The Impact of Cyberattacks on Healthcare

Healthcare cybersecurity: the impact of Cyberattacks on Healthcare

While the COVID-19 pandemic brought much of the world to work together to advance medical research and slow the spread of the disease, it may be of little surprise that cyber threat actors took advantage of the pandemic for their own personal gain. 

While all industries can be affected by a cybersecurity incident, the nature of the health and human services industry’s mission poses unique challenges. 

The combination of strained technology budgets, ample amounts of sensitive information, and the devastating effects that cyber attacks can have on patient care has made the healthcare sector an especially valuable target for cybercriminals.

Worse yet, many organizations in the healthcare sector are simply underprepared to defend their networks against cyber attacks. 

This lack of readiness against cyberattacks is more than an inconvenience or a financial burden; it can impede critical services and put the health and wellbeing of patients at risk by affecting the continuity of care.

The worst part about cyberattacks on medical facilities is that many threat actors are likely very well aware of how their attacks affect the lives of people under the care of the healthcare sector, yet the need to protect human lives is outweighed by the financial gain and other motives.

This article looks at the impact of cybersecurity attacks on the healthcare industry with an overview of high-profile cyber incidents and the types of prevalent attacks against the healthcare industry.

7 Brutal Cybersecurity Attacks Against Healthcare Organizations

NHS Ransomware Attack Encrypts Patient Data

National Health Services ambulance

On May 12, 2017, the UK’s National Health Service was attacked by criminals using the WannaCry ransomware. These ransomware attacks exploited a vulnerability in computers running an old version of Windows without a security update to prevent a remote takeover. 

The malware encrypted the files on the host computers and demanded a $300 payment in Bitcoin. The cybercriminals warned victims that the $300 fee would double after three days, and in 7 days, all encrypted files would be deleted. 

The attack disrupted health services in hospitals across Britain. The NHS canceled approximately 19,000 appointments; radiology sessions, outpatient appointments, and elective admissions. Emergency ambulances were forced to be diverted to unaffected medical facilities.

To date, the WannaCry attack is the most widespread and expensive in NHS history. The NHS lost about £20M due to canceled appointments and spent around £72M on technology to recover data and improve the security of the existing infrastructure. 

Patient Dies After Düsseldorf University Hospital Cyberattacks

Healthcare providers in an operating room

A 2020 article from the BBC covers the first incident where a patient’s death was linked directly to a cyberattack.

In the incident a patient was scheduled to undergo critical treatment at Düsseldorf University Hospital until a ransomware attack disabled the systems that supported their medical devices.

Due to the newly limited capabilities to provide adequate care, the hospital was forced to transfer their patient to another hospital that was 19 miles (30 kilometers) away. The patient tragically died during the transfer.

The incident led German prosecutors to open a homicide investigation to determine if the threat actors could be held responsible for negligent homicide. If successfully prosecuted this could set a precedent for incidents like this one in the future.

United Health Services (UHS) Cyberattack

Yellow police tape that says "Cyber Crime" wrapped in front of a blue digital screen.

During the COVID-19 pandemic-induced global shutdown in 2020, cybercriminals pulled off several successful ransomware attacks on healthcare companies around the world. 

Over 500 healthcare companies reported a data breach or cyberattack during the period, and UHS was one of the primary victims.

The attack compromised critical infrastructure serving over 400 locations within and outside the US. This forced a shutdown to manage the exposure and remove the ransomware from the affected devices. 

Affected hospitals redirected ambulances and relocated people in need of surgery to other facilities nearby. This caused longer patient recovery and increased the risk of fatality. 

After the crisis, UHS posted a loss of $67 million due to the attack. Most of the losses come from the loss of business due to a temporary inability to run at capacity and the additional cost of hiring experts to rescue their systems and implement cybersecurity solutions. 

Premera Blue Cross Phishing Attack

Cybersecurity for Small Businesses with a Limited Budget

Health insurer Premera Blue Cross suffered a data breach in the Spring of 2014, but it was undetected until March 2015. 

When the breach was discovered and damages assessed, the company reported that about 10.4 million customers were affected. 

