Cyber security in healthcare industry sectors has never been so important as it is today. Over the last ten years, the cyber risk in healthcare dramatically increased. This has been coupled with the development of more sophisticated ways to breach IT security. Large organizations and governments have recognized that healthcare information technology security is essential to protect both providers and patients from cyber attacks.
Despite this, the number of cyberattacks on hospital systems has significantly increased and continues to grow at pace. Why people want to disrupt healthcare is beyond most people’s grasp, as attacking the cybersecurity and information security of hospitals and other healthcare providers puts patients’ wellbeing and life at risk. So why do an increasing number of cybercriminals do it?
This article will examine the issues within healthcare and cybersecurity and the specific healthcare cyber threats. We will also try to answer the question, “Health cybersecurity – how can we improve it?”
What do cybercriminals expect to gain from attacking healthcare organizations?
Hackers attempt to breach healthcare cybersecurity for three primary reasons:
- The day-to-day provision of healthcare services is immediately impacted if the supporting technology systems are unavailable. This means that healthcare organizations attacked by ransomware are more likely to quickly pay substantial sums than organizations from different sectors that receive this type of cybersecurity attack.
- Stolen information about patients has a high sales value on the dark web, as it can be used for criminal purposes such as blackmail and insurance fraud, as well as identity theft.
- For a number of reasons, keeping IT security and cybersecurity at the right level to prevent cyber attacks is very challenging. We will explore this more in the next section.
Why is the cyber risk in healthcare so high?
There are many different cyber security issues in healthcare organizations. This is due in part to the fact that the use of technology now underpins so much of modern medicine. It’s not just patient records that need IT security. Medical devices such as X-Ray scanners and infusion pumps have IT components that are vulnerable to cyber-attacks. Patient information and the medical data about them is increasingly stored in the cloud, telehealth relies on external networks to communicate with patients, and an increasing number of devices use the Internet of Things (IoT) as part of a wider health network. Hence cybersecurity is complex as it has to consider a wide range of devices and vulnerabilities.
The small size of many healthcare organizations
For small organizations, the costs of implementing and maintaining healthcare cybersecurity can be very high when compared to other operating costs. This is particularly the case for small community hospitals, independent doctors, independent pharmacists, and small dental practices where cybersecurity is often not seen as a priority. As a result, many do not have the necessary defenses against cyberattacks in place, so the cyber risk in healthcare for these small organizations is much higher than in the rest of healthcare cybersecurity.
Interconnected healthcare organizations
Every healthcare organization is part of a wider health system. Most of them are now connected by technology, including wide-area networks (WAN), shared cloud datastores, common application providers, and of course, email. Because of this interconnected nature of healthcare providers, an attack on a single organization can soon spread to many others.
As an example of the scale of the problem, the American Dental Association reported that in August 2019, hundreds of dental practices were affected by ransomware attacks. The attack started by targeting a provider of dental IT services and soon spread to prevent access to key data.
Healthcare cybersecurity – obsolete systems
Because of the high cost of upgrades, many healthcare organizations are still using old PCs with obsolete operating systems and out-of-date patches. This leaves them wide open to attacks using know vulnerabilities. The 2017 WannaCry ransomware attack on the National Health Service in England disrupted nearly 700 healthcare providers, resulting in the cancellation of over 19,000 patient appointments. There was also a high cost to restore data and repair systems. All of the affected organizations had unpatched or unsupported Windows operating systems that made them susceptible to the ransomware.
Healthcare cybersecurity – uncontrolled devices
Some healthcare organizations have a high usage of contract staff. Many of these bring their own laptops and PDAs with them, presenting a challenge to IT security teams as they have to cope with a complex variety of different operating systems and applications. While they may be able to adopt a standard image for all PCs that they own, it can be very difficult to force this onto contractor’s personal equipment. When the contractor connects their own device to the network, this adds a significant vulnerability, compromising the healthcare cybersecurity of the organization.
