. The attackers then used the system as a gateway into the Banner Health network, eventually obtaining access to servers containing patient data. The cyber attack went undiscovered for nearly a month. Stolen data included highly sensitive information such as Social Security numbers, dates of services and claims, health insurance information, and more.”
- Medical Informatics Engineering: “In 2015, Medical Informatics Engineering (MIE), an electronic health records software firm, published a notice that attackers had breached patient data in its WebChart web app. Hackers had entered the company network remotely by logging in with easily guessed credentials. Once inside, attackers introduced an SQL injection exploit into a company database. Weeks later, the attackers launched a second offensive, using c99 web shell malware to reach additional files.”
Hospitals Are Data and Cash Rich Targets for Cyberattacks
Vulnerable to Attack
- Valuable Data: Hospitals store a treasure trove of sensitive patient information – names, addresses, Social Security numbers, and most importantly, medical records. This data can be sold on the black market for a high price, making hospitals a lucrative target for criminals.
- Pressure to Pay: Hospitals are under immense pressure to restore normal operations quickly, especially during emergencies. When a ransomware attack cripples their systems, they’re more likely to pay the ransom to get back online, even if those actions discourage optimal security practices.
- Increased Reliance on Technology: Modern healthcare relies heavily on online technology, from patient records to medical devices. This creates more points of entry for attackers to exploit vulnerabilities in these interconnected systems.
- Legacy Systems: Many hospitals still use outdated computer systems that lack the latest security patches, making them easier targets for hackers.
- Stretched Resources: Hospitals often have limited budgets and IT staff, which makes it difficult to implement and maintain robust cybersecurity measures.
Political Motivations from Adversarial Nations
- Destabilization: Disrupting critical healthcare infrastructure can sow chaos and distrust within a targeted nation. Imagine the public outcry if a hospital network went down during a pandemic. This can weaken public confidence in the government's ability to keep citizens safe.
- Bargaining Chip: By holding a hospital’s systems hostage, a nation can pressure the target government into concessions on political or economic issues. The idea is that the targeted nation will be more willing to give in to avoid further disruption to healthcare services.
- Espionage: Hospitals may have access to sensitive government research data or information about public health emergencies. A cyberattack could be used to steal this kind of information for national security purposes.
- Propaganda: A successful cyberattack on a hospital can be used for propaganda purposes, portraying the attacking nation as technologically superior and the victim nation as weak.
- Signaling: Cyberattacks can be a way for nations to signal their displeasure with another country's actions, without resorting to open conflict.
How Hospitals Can Bolster Cybersecurity Efforts
Legislative Measures
Practical and Internal Approaches to Cybersecurity
- Prioritize Risk Assessments: Hospitals should regularly conduct thorough assessments to identify vulnerabilities in their IT systems and data storage practices. This will help them focus their resources on the areas that need the most improvement.
- Educate Staff: Employees are often the first line of defense against cyberattacks. Hospitals should invest in cybersecurity training programs to educate staff on phishing scams, social engineering tactics, and best practices for password hygiene.
- Patch Systems Promptly: Unpatched software vulnerabilities are a major entry point for attackers. Hospitals should have a system in place for applying updates and security patches to all devices and software programs as soon as they become available.
- Implement Multi-Factor Authentication: This adds an extra layer of security by requiring a second verification step beyond just a username and password when logging into sensitive systems.
- Segment Networks: Divide the hospital network into different segments to limit the potential damage if a breach occurs. This can help prevent attackers from gaining access to critical patient data.
- Back Up Data Regularly: Having a secure backup system allows hospitals to restore their data quickly in the event of a ransomware attack or other data loss incident.
- Develop an Incident Response Plan: A clear plan helps hospitals respond quickly and efficiently to a cyberattack, minimizing downtime and patient disruption.
- Invest in Security Technologies: Firewalls, intrusion detection systems, and endpoint security software can help to identify and block malicious activity.
- Partner with Security Experts: Many hospitals lack the in-house expertise to manage complex cybersecurity threats. Partnering with experienced security specialists can provide valuable guidance and support.