Names, physical addresses, dates of birth, email addresses, bank account information, Social Security numbers, and health plan clinical information were among the information stolen.

The cybersecurity incident was made possible when cybercriminals used a phishing email to trick an employee into installing malware on a company computer.

The Premera Blue Cross breach was the second largest at the time, and it had the second-biggest HIPAA settlement. In 2020, the firm was ordered to pay $6.85 million to settle a class-action lawsuit. 

The 2019 LifeLabs Data Breach

LifeLabs Data Breach

In October 2019, LifeLabs – Canada’s largest diagnostic test provider – disclosed that they fell victim to a malicious ransomware attack, causing the potential leak of sensitive personal information of 15 million customers. 

The compromised data potentially included names, addresses, emails, passwords, birth dates, health card numbers, and lab test results of LifeLabs customers.

This incident was unfortunately not the first in LifeLabs’ history. In 2013, the medical information of 16,000 LifeLabs patients in Kamloops, British Columbia went missing following the loss of a hard drive. 

For companies, a history of cybersecurity negligence may prove fateful in security compliance investigations.

An audit into the breach by B.C. and Ontario privacy commissioners found that LifeLabs collected more patient health information (PHI) than necessary and lacked adequate security policies and procedures to protect the patient data they were trusted with.

Community Health Systems Malware Attack

The Community Health Systems Malware attack is another sad story in the annals of the most severe cyberattacks on healthcare. 

In 2014, cybercriminals stole sensitive information belonging to 4.5 million customers of CHS. The data collected included social security numbers, patient names, addresses, birthdates, and telephone numbers. 

At the time of the attack, Community Health Systems had 206 hospitals in 29 states. Affected individuals who received treatment at CHS-operated hospitals sued the company for negligence in handling and protecting sensitive patient data. 

In the end, CHS paid $3.1 million to settle the class-action lawsuit along with extensive investment in bolstering their cybersecurity capabilities.

Newfoundland and Labrador Healthcare Sector Cyberattack

Aerial view of Newfoundland

Several security experts believe that the Newfoundland and Labrador healthcare cyberattack is the worst attack in Canada’s healthcare history. 

The cyberattack grounded Newfoundland’s healthcare system on October 30, 2021, disrupting medical appointments for critical and elective procedures. Health workers had to manually process those with emergencies and critical conditions. 

According to the authorities, the attack compromised the health records of virtually every patient in Newfoundland and Labrador. Further investigation revealed that the criminals stole the private details of healthcare providers, potentially compromising their safety. 

Investigators also revealed that the leaked data was unencrypted. This lack of a basic security control is a cause of great concern for patients that need to rely on healthcare facilities to protect their data.

These revelations caused a public and political commotion. It took a prompt response from the department of health to manage the impact of the cyberattack. 

However, the attack caused significant damage to the entire healthcare system, with patients experiencing the worst of it. Affected hospitals canceled the appointments of thousands of Newfoundlanders booked for non-emergency operations, cancer treatment, and diagnostic imaging sessions.

Since the government was tight-lipped on the nature of the attack and the aim of the cybercriminals, observers were unable to estimate the cost of the hack. However, it is clear that the incident disrupted Newfoundland and Labrador’s healthcare system for almost a month and forced the government to increase spending on cybersecurity for hospitals. 

Customer Spotlight: First Choice Health Protects Patient Data With CurrentWare

first choice health Case Study
Access Patrol has made our lives easy. We never have to worry about what may happen when someone plugs a device into our machines. -Nicolas Scheetz (IT Service Desk Supervisor, First Choice Health)
Read the Case Study

5 Alarmingly Prevalent Cyber Threats in Healthcare

Ransomware Attacks

What is Ransomware? How to protect your business
Learn how to protect your healthcare organization against ransomware

Ransomware is a type of malware programmed to restrict a victim’s access to their computer until they pay a ransom. In the case of hospitals, this malicious software restricts access to sensitive patient health data. 

Ransomware can damage a victim’s data files and cause financial loss from paying a ransom, loss of productivity, IT expenditures, legal bills, or network modification.

Cybercriminals use different tactics to deliver malware to target IT systems, including obtaining user credentials to log into enterprise systems using the Remote Desktop Protocol (RDP) and phishing campaigns. 

