Life-Threatening Cyber Crimes: The Escalating Issue of Ransomware Attacks on Hospitals

‘These are threat-to-life crimes': Hospitals facing rise in ransomware attacks

Vital medical equipment such as CT scanners, MRIs, and heart monitors is increasingly becoming the focus of cybercriminals.

An alarming trend has emerged with 60% of healthcare organizations falling victim to ransomware attacks in the past year. These cyberattacks can seize control of a hospital's operating system, blocking data access until a ransom is paid, and potentially incapacitating hospital systems for days.

John Riggi, the National Advisor for Cybersecurity and Risk at the American Hospital Association, emphasizes, "When hospitals fall under attack, it's a direct threat to human lives. Ransomware is now our primary concern due to its significant impact on patient safety."

Riggi further states, "These aren't just white-collar or data-theft crimes. They're crimes that pose a direct threat to human life."

In November, Anne Wolf experienced a delay in her scheduled open-heart surgery when doctors could no longer access her medical records due to a ransomware attack on Arden Health Services, which manages 30 hospitals across six states.

In a similar incident in August, Prospect Medical Holdings, owner of 170 medical facilities, had to disconnect its national computer systems following a ransomware attack. This led to the cancellation of patient treatments, closure of outpatient facilities, and doctors resorting to pen and paper for patient record-keeping.

In 2016, MedStar Health, a healthcare provider for hundreds of thousands of patients in the D.C. area, was hit by a ransomware attack. This resulted in a shutdown of their computer systems, cancellation of patient appointments, and delays in life-saving treatments like radiation therapy.

Dr. Christian Dameff, an emergency physician and security researcher at the University of California, San Diego, explains, "These crippling attacks essentially incapacitate a hospital network, making it incapable of providing care."

To prepare for potential system blackouts, Dameff's team conducted several simulated ransomware attacks to assess the readiness of doctors and hospitals. The feedback from doctors was alarming, with many admitting they couldn't imagine providing patient care without the aid of connected technology.

The American Hospital Association reports that many hospitals are equipped to operate without any technology for up to 72 hours, and some even up to 96 hours. However, cybersecurity experts argue that this is insufficient and advocate for hospitals to develop procedures to manage a complete technology loss for up to 30 days.

When asked about the progress towards this goal, Riggi admits, "To be honest, we're just getting started."

In response to these threats, hospitals are increasing their cybersecurity budgets, hiring additional staff, and even obtaining ransomware insurance. Despite these efforts, the battle against these invisible threats continues.

Dameff warns, "We can't even begin to comprehend the nature of cybersecurity attacks that we may face in the next five to ten years. It's going to be a constant game of cat-and-mouse, with malicious hackers continually innovating and us playing catch-up."

As the threat to hospitals grows, cybersecurity experts also caution that personal medical devices with Wi-Fi connectivity, such as pacemakers and insulin pumps, could be vulnerable. Although there are no known cases yet, the Food and Drug Administration isn't taking any chances. They've established the Medical Device Cybersecurity Team to safeguard patient safety and help reduce risks.

What Happens During A Cyberattack on Hospitals?


In the event of a cyberattack on a hospital, unauthorized intruders infiltrate hospital databases with two primary objectives: to pilfer valuable data or to wreak significant havoc on internal systems.

Medical records are the most prized assets on the dark web, fetching an average price of $250 per record. Credit card data, while also valuable, pales in comparison with a maximum selling price of just $5. Consequently, even if hackers only manage to steal a small fraction of a hospital's records, the financial gain from such a cyberattack can be substantial.

Another motivation for ransomware attacks on hospitals is to immobilize entire hospital systems or specific critical departments. This often compels medical professionals to revert to traditional methods like pen and paper and rely on their memory for patient medication details. Such a shift drastically slows down medical procedures and frequently results in the delay or cessation of essential treatments such as chemotherapy, transplants, or testing.

The repercussions of system downtime intensify with its duration, particularly for small and mid-sized hospitals. Lacking the maturity to promptly detect threats, these hospitals typically endure an average downtime of 10 hours. Each hour of downtime incurs approximately $45,700 in losses, often driving smaller institutions to declare bankruptcy and cease operations.


FAQ:

Are hospitals susceptible to cyberattacks?

Indeed, the majority of medical devices are not designed with cybersecurity as a priority, making them potential gateways for hackers to infiltrate a hospital's network.

Hospital records, which can fetch up to $250 on the Dark Web, are particularly attractive to cybercriminals. Because healthcare organizations rely on uninterrupted system access, they are often more inclined to pay the demanded ransom without negotiation. Consequently, even small-scale attacks on hospitals can yield substantial profits for malicious entities through the sale of medical records and ransom payments.

How prevalent are cyberattacks on US hospitals?

According to CyberMDX, at least half of US hospitals have been victims of a cyberattack. In 2021, the number of cyberattacks on US hospitals peaked at 679, compromising the data of over 40 million patients. This includes medical reports, personal data, and general medical care maintenance.

While patient PII is the primary target for hackers, nation-state attacks are also common in healthcare. Evidence suggests that cybercriminals from countries like Russia and Vietnam frequently carry out cyberattacks on US hospitals to disrupt medication production or steal cutting-edge research. It's also not uncommon for medical companies to employ hackers to launch cyberattacks on rival hospitals to gain a competitive edge.

Is it common for healthcare facilities to experience cyberattacks?

Yes, and the likelihood of a hospital falling victim to a cyberattack is on the rise. Pew Research recorded at least 168 ransomware attacks on 1,763 hospitals and clinics across the US in 2020 and 2021. However, this figure may be an underestimate as many healthcare businesses choose not to disclose cyberattacks to safeguard their reputation and protect their patients.

Unfortunately, there's little you can do to protect your data in the event of a hospital cyberattack. The onus is on healthcare organizations to implement appropriate security measures to prevent ransomware attacks. However, you can advocate for stronger data protection measures within hospital management.

Can cyberattacks on hospitals result in patient deaths?

While extremely rare, a recent study by the Ponemon Institute found that cyberattacks on hospitals can lead to increased mortality rates due to significant delays in hospital processes. So far, there have been only two reported cases of "death by a cyberattack," one of which occurred in the US.

The severity of this issue is likely to escalate as cyberattacks are projected to surge until at least 2030. To safeguard their databases and patients, hospitals must begin investing in robust cybersecurity measures immediately.

