Healthcare's Cybersecurity Dilemma: A Troubling Trend

Introduction

The healthcare industry is increasingly becoming a prime target for cyber criminals. Adversaries seek to exploit vulnerabilities in the healthcare industry and wreak havoc. The following article explores recent critical healthcare cyberattacks, explaining why the healthcare sector remains a prime target, and ways to protect yourself.

Selected Cybersecurity Case Studies in Healthcare

1.????? London’s NHS Cyber Attack – May/June 2024 (UK)

In a chilling example of the rising threat of cyberattacks, a major ransomware incident has caused widespread disruption at several hospitals run by the National Health Service (NHS) Trust in London (1).

The attack, believed to be orchestrated by the Russian hacking group Qilin, has left healthcare professionals scrambling to maintain critical services. Synnovis, a provider of essential lab services, was the initial target, with the attackers inserting malicious software into the company's IT systems, rendering them unusable (2).

The consequences have been severe, with hospitals forced to cancel procedures and redirect patients to other NHS facilities. A 70-year-old patient had their operation canceled, while a baby's kidney transplant was also postponed. This is a harsh reminder of the very real human toll that cyberattacks can take (2).

Ciaran Martin, the former chief of the UK's National Cyber Security Centre, has called this a "very, very serious incident" (2). Qilin, the group behind the attack, has a history of targeting organizations across the globe, including automotive companies, the Australian court system, and even the Big Issue, a publication supporting the homeless in the UK (2).

2.??? MediSecure – May 2024 (AU)

MediSecure, a provider of electronic prescription services in Australia, fell victim to a large-scale ransomware attack that is currently under investigation by the Australian Federal Police (3). A member of a Russian hacking forum claims to possess 6.5 terabytes of data, including insurance numbers, names, addresses, and other personal and financial details of thousands of Australians, which they are offering for sale at a price of $US50,000 (3).

The potential exposure of such vast amounts of sensitive medical information poses significant risks to individuals and highlights the urgent need for comprehensive cybersecurity strategies across the healthcare sector. It is crucial for healthcare organizations to remain vigilant and proactive in addressing cyber threats to protect patient data and preserve the integrity of the healthcare system.

Australia's national cybersecurity coordinator, Lieutenant General Michelle McGuinness, is collaborating with federal government agencies and states and territories to respond to this incident (3). Additionally, the Australian information commissioner is investigating whether MediSecure fulfilled its obligations under federal laws regarding data breach notifications (4).

3.????? Ascension – May 2024 (USA)

A recent cyberattack caused a disruption to clinical operations at Ascension, a major health care nonprofit in the United States, necessitating immediate action to minimize any impact on patient care. Ascension, which comprises 140 hospitals and 40 senior living facilities across 19 states, is actively assessing the scope and duration of the disruption while working to ensure patient safety and minimal disruption to care (5).

Unusual activity was detected on Ascension's computer systems, prompting a thorough investigation and notification to the appropriate authorities. As a precautionary measure, Ascension has advised its health care clients to temporarily sever network connections while the incident is being addressed (5).

While Ascension initiated procedures to maintain safe patient care delivery, the nonprofit remained committed to transparency if sensitive patient data were compromised. In such cases, affected individuals would be notified promptly. Further details regarding the nature of the incident, including whether it involved ransomware, were yet to be disclosed. The healthcare industry in the United States has experienced a surge in ransomware attacks in recent years, causing disruptions to patient care and significant financial losses for health care providers (5).

4.????? UnitedHealth’s Change Healthcare – Feb 2024 (USA)

UnitedHealth Group, the largest health insurer in the United States, revealed that hackers stole health and personal data from its systems in February, potentially impacting a substantial proportion of Americans. The breach occurred at its subsidiary, Change Healthcare, which processes approximately 50% of medical claims in the country. The incident ranks among the most severe cyberattacks in the American healthcare sector, causing significant disruptions in payment to doctors and healthcare facilities (6).

Despite UnitedHealth Group making a ransom payment of $US22 million, the breach still occurred (6). The compromised data contained protected health information and personally identifiable information (PII), which could potentially impact a significant number of individuals in the United States, according to an initial review. UnitedHealth Group emphasized its commitment to protecting patient data and has been collaborating with law enforcement and leading cybersecurity firms throughout the investigation (6).

5. ???? St. Vincent’s Health Australia – Dec 2023 (AU)

In a troubling disclosure, St. Vincent's Health Australia, the country’s largest not-for-profit health and aged care provider, confirmed that cybercriminals had stolen some of their data, despite the organization's immediate efforts to contain the incident and engage external security experts (7).

The attack was particularly concerning given the sensitive nature of the data held by healthcare providers and the potential impact on patient care and safety. As the acting national cyber security coordinator, Hamish Hansford, emphasized, the priority was ensuring the "health and safety of patients, residents and people, and the continuity of services for the community" (7).

Why the Healthcare Sector?

As the world has become increasingly reliant on digital technology, the scourge of ransomware has only grown more prevalent. Experts estimate there are 1.7 million ransomware attacks every day, with the annual global cost projected to reach a staggering $265 billion by 2031 (8).

According to research, nearly a quarter (23%) of all healthcare devices, particularly those used in imaging and surgery, have known security vulnerabilities that could easily be exploited by cybercriminals. Additionally, as many as 22% of hospitals connect their medical devices to guest WiFi networks, which are typically insecure. This practice potentially paves the way for hackers to access confidential patient data easily (8).