Healthcare cybersecurity – embedded technology
Healthcare providers are deploying more and more connected medical devices each day. These now make up three-quarters of all IT devices connected to a hospital’s network. These medical devices are often necessary to sustain the life of the patient. Disabling them, or modifying their functionality, can mean the difference between life or death. Like any digital device, updates are needed to keep them running and safe. Unfortunately, many of them use embedded technology that can be difficult to patch and may contain security vulnerabilities. It is not uncommon for these devices to use very old versions of operating systems that are out of support. The IT security vulnerabilities of these are well known to hackers, leaving the organization at very high risk if the attackers can breach the outer defenses and access these devices.
The list of medical devices that connect to healthcare networks includes using embedded technology includes X-ray machines, patient tracking wristbands, ventilators, infusion pumps, and vital-sign monitors. All of these devices use hospital networks to provide clinicians with important data and information about patients, which they use to make important decisions that can make a difference between life and death.
The DIBR and healthcare
The Verizon Data Breach Investigations Report, or DBIR, is one of the most highly respected and informative annual reports within the security industry. The report for 2020 indicated that there had been a substantial increase in the number of breaches and incidents across all sectors. There had been a 71% increase in breaches or incidents within healthcare over the number recorded for 2019. Cyberattacks from outside the organization caused nearly 50% of all breaches in IT security within healthcare.
Cyber attacks on hospital systems – an example
In 2019 Campbell County Health in Wyoming was the victim of a ransomware cyberattack. This healthcare organization operates a 90-bed acute care hospital and 20 clinics across the county. Once the hackers had breached the healthcare cybersecurity defenses, they encrypted sensitive patient data and medical devices then demanded a ransom to unlock access to them.
All email systems and cash registers were affected. Medical staff had to use pen and paper to document medical conditions and treatments. Because prescription records were inaccessible, incoming patients were asked to bring any medication bottles with them. Many clinical appointments had to be canceled, including those for therapy, radiology, and endocrinology. Patients requiring urgent treatment had to be transferred to hospitals run by other providers, sometimes hundreds of miles.
In an address to the community, The CEO of Campbell County Health said:
“CCH is not the first organization, hospital or otherwise, to be hit with a ransomware attack. Every organization is subject to this type of cybercrime. We were not the first, and, unfortunately, we won’t be the last to experience this. Individuals, as well as organizations, must remain constantly vigilant, at home and at work, in order not to become a victim of this kind of crime. CCH had strong systems in place before the attack, and we have invested in additional measures, but the threat remains for all of us.”
The effect of the 2020/2021 pandemic
The 2020/2021 global pandemic has exacerbated the cyber security issues in healthcare as the number of attacks has increased whilst IT security teams have been hit. In May 2020, Bitdefender Labs reported:
“With healthcare systems under constant strain amid the SARS-CoV-2 global pandemic, hospitals and healthcare facilities around the world have also been hit by a wave of cyberattacks, including ransomware attacks. While officials have already issued warnings that hospitals, governments, and universities may be more conscious about losing data and access to critical systems, Bitdefender telemetry reveals that the number of cyberattacks and ransomware incidents directly targeting healthcare significantly increased over the past couple of months, up 60% in March 2020 from February 2020. This is the highest spike in our global evolution of cyberattacks detected at hospitals reported over the past 12 months, showing that cybercriminals have clearly leveraged the pandemic to launch these campaigns.”
How can we improve healthcare cybersecurity?
The healthcare sector continues to face challenges principally caused by lack of investment in replacing antiquated IT equipment with systems that can be continually kept up to date with security patches, coupled with attracting and training healthcare cybersecurity professionals that can deal with the increasing threats. The cyber risk in healthcare continues to grow at a rapid rate, as has the increase in the use of technology. Arguably cybersecurity within healthcare organizations should provide safeguards to a level that exceeds those of most other industry sectors. But in most cases, it doesn’t, and the healthcare sector is losing ground in its battle against cybercrime.
There is only one way to turn the tide, investment. Making significant financial investments in healthcare cybersecurity, healthcare information technology security, and IT equipment used in healthcare is the only way to tackle the threats from cyber attacks.
To prevent new technology platforms from making the situation worse, each proposed new platform should be examined to weigh the medical benefits provided to patients against the risk and impact of cyberattacks introduced by the platform.
Every industry sector is facing an increasing wave of cybersecurity threats, but none more so than healthcare. Healthcare has suffered from a lack of investment in cybersecurity for many years, but this has to be addressed now. Lives are at stake if this is not done.