While the COVID-19 pandemic brought much of the world to work together to advance medical research and slow the spread of the disease, it may be of little surprise that cyber threat actors took advantage of the pandemic for their own personal gain.
While all industries can be affected by a cybersecurity incident, the nature of the health and human services industry’s mission poses unique challenges.
The combination of strained technology budgets, ample amounts of sensitive information, and the devastating effects that cyber attacks can have on patient care has made the healthcare sector an especially valuable target for cybercriminals.
Worse yet, many organizations in the healthcare sector are simply underprepared to defend their networks against cyber attacks.
This lack of readiness against cyberattacks is more than an inconvenience or a financial burden; it can impede critical services and put the health and wellbeing of patients at risk by affecting the continuity of care.
The worst part about cyberattacks on medical facilities is that many threat actors are likely very well aware of how their attacks affect the lives of people under the care of the healthcare sector, yet the need to protect human lives is outweighed by the financial gain and other motives.
This article looks at the impact of cybersecurity attacks on the healthcare industry with an overview of high-profile cyber incidents and the types of prevalent attacks against the healthcare industry.
On May 12, 2017, the UK’s National Health Service was attacked by criminals using the WannaCry ransomware. The ransomware exploited a vulnerability in computers running an outdated version of Windows that had not received the security update which would have prevented remote takeover.
The malware encrypted the files on the host computers and demanded a $300 payment in Bitcoin. The cybercriminals warned victims that the $300 fee would double after three days and that after seven days all encrypted files would be deleted.
The attack disrupted health services in hospitals across Britain. The NHS canceled approximately 19,000 appointments, including radiology sessions, outpatient appointments, and elective admissions. Emergency ambulances had to be diverted to unaffected medical facilities.
To date, the WannaCry attack is the most widespread and expensive in NHS history. The NHS lost about £20M due to canceled appointments and spent around £72M on technology to recover data and improve the security of the existing infrastructure.
A 2020 article from the BBC covers the first incident where a patient’s death was linked directly to a cyberattack.
In the incident a patient was scheduled to undergo critical treatment at Düsseldorf University Hospital until a ransomware attack disabled the systems that supported their medical devices.
With its ability to provide adequate care suddenly limited, the hospital was forced to transfer the patient to another hospital 19 miles (30 kilometers) away. The patient tragically died during the transfer.
The incident led German prosecutors to open a homicide investigation to determine whether the threat actors could be held responsible for negligent homicide. A successful prosecution could set a precedent for similar incidents in the future.
During the COVID-19 pandemic-induced global shutdown in 2020, cybercriminals pulled off several successful ransomware attacks on healthcare companies around the world.
Over 500 healthcare companies reported a data breach or cyberattack during the period, and UHS was one of the primary victims.
The attack compromised critical infrastructure serving over 400 locations within and outside the US. This forced a shutdown to manage the exposure and remove the ransomware from the affected devices.
Affected hospitals redirected ambulances and relocated people in need of surgery to other facilities nearby. This lengthened patient recovery times and increased the risk of fatalities.
After the crisis, UHS posted a loss of $67 million due to the attack. Most of the losses came from lost business during the temporary inability to run at capacity and from the additional cost of hiring experts to restore their systems and implement cybersecurity solutions.
Health insurer Premera Blue Cross suffered a data breach in the Spring of 2014, but it was undetected until March 2015.
When the breach was discovered and damages assessed, the company reported that about 10.4 million customers were affected.
Names, physical addresses, dates of birth, email addresses, bank account information, Social Security numbers, and health plan clinical information were among the information stolen.
The cybersecurity incident was made possible when cybercriminals used a phishing email to trick an employee into installing malware on a company computer.
The Premera Blue Cross breach was the second largest at the time, and it had the second-biggest HIPAA settlement. In 2020, the firm was ordered to pay $6.85 million to settle a class-action lawsuit.
In October 2019, LifeLabs – Canada’s largest diagnostic test provider – disclosed that they fell victim to a malicious ransomware attack, causing the potential leak of sensitive personal information of 15 million customers.
The compromised data potentially included names, addresses, emails, passwords, birth dates, health card numbers, and lab test results of LifeLabs customers.
This incident was unfortunately not the first in LifeLabs’ history. In 2013, the medical information of 16,000 LifeLabs patients in Kamloops, British Columbia went missing following the loss of a hard drive.
For companies, a history of cybersecurity negligence may prove damaging in security compliance investigations.
An audit into the breach by B.C. and Ontario privacy commissioners found that LifeLabs collected more patient health information (PHI) than necessary and lacked adequate security policies and procedures to protect the patient data they were trusted with.
The Community Health Systems Malware attack is another sad story in the annals of the most severe cyberattacks on healthcare.
In 2014, cybercriminals stole sensitive information belonging to 4.5 million customers of CHS. The data collected included social security numbers, patient names, addresses, birthdates, and telephone numbers.
At the time of the attack, Community Health Systems had 206 hospitals in 29 states. Affected individuals who received treatment at CHS-operated hospitals sued the company for negligence in handling and protecting sensitive patient data.
In the end, CHS paid $3.1 million to settle the class-action lawsuit along with extensive investment in bolstering their cybersecurity capabilities.
Several security experts believe that the Newfoundland and Labrador healthcare cyberattack is the worst attack in Canada’s healthcare history.