In the case of Premera Blue Cross, cybercriminals used a phishing email to get the hack tool into the company’s IT infrastructure.

With ransomware, cybercriminals exploit the sensitivity and urgency of healthcare to collect money from victims forcefully. Since healthcare organizations cannot afford to lose patient information due to the high risk of complications, they are prime targets for cybercriminals. 

According to CrowdStrike’s annual threat report, ransomware-related data thefts rose by 82% in 2021, and the company tracked over 50 incidents per week on average. 

Health Care Data Leaks

data leakage prevention - how to protect your data
Learn More: How to Prevent Data Leaks

Sensitive personal details such as personal health information (PHI) are valuable on the dark web. These details can be used to commit identity theft, take out credit cards under the patient’s name, and get expensive medical care in their name.

Even if the threat actors themselves do not use the records for these purposes, they can make up to $1,000 per record by selling the data to other people.

How Healthcare Data Leaks Occur:

  • Cybercriminals gain unauthorized access to IT systems to exfiltrate records
  • Insiders transfer PHI to a portable storage device
  • Lost laptops or portable storage hardware with unencrypted records
  • Accidental disclosure to unauthorized people via misaddressed emails or phishing

Stop Data Theft to Portable Storage Devices

AccessPatrol is a device control software solution that protects sensitive data against theft to portable storage devices.

AccessPatrol keeps data secure by…

  • Preventing users from stealing data or transferring malicious files with easily concealed USB flash drives
  • Maintaining auditable records of file transfers to portable storage devices, and…
  • Triggering real-time alerts when security policies are violated

AccessPatrol’s central console allows you to apply security policies and run reports on your user’s USB activities from the convenience of a web browser. 

The security policies are enforced by a software agent that is installed on your user’s computers. This keeps devices restricted and monitored even when the computers are taken off of the network.

Here’s an overview of AccessPatrol’s key features.

Under Device Permissions you can assign unique device control policies for specific groups of computers or users. 

AccessPatrol controls a variety of peripherals, including…

  • Storage devices such as USB flash drives and external hard drives
  • Wireless Devices such as Bluetooth, Infrared, and WiFi
  • Communication Ports such as Serial and Parallel ports
  • Imaging Devices such as Scanners or Cameras, and…
  • Other Devices such as network share drives, printers, and mobile phones

Under the allowed list you can specify trusted devices that can be used on your computers.

If you need to temporarily lift device restrictions for devices that aren’t on the allowed list, you can use the access code generator.

This allows you to set a time-limited policy exemption for a specific computer. The access code generator does not require internet access to work, making it the ideal solution for travelling users and other special circumstances.

To further protect sensitive data, AccessPatrol allows you to block file transfers based on file names and extensions. This ensures that even allowed devices can’t transfer sensitive data.

AccessPatrol also includes a variety of USB activity reports to help organizations audit data transfers and peripheral device use.

These reports provide insight into…

  • All files that have been copied, created, renamed, or deleted on USB storage devices, and…
  • A timestamped device history for each user, including attempts to use blocked devices

AccessPatrol’s reports can be generated on-demand, on a set schedule, or automatically sent to your inbox to alert you of specific events.

Don’t let a preventable data leak ruin your organization. Take back control over portable storage devices with a free trial of AccessPatrol.

Get started today by visiting CurrentWare.com/Download

If you have any questions during your evaluation our technical support team is available to help you over a phone call, live chat, or email.

Thank you!

USB security software is a critical tool for preventing data breaches to portable storage devices. Start protecting your sensitive data today with a free trial of AccessPatrol, CurrentWare’s USB control software.

Distributed Denial of Service (DDoS)

Diagram of a distributed denial-of-service attack

Distributed Denial of Service (DDoS) attacks are a common yet effective cyber attack used by cybercriminals to overwhelm a network to the point of inoperability. DDoS attacks are executed by sending excessive requests to an online platform to exhaust its bandwidth and cause a slowdown or total shutdown. 

For the health care sector, a DDoS attack may prevent access to critical tools such as services used for appointment scheduling, bed capacity planning, and data sharing. 

