Danger & Opportunity | Healthcare’s Cyber Crisis

Healthcare’s Cyber Crisis

Alarming Increase of Ransomware Attacks

Ransomware hacks, in which attackers encrypt computer networks and demand payment to make them functional again, have been a growing concern for both the private and public sector since the 90s. But they can be particularly devastating in the healthcare industry, where even minutes of downtime can have deadly consequences and have become ominously frequent.

The number of ransomware attacks on healthcare organizations increased 94% from 2021 to 2022, according to a report from the cybersecurity firm Sophos. More than two-thirds of healthcare organizations in the US said they had experienced a ransomware attack in 2022, the study said, up from 34% in 2021. Ransomware attacks on healthcare are particularly common in the US, with 41% of such attacks globally having been carried out against US-based firms in 2022.

Devastating Consequences

Ransomware hacks have caused major healthcare disruptions, including delayed chemotherapy treatments and ambulances being diverted from a San Diego emergency room after computer systems were frozen. In 2022, a lawsuit filed by the mother of a baby who died in Alabama alleged the first “death by ransomware”, blaming a 2020 hack of a hospital for fatal brain damage of the newborn after heart rate monitors failed.

The possibly devastating consequences for medical facilities may be one of the reasons hackers have identified them as a high-profile target. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” said an advisory from Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

CISA and others advise hospitals against paying ransoms, but providers often feel they have no choice, said Barak. In 2022, 61% of healthcare organizations that suffered a ransomware attack paid the ransom – the highest percentage of any industry sector.

Ever Increasing Threats

In the recent past, many attacks have been carried out by private groups of criminals, experts say: in the third quarter of 2022, 30% of ransomware attacks on healthcare entities were carried out by Conti, a crime syndicate thought to be based in Russia. But more recently, nation states have preyed upon the healthcare industry’s vulnerabilities including North Korea and Iran.

The North Korea incident revealed last week is just the latest state actor to orchestrate ransomware attacks on health care organizations after the FBI revealed in June it had thwarted an attack from Iran on a Boston Children’s hospital.

Healthcare’s Unique Vulnerability

The healthcare industry has been hit by a perfect storm of factors that have escalated the ransomware problem, experts say: patient information is increasingly being digitized as hospitals struggle with small internet security budgets.

In 2009, the Obama administration passed a bill requiring all public and private healthcare providers to adopt electronic medical records by 2014, resulting in a massive migration of paper patient records to online systems. But today, just 4% of the average healthcare provider’s annual IT budget is focused on cybersecurity.

A National Security Threat

Legislators are attempting to fill in those gaps. In May, Senator Patty Murray of Washington led a hearing on strengthening cybersecurity in the healthcare and education sectors, saying that the US “needs to address cybersecurity attacks and ensure they are treated like the national security threat they are”.

In March 2022 the Senate introduced a bipartisan bill called the Healthcare Cybersecurity Act, which would direct CISA and the Department of Health and Human Services (HHS) to collaborate on a plan to bolster cybersecurity measures among healthcare and public health organizations.

Help Is On The Way

The state of Oregon also has legislation pending to provide funding for cyber security. Additionally, Oregon community colleges and universities are developing cyber security curriculum for a new generation of cyber security professionals.

If you’d like to learn how to protect your company with elite cybersecurity, please click on the link below to fill out our short, free cybersecurity questionnaire. Your input will give us a baseline to generate a cybersecurity program unique to your organization: