The healthcare system in the United States has been facing an increased risk from cyberattacks in recent years.
In the past, cybersecurity experts have predicted this rise, warning the US government has not been taking the threat seriously enough as patients face risks to their privacy and cyber intruders have increased ways to run amuck in the nation’s health system.
Cyber Spike
FBI data tracking internet crime in 2023 found that the healthcare industry had the highest number of organizations falling victim to ransomware attacks.
The number of ransomware attacks almost doubled in one year from 2022 to 2023. The data suggests that hospitals are attractive targets for ransomware because they are more likely than other organizations to make payments to get critical patient data back.
Why are Hospitals More at Risk?
In addition to hospitals having a trove of valuable data, the way hospitals are budgeted often leaves little resources for cyber security.
Also, many hospitals rely on the use of older equipment and outdated computer software out of necessity. Sometimes critical equipment can only run with certain versions of operating systems, making the upgrade process tricky.
Interconnectivity
As the world becomes more connected through network and internet-based technology, this leaves the healthcare system with one foot in, and one foot out.
“Unfortunately, the unintended consequence of the use of all this network and internet-connected technology is it expanded our digital attack surface,” said John Riggi, cybersecurity adviser for the American Hospital Association. “So, many more opportunities for bad guys to penetrate our networks.”
Recent Attacks
This past November, a massive ransomware attack targeted a healthcare company that operates 30 hospitals and around 200 health facilities in the country.
The attack disrupted services in several states, causing doctors to postpone surgeries and divert critical emergency room patients until the issue could be resolved. These doctors were unable to get access to critical information related to patient care.
Adversarial Mindset
Erik Decker, vice president and chief information security officer at Intermountain Health, recently argued in a virtual event that the healthcare industry needs to confront cyberattackers with an “adversarial mindset.”
“[Criminals] have a big desire to make a lot of money, or as much money as they can, in a specific time frame,” said Decker, describing the problem with sophisticated threats from cyber intruders.
Cyber Health Conference
The Intermountain Health conference featured many experts, who each spoke about how the rise in cyberattacks is affecting them.
“Cyber incidents are not just about losing data anymore. They’re about losing patients’ confidence, undermining safety and impacting care delivery and lives,” said Vugar Zeynalov, chief information security officer of the Cleveland Clinic Health System.
Limiting Surface Area
As more hospital and patient data becomes integrated through internet technologies like cloud computing, experts are advocating to reduce the points of failure as much as possible.
“What you’re trying to do is really limit the overall blast radius of the breach,” said Marc Maiffret, chief technology officer of BeyondTrust, a company that helps companies protect themselves from cyber-attacks.
Embracing the Cloud
Last year, GHX reported that by 2025, it is predicted that nearly 70% of all hospitals and health systems will have adopted a cloud-based approach to supply chain management.
96% of US hospitals have successfully switched from paper to electronic medical records systems.
Three Ways of Infiltration
Decker explained in the conference the three primary ways that attacks are successfully infiltrating hospitals and care networks.
“The first way is through social engineering. So, it’s the phish. It’s the malware dropper on an email that you get through a click,” said Decker.
Misconfigured System
The second way that systems are exploited has to do with an improperly set or misconfigured system with access to the internet. Cybercriminals can find and exploit weaknesses to gain access to the system.
In late 2018, a database misconfiguration exposed nearly 1 million patients of UW medicine to vulnerability.
Remote Access
The third way the health industry is getting attacked digitally is through connections to third parties and remote access points.
“Pretty much every single ransomware attack that you’ve seen or heard about in the news, one of those three ways was the initial intrusion point,” said Decker.
