Healthcare Cyber Attacks
21.10.2022
Cyberattacks in healthcare
Digitization in the healthcare sector is long overdue. It offers numerous opportunities, but also poses some challenges for businesses. For example, it inevitably provides a larger attack surface for cybercrime. Increasingly, unsecured medical devices are being used as a gateway for unauthorized access to hospital networks. However, not only large healthcare providers, but also doctors' offices, outpatient clinics and medical research facilities have been targeted by cyber attacks. Learn what makes healthcare organizations a popular target for cyber attacks and how healthcare organizations can protect themselves from cybercrime.
How widespread are cyber attacks in healthcare?
The 2019 Global Application and Network Security Report from Radware, an international provider of cybersecurity solutions, reveals that healthcare was the industry second most affected by cyber attacks in 2018. About 39 percent of medical businesses were exposed to cyber attacks daily or weekly. Only six percent of businesses said they had never been attacked. Among these, healthcare establishments perceived a significant increase in cyber attacks such as malware and bot attacks, as well as social engineering and DDoS attacks. It is true that the total number of ransomware attacks fell. However, these still hit healthcare the hardest.
Why is healthcare hit so hard by cyber attacks?
Money is one of the factors. Healthcare data is worth more on the darknet than credit card information in some cases. Also, the healthcare sector accounts for about 20 percent of the world's gross domestic product. Ransomware and DDoS attacks pose a serious threat to patients and healthcare providers. With their help, hackers are able to encrypt servers and systems and bring healthcare to a complete standstill. To get the system back up and running, the extortionists demand a ransom, which is often paid due to the serious consequences for healthcare.
After all, beyond the disclosure of sensitive patient data and the violation of personal rights, in the worst case even people's lives are at risk if critical medical equipment is disabled by cyber attacks. It is not without reason that, as mentioned before, healthcare data on the darknet is sometimes traded at a higher price than passwords and credit card information.
Experts believe this could have devastating financial consequences for the healthcare industry over the next five to six years. Consequently, those responsible are required to counter cyber attacks to the best of their ability and to increase IT security in individual companies.
Who bears the responsibility?
Although it is primarily the responsibility of manufacturers to ensure that medical devices provide the highest level of patient safety and have no security gaps and vulnerabilities, the primary responsibility for securing devices ultimately always lies with healthcare providers. So, a lack of knowledge in the workforce puts healthcare workers at high risk for cyber attacks. A survey of healthcare workers in the United States showed that around one-third of participants had never taken training in cybersecurity. In addition, about ten percent of the surveyed healthcare executives lacked any knowledge of their own facility's cybersecurity and policies.
But policymakers are also responsible. Legacy infrastructure and low IT budgets make healthcare a popular target for cyber attacks. There is an urgent need for upgrades here, and that costs money; money that operations don't have. The onus here is on policymakers to provide healthcare providers with the money they need to adapt IT security and patch existing vulnerabilities.
How can cyber attacks be prevented in the healthcare sector?
Investing in good IT security and its improvement is extremely worthwhile, especially for the healthcare sector. For instance, healthcare providers are required to take appropriate cyber security measures to protect patient welfare. These include the use of encrypted databases, authorization of personnel with clearly defined authority to access sensitive patient data, and regular security briefings that make employees aware of the dangers of cyber attacks.
Cybersecurity should no longer be an issue for the IT department alone. As technological innovations are on the rise in healthcare too, all those involved must be aware of the dangers of cyber attacks and be able to act quickly and appropriately in the event of emergencies caused by attacks.
To prevent this in the first place in any sphere, including healthcare, it is essential to continuously monitor IoT devices for any threats. Antivirus software and security patches can help. To remain capable of acting in the event of a failure, it is a good idea to always store important content in analog form as well. There are also increasing calls for an independent accreditation body to certify the safety of medical devices.
Medical technology must be protected not only in terms of IT security, but also in terms of application. Therefore, medical devices must be regularly checked for proper functioning.
What is the state of IT security in healthcare?
No industry is immune to cyber threats, but in healthcare the danger is particularly great.
Digital threats to healthcare and critical infrastructure as a whole have been on the rise for years. For example, the U.S. Department of Health and Human Services has issued an alert to the healthcare industry. It cites a new data-erasing malware discovered by ESET researchers called HermeticWiper as an example of an acute risk.
Hospitals and other healthcare providers in Europe should also be aware of these risks, as they have become an increasingly popular target for attacks and cybercriminals in recent years. A few months ago, the EU's cybersecurity agency ENISA reported that attacks on the healthcare sector increased by nearly 60% in 2020 compared to the previous year.
A recent study even claims that healthcare data thefts can increase the 30-day mortality rate of heart attack victims. A widely reported ransomware incident in Germany, which reportedly led indirectly to the death of a patient, demonstrated very clearly the impact virtual attacks can have on the real world when they take life-saving systems offline.
It is likely that these risks for healthcare will keep increasing in future, as European countries and healthcare organizations, due to the COVID-19 pandemic, increasing work from home offices and an aging population, are on a digitization drive. Taking steps to improve cyber resilience in the form of improved IT hygiene, better cyber threat detection and cyber incident response, is the path the healthcare sector must take now.
The healthcare sector is an important segment of critical national infrastructures (CRITIS) in Europe. According to recent estimates, it employs nearly 15 million people, or 7% of the workforce. Moreover, healthcare faces broad challenges, which arguably make it more vulnerable to cyber threats than any other sector. These include:
- Shortages of IT skills that exist across the industry, but healthcare often cannot compete with the higher salaries paid in other industries.
- The COVID-19 pandemic, which has put unprecedented pressure on healthcare staff, including IT security teams.
- Remote work, which also creates risks for healthcare employees due to distractions, unsecured endpoints and vulnerable/misconfigured remote access infrastructure.
- Adoption of clouds in healthcare that increase the attack surface. Many organizations in healthcare do not have the internal capabilities to manage and configure these environments securely, or do not understand their shared responsibility for security.
- Complexity of IT systems that has evolved
- Legacy IT infrastructure in general
- Large volumes of personal and healthcare data and a high cost to meet data protection requirements and regulations.
- IoT devices that are becoming more and more popular, such as for dispensing medications and monitoring patient vital signs. Many of these devices are unpatched and protected only with factory default simple passwords, making them vulnerable to attack.
- Networked devices, which include many legacy devices in medical equipment in hospitals, such as MRI scanners and X-ray machines. With the interconnectivity of these devices comes a risk of remote attacks on healthcare providers. Many of these devices are too vital to take offline for patching or have already passed their support deadline.
- Professional cybercriminals, who increasingly see healthcare organizations as easy targets because they are dealing with high numbers of COVID-19 patients. Patient data, which includes highly sensitive information and financial details, is a lucrative commodity for cybercriminals. Ransomware attacks are also more likely to force payment because hospitals cannot afford to be offline for long. Research hospitals may also hold highly sensitive healthcare information about upcoming medical treatments.
What can we learn from cyber attacks?
Over the years, there have been many serious attacks on healthcare organizations from which the industry can learn and improve its resilience.
The UK's National Health Service (NHS) was hit hard by the WannaCry ransomware worm in 2017 because healthcare authorities failed to patch a Windows vulnerability in time. An estimated 19,000 appointments and surgeries had to be canceled. This cost the health service £92 million (£72 million in IT overtime and £20 million in lost production).
The Irish Health Service Executive (HSE) was hit by the Conti ransomware group in 2021 after an employee opened a malware-laced Excel document in a phishing email. The attackers were able to go undetected for over eight weeks until they deployed the ransomware.
Among the lessons learned along the way:
- Antivirus software was set to "monitor" mode so malicious files could not be blocked.
- After suspicious activity was discovered on a Microsoft Windows domain controller, HSE failed to act decisively.
- The antivirus software failed to quarantine malicious files after Cobalt Strike was detected. Cobalt Strike is a tool commonly used by ransomware groups.
- HSE's security team (SecOps) advised a reboot of the server when informed of widespread threats at several hospitals.
Due to ransomware attacks on French hospitals in Dax and Villefranche-sur-Saône, patients had to be moved to other facilities during the COVID-19 pandemic. Telephone and IT systems had to be shut down and hospital staff had to take their notes with pen and paper.
In the face of increasing pressure, healthcare organizations must find a way to more effectively mitigate cyber risks without breaking the bank or impacting employee productivity. The good news is that many of the best practices from other areas of critical infrastructure work in the healthcare sector too. These include:
- Get an overview of the attack surface, including all IT assets, their patch status and configuration. A regularly updated configuration management database (CMDB) is useful here to catalog the inventory.
- Also, ensure these assets are properly configured and patched via ongoing, risk-based patch management programs.
- Build a strong line of defense against phishing by educating users on their network.
- Address supply chain risks through regular audits and monitoring.
- Implement identity and access management with multi-factor authentication (MFA) everywhere and establish a least privilege principle for access.
- Consider protecting networks using a zero-trust approach.
- Collect and analyze telemetry data from security tools across the environment for rapid incident detection and response.
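The first two practices in the list above (asset inventory and risk-based patching), as an added example that is not part of the original article: a small audit that ranks devices from a CMDB export and picks a mitigation, falling back to segmentation for devices that are out of support or cannot be taken offline. The column names, scoring weights, 90-day patch threshold and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample CMDB export (not real data); column names are assumptions.
CMDB_CSV = """asset,type,last_patched,support_end,default_password,can_go_offline
mri-01,MRI scanner,2019-03-01,2020-12-31,no,no
pump-17,infusion pump,2021-06-15,2026-01-01,yes,yes
ws-204,workstation,2022-09-30,2027-10-01,no,yes
xray-02,X-ray machine,2020-01-10,2021-05-01,yes,no
"""

def assess(row, today, max_patch_age_days=90):
    """Return (risk score, recommended actions) for one CMDB row."""
    patch_age = (today - date.fromisoformat(row["last_patched"])).days
    stale = patch_age > max_patch_age_days               # overdue for patching
    eol = date.fromisoformat(row["support_end"]) < today  # past vendor support
    default_pw = row["default_password"] == "yes"
    # Illustrative weights: unsupported or default-password devices rank highest.
    score = 2 * stale + 3 * eol + 3 * default_pw
    actions = []
    if default_pw:
        actions.append("change default password")
    if eol or (stale and row["can_go_offline"] == "no"):
        # No patch exists, or the device is too vital to take offline:
        # use compensating controls instead of waiting for a patch window.
        actions.append("segment and monitor")
    elif stale:
        actions.append("patch in next window")
    return score, actions

def audit(csv_text, today):
    """Rank all assets by descending risk score, then by name."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, actions = assess(row, today)
        results.append((score, row["asset"], actions))
    return sorted(results, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, asset, actions in audit(CMDB_CSV, date(2022, 10, 21)):
        print(f"{score:>2}  {asset:<8} {', '.join(actions) or 'no action'}")
```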
European healthcare organizations must comply with the EU Network and Information Security (NIS) Directive for continuity of services, with the General Data Protection Regulation (for data privacy) and all local laws and regulations. ENISA proposes that dedicated healthcare computer security incident response teams (CSIRTs) be established in each EU member state. In the meantime, however, healthcare organizations must act on their own. Without a secure IT foundation, healthcare will remain at the mercy of malicious threats and attacks.