By Dr. Darren Williams
There’s always a certain sense of outrage around cyberattacks, but few provoke as much ill-feeling as those targeting the healthcare sector. It doesn’t get much lower than threatening the privacy of medical patients or even putting their health at risk.
Unfortunately, many criminal gangs are not only happy to sink so low, but have made it a core part of their business model. Threatening the well-being of patients makes for a powerful bargaining chip in causing disruption and getting healthcare providers to pay up on blackmail demands.
These tactics seem to be paying off, as we see an escalating number of attacks targeting hospitals and other providers to the healthcare sector; the European Repository of Cyber Incidents recorded a 278% increase in incidents from 2022-23. We have also found that the healthcare industry experienced the highest number of ransomware attacks across all sectors for three consecutive months this year.
Beyond the financial and operational ramifications, these attacks also take a human toll, impacting patients as well as the medical practitioners and administrators who are faced with picking up the pieces following an incident. When the stakes are this high, stronger cybersecurity measures across the sector are more important than ever.
Impact on patient wellbeing
The most obvious impact of a cyberattack on the healthcare sector is the disruption to frontline patient care. A joint study between RUSI and Kent University found that serious ransomware incidents can have catastrophic consequences, even resulting in potentially life-threatening delays to patients’ treatment. Research from CISA has also found that diversions due to cyber incidents can decrease both survivability and recovery rates.
In the UK, the Qilin attack on pathology service provider Synnovis in June led to the cancellation of over 3,000 hospital and GP appointments across the NHS, directly disrupting vital services such as blood transfusions and diagnostic tests.
Additionally, ransomware attacks frequently impact systems managing patient data and appointment scheduling, leading to confusion and errors in patient management. Cancelled appointments must be rebooked into an often-overburdened healthcare system, further threatening patient safety and causing added stress.
Healthcare workers suffer too
Alongside the direct impact on treatment, these disruptions also cause significant frustration and distress for healthcare workers.
When digital systems are compromised, clinicians and administrators are forced to work under even further pressure, managing patient care manually or using temporary workarounds. Reports have found staff suffering from insomnia and PTSD-like symptoms in the wake of major incidents. This added strain can lead to burnout, reduced morale, and a decline in the quality of care. With healthcare systems already feeling the pressure, this additional stress is keenly felt.
Many data breaches also involve the theft of employee data alongside patient records, so healthcare workers may also face anxiety and frustration due to the potential exposure of their personal information as a result of these incidents.
The long-term harm to patient trust
Beyond the immediate operational disruption, ransomware attacks can cause lasting damage to public trust in healthcare systems when personal data is exposed, leaving victims open to further risk from identity theft, fraud or even direct blackmail attempts. With attackers now routinely combining encryption and data exfiltration, in a tactic known as double extortion, the risks of sensitive records falling into criminals’ hands are multiplying.
In one such case, Change Healthcare in the US fell victim to a ransomware attack by a group known as ALPHV / BlackCat, which threatened to publish an unprecedented 6TB of data on the darknet unless a $22m ransom was met. And with individual records selling for around $50 each on darknet forums, attacks can provide an extremely lucrative income for criminal groups alongside their ransomware demands.
Some threat actors have even used sensitive medical data to try to extort patients directly, as seen when notorious Finnish cybercriminal Julius Kivimäki attempted to blackmail 33,000 patients of psychotherapy company Vastaamo.
Treating the causes of healthcare cyberattacks
Cybercriminals know that, alongside holding stores of valuable, highly personal data, organisations in the health sector typically struggle with under-funding, and this makes them a particularly vulnerable target. Many healthcare providers lack the budget or bandwidth to update ageing legacy systems, leaving them with an IT environment that is riddled with outdated and vulnerable assets. Healthcare security is further complicated by the large number of contractors and third-party service providers constantly connecting online and on-site.
In lieu of a complete infrastructure overhaul, healthcare providers must focus on mitigating the impact of attacks. Tightening system access can be particularly impactful, and identity-based security measures such as multifactor authentication and least privilege access policies will ensure that only authorised personnel can access sensitive information. Adopting a Zero Trust approach, where every user, device and connection is presumed compromised until verified, will deliver even greater results. Identity controls like Zero Trust are also a strong fit with regulations covering the healthcare sector such as NIS2.
Stopping the symptoms from spreading
It’s impossible to be totally immune to a security breach, so healthcare providers must also be equipped to limit the impact when an incident does occur.
Endpoint detection and response (EDR) is essential in identifying unusual system activity as soon as possible. Next-generation firewalls add further security by enforcing identity-based policies in a more dynamic way than traditional manual methods of inspecting connections by port ID and IP address.
Additionally, anti data exfiltration (ADX) solutions are crucial in preventing sensitive data from being exfiltrated during an attack. This ensures that organisations do not have to deal with the protracted pain of data leaks stretching out months after the initial breach.
Healthcare providers must also focus on securing their external partnerships. This requires rigorous vetting of vendors’ security practices and continuous monitoring of their systems. Any identity and access management measures must apply equally to all third-party connections.
With attackers intent on stealing sensitive data and disrupting patient care, the human cost of healthcare cyberattacks is already massive, and it’s only going to increase. Protecting the well-being of patients and personnel demands strategies and tools that will mitigate the disruptive impact of ransomware and keep personal data out of the hands of ruthless criminal groups.