The cyberattack grounded Newfoundland’s healthcare system on October 30, 2021, disrupting medical appointments for critical and elective procedures. Health workers had to manually process those with emergencies and critical conditions.
According to the authorities, the attack compromised the health records of virtually every patient in Newfoundland and Labrador. Further investigation revealed that the criminals stole the private details of healthcare providers, potentially compromising their safety.
Investigators also revealed that the leaked data was unencrypted. The absence of such a basic security control is a cause of great concern for patients who need to rely on healthcare facilities to protect their data.
These revelations caused a public and political outcry. It took a prompt response from the department of health to manage the impact of the cyberattack.
However, the attack caused significant damage to the entire healthcare system, with patients experiencing the worst of it. Affected hospitals canceled the appointments of thousands of Newfoundlanders booked for non-emergency operations, cancer treatment, and diagnostic imaging sessions.
Since the government was tight-lipped on the nature of the attack and the aim of the cybercriminals, observers were unable to estimate the cost of the hack. However, it is clear that the incident disrupted Newfoundland and Labrador’s healthcare system for almost a month and forced the government to increase spending on cybersecurity for hospitals.
Ransomware is a type of malware programmed to restrict a victim’s access to their computer until they pay a ransom. In the case of hospitals, this malicious software restricts access to sensitive patient health data.
Ransomware can damage a victim’s data files and cause financial loss from paying a ransom, loss of productivity, IT expenditures, legal bills, or network modification.
Cybercriminals use a range of tactics to deliver malware to target IT systems, including logging into enterprise systems over the Remote Desktop Protocol (RDP) with stolen user credentials, and phishing campaigns.
In the case of Premera Blue Cross, cybercriminals used a phishing email to get their malware into the company’s IT infrastructure.
With ransomware, cybercriminals exploit the sensitivity and urgency of healthcare to extort money from victims. Because healthcare organizations cannot afford to lose access to patient information, given the high risk of complications to patient care, they are prime targets for cybercriminals.
According to CrowdStrike’s annual threat report, ransomware-related data thefts rose by 82% in 2021, and the company tracked over 50 incidents per week on average.
Sensitive personal details such as personal health information (PHI) are valuable on the dark web. These details can be used to commit identity theft, take out credit cards under the patient’s name, and get expensive medical care in their name.
Even if the threat actors themselves do not use the records for these purposes, they can make up to $1,000 per record by selling the data to other people.
Distributed Denial of Service (DDoS) attacks are a common yet effective cyber attack used by cybercriminals to overwhelm a network to the point of inoperability. DDoS attacks are executed by sending excessive requests to an online platform to exhaust its bandwidth and cause a slowdown or total shutdown.
For the health care sector, a DDoS attack may prevent access to critical tools such as services used for appointment scheduling, bed capacity planning, and data sharing.
Such an incident happened to Boston Children’s Hospital in 2014; the DDoS attack reportedly knocked the hospital off the internet, along with several other hospitals in the Longwood Medical Area.
The attack did more than take away the hospital’s ability to access its records; it hampered its research capabilities, disrupted communications with other healthcare facilities, and resulted in a loss of ~$300,000 in donations while its fundraising portal was disabled.
Phishing is a social engineering attack whereby a hacker tricks an unsuspecting target into taking an action that harms themselves or their organization.
Usually, the hacker poses as a trusted contact when sending the email and asks for a sensitive document, check clearance, money transfer, etc.
Sadly, health care staff are often unprepared to deal with phishing campaigns.
A 2019 survey of healthcare staff in North America by antivirus company Kaspersky revealed an appalling lack of security awareness training for medical staff; almost a third of the respondents (32%) stated that they had never received cybersecurity training from their workplace.
Similarly, a 2021 report by Osterman research showed that healthcare employee cybersecurity training needs improvement. Of those polled, 24% of healthcare workers stated that they had not received any security or privacy training from their employers.
Insider threats may be the most damaging threat to IT infrastructure and data in any industry, because an insider can undermine every effort to secure sensitive data and IT systems.
The term “insider threat” refers to individuals within the organization who can cause a data breach or system compromise through their actions. They are typically sorted into one of two categories: malicious and negligent.
Negligent insiders are employees that:
Malicious insiders are employees that:
A study by BusinessWire shows that almost three-quarters (74%) of organizations have experienced breaches because of employees breaking security rules.
The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.
These vulnerabilities need to be addressed as part of any insider threat management program.
Healthcare providers need to take cybersecurity vulnerabilities such as insider threats, unpatched systems, malicious hackers, and unsecured IoT devices seriously.
The impact of cyberattacks on healthcare organizations is far-reaching and cannot be taken lightly; our hyperconnected world introduces a new reality for the healthcare sector, which is duty-bound to work towards a solution before data breaches occur.
While new tools to address the evolving cybersecurity landscape are beneficial, one thing that healthcare organizations must not lose sight of is the best practices for a foundational cybersecurity strategy.
Critical practices go a long way towards protecting the people in their care: regular cybersecurity awareness training, monitoring user activity for anomalies, taking and validating backups on a regular basis, restricting data egress points such as portable storage devices, blocking websites, encrypting sensitive records, limiting administrative access as much as possible, performing regular software updates, disabling default admin accounts, and performing regular IT security audits to identify any unaddressed vulnerabilities.
This article was co-written by Joseph Okondu