Cyberattacks in Healthcare: Consequences and Preparation
In late October 2020, federal government officials warned that a group of Russian hackers was planning to attack up to four hundred American hospitals and healthcare providers. Since then, the same hackers have allegedly breached over thirty separate entities, with several hospitals confirming cyber intrusions [1][2]. These attacks increasingly use ransomware, malicious software that threatens to either publish or permanently delete data unless the target organization pays a ransom [3]. Without the proper defenses, cyberattacks can paralyze a healthcare system, undermining and delaying patient care and other time-sensitive responsibilities. Especially with the greater critical care volume and reliance on telehealth during the COVID-19 pandemic, increased vigilance is necessary.
Ransomware and other cyberattacks have real-world consequences for healthcare providers. At best, targeted providers lose revenue to ransom payments, and their institutional reputation diminishes [5]. While the hackers await their payment, the target entity can become crippled. In the recent string of cyberattacks, targeted hospitals have reported disabled computer systems, diverted ambulances, and delayed surgeries [1]. Such interference from hackers can lead to reduced quality of care, higher risk of injury, or even death. In a widely publicized case, a German hospital was forced to turn away emergency patients after a cyberattack, which led to the death of a patient due to treatment delays [4]. As healthcare providers work with more patients and adopt new technologies, they will become increasingly vulnerable to hackers.
Nonetheless, providers and administrators can defend against and prepare for cyberattacks. Many cyberattacks succeed when one person makes a mistake. For example, in a phishing attack, an employee types their company credentials into a fake login page, allowing a hacker to access sensitive data. Alternatively, an employee might forget to update their work computer’s operating system. Old software can expose one’s computer—and the rest of the organization—to cyberattacks. Numerous sources, including the FBI and academic researchers, agree that employee training and individual prudence are key factors in averting cyberattacks [3][5][6][8]. Healthcare systems may benefit from training nurses in particular, since nurses frequently interface with patient data and medical records [7]. By training employees periodically, organizations can avert many attempted cyberattacks.
Individual preparedness can only go so far, and organizations can take further steps to prepare. Secure data backups can protect an organization against ransomware, preventing hackers from permanently deleting or sabotaging data [5][6]. Backups can allow providers to continue functioning during a cyberattack, but they do not protect patient data from unauthorized publication. By investing in up-to-date network technologies, an organization can build a robust network infrastructure that is secure by design [5][8]. Ultimately, these initiatives only work when senior management devote attention, planning, and resources to cybersecurity. Yet, across the healthcare industry, cybersecurity constitutes just three percent of the average facility’s IT budget, and just forty percent of C-level executives demonstrate an “in-depth understanding” of cybersecurity [6]. Given the disastrous consequences of a successful cyberattack, an entire organization—especially senior management—must prepare rigorously and extensively.
Hackers attack companies in every industry. Yet, the healthcare industry is built around personal medical information, which is up to 50 times more valuable for hackers than financial information [5]. As a result, every healthcare provider becomes a lucrative target for hackers. Research on and preparation for cyberattacks should be key goals for the healthcare field.
References
[1] Perlroth N. Officials Warn of Cyberattacks on Hospitals as Virus Cases Spike. October 28, 2020. Retrieved November 6, 2020 from https://www.nytimes.com/2020/10/28/us/hospitals-cyberattacks-coronavirus.html.
[2] Alert (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector. October 28, 2020. Retrieved November 5, 2020 from https://us-cert.cisa.gov/ncas/alerts/aa20-302a.
[3] Scams and Safety: Ransomware. (N.d.) Retrieved November 6, 2020 from https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware.
[4] Eddy M. and Perlroth N. Cyber Attack Suspected in German Woman’s Death. September 18, 2020. Retrieved November 5, 2020 from https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html.
[5] Kruse C. S., et al. Cybersecurity in Healthcare: A Systematic Review of Modern Threats and Trends. Technology and Health Care 2017; 25. DOI:10.3233/THC-161263.
[6] Abraham C., Chatterjee D., and Sims R. R. Muddling through Cybersecurity: Insights from the U.S. Healthcare Industry. Business Horizons 2019; 62. DOI:10.1016/j.bushor.2019.03.010.
[7] Kamerer J. L. and McDermott D. Cybersecurity: Nurses on the Front Line of Prevention and Education. Journal of Nursing Regulation 2020; 10: 4. DOI:10.1016/S2155-8256(20)30014-4.
[8] Alami H., et al. Digital Health: Cybersecurity Is a Value Creation Lever, Not Only a Source of Expenditure. Health Policy and Technology 2019; 8. DOI:10.1016/j.hlpt.2019.09.002.