Such an incident happened to a Boston Children’s hospital in 2014; the DDoS attack reportedly knocked the Boston Children’s Hospital off the internet alongside several other hospitals in the Longwood Medical Area

The attack did more than take away the hospital’s ability to access its records; it hampered its research capabilities, disrupted communications with other healthcare facilities, and resulted in a loss of ~$300,000 in donations while its fundraising portal was disabled. 

Business Email Compromise and Phishing

Phishing Awareness: How to test your employees - CurrentWare
Learn the best practices for phishing awareness training

Phishing is a social engineering attack whereby a hacker tricks an unsuspecting target into performing a self-harmful action. 

Usually, the hacker poses as a reliable ally when sending the email and asks for a sensitive document, check clearance, money transfer, etc.

Sadly, health care staff are often unprepared to deal with phishing campaigns. 

A 2019 survey of healthcare staff in North America by antivirus company Kaspersky revealed an appalling lack of security awareness training for medical staff; almost a third of the respondents (32%) stated that they had never received cybersecurity training from their workplace. 

Similarly, a 2021 report by Osterman research showed that healthcare employee cybersecurity training needs improvement. Of those polled, 24% of healthcare workers stated that they had not received any security or privacy training from their employers.

Insider Threats

Insider threats - how to protect your data. CurrentWare
Learn More: Top 16 Tips for Preventing Insider Data Theft

This might be the most lethal threat to IT infrastructures and data in any industry. An insider threat would sabotage every effort to secure sensitive data and IT infrastructure. 

The term “insider threat” refers to individuals within the organization that can cause a data breach or system hack through their actions. They are typically sorted into one of two categories: Malicious and negligent.

Negligent insiders are employees that:

  • Fall victim to phishing and social engineering attacks
  • Non-maliciously break company policy to expedite processes
  • Unintentionally share sensitive data with unauthorized recipients (misaddressed emails, oversharing during conversations, etc)
  • Misplace printed documents and data storage devices that contain sensitive information

Malicious insiders are employees that:

  • Sell company IP to competitors for monetary gain
  • Get PHI from company databases and sell it to fraudsters on the internet
  • Are disgruntled and seek to cause damage to their employer by deleting data, breaking equipment, or otherwise sabotaging business processes.

A study by BusinessWire shows that almost three-quarters (74%) of organizations have experienced breaches because of employees breaking security rules.

data theft prevention - a guide to offboarding employees - CurrentWare

The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.

  • 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement
  • 88% of IT workers have stated that they would take sensitive data with them if they were fired
  • 72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer
  • 50% of respondents in a Symantec survey say they have taken information, and 40% say they will use it in their new jobs

These vulnerabilities need to be addressed as part of any insider threat management program. Click here to learn the best practices for protecting data during a termination and gain access to a downloadable IT offboarding checklist.

Conclusion

Healthcare providers need to take addressing cybersecurity vulnerabilities like insider threats, unpatched systems, malicious hackers, and unsecured IoT devices seriously.

The impact of cyberattacks on healthcare organizations is far-reaching and cannot be taken lightly; our hyperconnected world introduces a new reality for the healthcare sector, and they are duty bound to work towards a solution before data breaches occur.

While new tools to address the evolving cybersecurity landscape are beneficial, one thing that healthcare organizations must not lose sight of is the best practices for a foundational cybersecurity strategy.

Critical practices like regular cybersecurity awareness training, monitoring user activity for anomalies, taking and validating backups on a regular basis, restricting data egress points such as portable storage devices, blocking websites, encrypting sensitive records, limiting administrative access as much as possible, performing regular software updates, disabling default admin accounts, and performing regular IT security audits to identify any unaddressed vulnerabilities go a long way to protect the people in their care.


This article was co-written by Joseph Okondu

Dale Strickland
Dale Strickland
Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.
Get Your Free Removable Media Policy Template

Get Your Free Removable Media Policy Template

Download this FREE removable media policy template to help protect the sensitive data in your custody.

👉 Set data security standards for portable storage

👉 Define the acceptable use of removable media

👉 Inform your users about their security responsibilities

Here's Your Free Template!

Pin It on Pinterest