Cyberattacks continue to plague the healthcare sector. During the first half of 2023, health system cyberattacks have impacted more than 36 million people compared to 44 million in 2022. The attacks on this vulnerable industry are worsening at a frightful pace. In recent weeks, John Riggi, National Advisor for Cybersecurity and Risk for the American Hospital Association, has reported an increase in high-impact ransomware events. Moreover, IT leaders report that the consequences for patient care increasingly include canceled procedures and surgeries, unavailable test results, ambulance diversions for emergency care, and the need to shut down systems, all of which expose patients to harm.
The US healthcare industry is consistently a prime target for cyberattacks. Stolen medical records give hackers vast amounts of valuable information. Gaining access to names, birth dates, addresses, and Social Security numbers is like winning the lottery for cybercriminals. In addition, the healthcare industry makes itself even more appealing by prioritizing its investments in operations and medical equipment over funding cybersecurity. Together, these factors leave systems vulnerable and give cybercriminals an opportunity to easily pick that enticing and accessible “low-hanging fruit.”
Five common types of cyberattacks and their impacts on patients, providers, payers, researchers, and others are defined below.
Phishing is sending fraudulent emails that appear to come from legitimate sources, such as hospitals, health insurance companies, or government agencies. The goal is to trick recipients into clicking on malicious links and attachments or providing personal or financial information.
Ransomware is malware that encrypts the target’s data or systems and demands a ransom for the decryption key. Ransomware can cause significant disruption and damage. Healthcare organizations may lose access to critical patient records, medical devices, or network services, causing substantial trouble and risk.
Data breaches involve the unauthorized access or disclosure of sensitive data, such as patient records, research data, or financial information. Data breaches can have serious consequences for healthcare organizations, including legal liabilities, regulatory fines, reputational damage, and loss of trust. Data breaches can result from cyberattacks, insider threats, human errors, or system failures.
Malware is a general term for any malicious software that can harm systems or data, including viruses, worms, trojans, spyware, adware, rootkits, and more. Various delivery methods, such as phishing emails, removable media, and web downloads, can be used to infect vulnerable healthcare networks.
Distributed Denial of Service (DDoS) attacks aim to overwhelm systems with a large volume of traffic or requests, which can disrupt the availability and performance of healthcare websites, applications, or telehealth platforms. DDoS attacks can also be a diversionary tactic to hide other malicious activities.
While hackers disrupt healthcare operations and compromise patient care, healthcare workers themselves can unknowingly contribute to a cyber event through their actions or inactions. Yes, human error fuels risk, and risk compromises security. For example, workers who access organizational systems or data from remote locations can create opportunities for cyberattacks if they do not use secure connections, devices, or passwords.
Remote healthcare workers might be more vulnerable to phishing emails, malware, or device loss. Healthcare workers who interact directly with third-party vendors may create exposure to cyberattacks if they do not verify the identity and security of the vendors. Third-party vendors could have access to sensitive data or systems that might become compromised by hackers or malicious insiders. Vendors certainly can unknowingly introduce vulnerabilities into the organizational network or devices.
Finally, healthcare workers who lack training or are unaware of their organization’s cybersecurity policies and best practices may create exposure to cyberattacks. Unaware workers might use weak or shared passwords, click on suspicious links or attachments, download unauthorized software or applications, or disclose confidential information to unauthorized parties. To reduce the chances of exposure, healthcare organizations should implement comprehensive and continuous cybersecurity training programs for their workers, along with strict security policies and controls for remote access and third-party vendors.
Cyberattacks on healthcare can have severe and potentially fatal consequences. To prevent or mitigate the impacts listed here, healthcare organizations should implement robust cybersecurity measures and practices, such as conducting risk assessments, updating software and systems, training staff, encrypting data, and backing up data.
Cyberattacks can prevent or hinder healthcare workers from accessing electronic health records, diagnostic tools, communication systems, or medical devices essential for providing timely and quality patient care. For example, cyberattacks can cause ambulance diversions, cancel surgeries, interrupt radiation treatments, or disable life-support machines.
Cyberattacks can increase the risk of death for patients affected by the disruption or delay of care. According to a study by the Cybersecurity and Infrastructure Security Agency (CISA), hospitals that experienced cyber events were also more likely to experience hospital strain, worse health outcomes, and increased mortality.
Cyberattacks can expose or steal sensitive patient data. Theft of a patient’s medical history, personal information, financial details, or insurance information can lead to hardships, including identity theft, fraud, blackmail, or discrimination against affected patients.
Cyberattacks can result in significant financial losses for healthcare organizations because of ransom payments, recovery costs, legal fees, regulatory fines, or lost revenue.
Healthcare cybersecurity matters more than ever in 2023. The healthcare sector faces many obstacles as it strengthens its cyber defenses and security posture. These barriers include inadequate resources, staff, training, and awareness. Also, the complexity and diversity of the sector, the regulatory landscape, and legacy systems all contribute to the challenge of maintaining a safe and cyber-secure environment. Healthcare organizations must embrace a cybersecurity strategy that covers all operations and represents all stakeholders, with support that starts with executive leadership and the board of directors.