The study further indicates that 14% of medical equipment relies on outdated, unsupported operating systems. Since these legacy systems are no longer supported by the original vendors, they do not receive crucial software or security updates (8). These systems pose a significant concern, behaving much like untreated time bombs waiting to explode.

Specifically, the healthcare industry has become a prime target for cyber-attacks because of:

Valuable Data

Healthcare organizations hold a treasure trove of highly personally identifiable information (PII) and valuable data. The data includes patient records, financial information, and proprietary research data. The data is extremely lucrative on the black market, making healthcare organizations attractive targets for data breaches and cyber-attacks.

Outdated Infrastructure

Many healthcare facilities operate on legacy systems and outdated technology that are ill-equipped to withstand modern cyber threats. Cyberthreats become more advanced every day, making it possible for adversaries to exploit vulnerabilities in outdated tech infrastructure in hospitals. Tight budgets and the need to prioritize patient care often result in cybersecurity being overlooked or underfunded.

Remote Work and Telehealth

The rapid shift to remote work and the increased reliance on telehealth services during the pandemic have expanded the attack surface for cybercriminals. Unsecured home networks and devices used by healthcare workers create new vulnerabilities that bad actors can exploit. In addition, sharing computers and other tools of work at home increases the attack surface on healthcare.

Heightened Disruption Potential

Successful attacks on healthcare organizations can have devastating consequences, including the disruption of critical medical services, the exposure of sensitive patient data, and the potential for loss of life. This makes the healthcare sector an attractive target for ransomware groups and nation-state actors seeking maximum impact.

Lack of Cybersecurity Awareness

Many healthcare professionals lack cybersecurity awareness, which can be attributed to a combination of competing priorities, technical complexity, siloed responsibilities, inadequate training, complacency, organizational culture, and workforce challenges. Healthcare professionals are primarily focused on patient care, often relegating cybersecurity to a lower priority, compounded by the technical nature of the subject matter and a perception that it is solely the responsibility of the IT department. Limited training, a false sense of security, and a culture that fails to emphasize the critical importance of cybersecurity further exacerbate the issue.

How to Prevent the Attacks in Healthcare

The consequences of cyber-attacks on healthcare are far-reaching, compromising patient health and safety, eroding public trust, and inflicting significant financial and reputational damage on individuals and healthcare organizations.

To address this growing threat, healthcare leaders must prioritize cybersecurity as a strategic imperative. This includes investing in robust security measures, implementing comprehensive incident response plans, and fostering a culture of cybersecurity awareness among all staff. Contact Experts for help setting up robust cybersecurity posture as a strategic imperative against adversaries.

Adopting appropriate preventive measures can help healthcare organizations to significantly reduce the risk of cyberattacks, protect patient data, and ensure the continuity of critical healthcare services. Healthcare organizations must view cybersecurity as an ongoing process and continuously adapt to emerging threats and evolving best practices.

References

1.????? Cook, V. (2024). ‘Russian criminals’ behind hospitals cyber attack. BBC. https://www.bbc.com/news/articles/cxee7317kgmo

2.????? Milan, L., Lyngaas, S., & Raine, A. (2024). Some operations cancelled as cyberattack disrupts patient care at hospitals in London. CNN World. https://www.cnn.com/2024/06/04/europe/cyberattack-london-hospitals-intl-latam/index.html

3.????? Courty, A., & Atkin, M. (2024). Cyber security chief says MediSecure data breach is an ‘isolated’ attack but warns health data a prime target for cybercrime. ABC News Australia. https://www.abc.net.au/news/2024-05-17/cyber-security-chief-says-medisecure-data-breach-isolated-attack/103860120

4.????? Swan, D. (2024). MediSecure patient data up for sale on Russian hacking forum. The Sydney Morning Herald. https://www.smh.com.au/technology/medisecure-patient-data-up-for-sale-on-russian-hacking-forum-20240524-p5jggb.html

5.????? Lyngaas, S. (2024). Cyberattack disrupts operations at a major US health care network. CNN Business. https://www.cnn.com/2024/05/08/tech/cyberattack-disrupts-healthcare-network/index.html#:~:text=A%20cyberattack%20has%20disrupted%20%E2%80%9Cclinical,spokesperson%20told%20CNN%20on%20Wednesday.

6.????? Barsky, N. (2024). UnitedHealth paid hackers $22 million, fixes will soon cost billions. Forbes. https://www.forbes.com/sites/noahbarsky/2024/04/30/unitedhealths-16-billion-tally-grossly-understates-cyberattack-cost/

7.????? Kolovos, B. (2023). St. Vincent’s Health Australia says data stolen in cyber-attack. The Guardian. https://www.theguardian.com/australia-news/2023/dec/22/st-vincents-health-australia-hack-cyberattack-data-stolen-hospital-aged-care-what-to-do

8.????? Mitchell, S. (2024). Security brief Australia. https://securitybrief.com.au/story/australia-s-healthcare-sector-faces-escalating-cyber-threat#:~:text=The%20healthcare%20sector%20continues%20to,the%20data%20from%20the%20OAIC.

About the Author

Author: Sadique Kwatsima

Sadique Kwatsima is an ardent cybersecurity enthusiast and researcher at Enovise Group. He is passionate about Governance, Risk, and Compliance (GRC) in cybersecurity.

The opinions expressed in this article are based on research and professional experience.