As cyberattacks have increased in recent years, an area of particular concern has been those who go to hospitals and health systems. These attacks have affected not only private information, but have also threatened the lives and well-being of patients.
A major change
Hospitals rely more than ever on computerized systems to manage their information and systems. With the additional complications related to the COVID-19 pandemic, the dangers associated with cyberattacks have only gotten worse.
“It is part of a trend that we have seen growing in the last two years, even before the pandemic.” said Scott Shackelford, President of the IU Cybersecurity Risk Management Program. Unfortunately, healthcare providers are being targeted. Not only do they tend to have insurance and deep pockets, but physicians need access to patient information to perform procedures and provide required services.
Because of this vulnerability and urgency, Shackelford said: “They are more likely to pay.”
“If you look at the surveys that have been conducted, approximately one in three healthcare providers has been affected by ransomware attacks since 2020 alone, and there has been a 45 percent increase in that rate since last December.” Shackelford added.
A recent attack, at Johnson Memorial Health in Franklin, Indiana, disabled his computer system. Although the hospital said it could still manage patient admissions, the loss of computer capabilities slowed operations dramatically.
“We are used to submitting lab orders via computer, to submitting prescriptions to pharmacies via computer, so we’re really going to be relying on paper again,” said Johnson Memorial President and CEO David Dunkle. “We are using more human corridors, people doing lab recitations between the ER and the lab.”
Hospitals have been slow to respond
Although there have been important technological advances in the medical field, not all health systems have provided robust IT equipment or comprehensive security protocols. An important aspect is new medical devices, which take years to obtain FDA approval and can include outdated software and operating systems without the latest security mechanisms.
This has given hackers the ability to disabling medical imaging devices such as MRIs. They can then shut down or interfere with the machines. A recent study The McAfee Enterprise Advanced Threat Research team discovered that an IV pump created by German medical manufacturer B. Braun possessed a susceptibility that would allow hackers to change drug doses remotely.
And while traditional phishing attacks require the user to open a corrupted file, a trend that is now declining, new attacks can use so-called Zero Click malware, which can infect a system simply by receiving a text message or email.
Additionally, sensitive data held by healthcare systems gives hackers the opportunity sell this information online – or threatens – with lawsuits amounting to millions of dollars. After an American law of 2009 It was passed requiring Medicare and Medicaid providers to implement electronic medical records, these risks have only accelerated.
Life or death circumstances
Hospitals are now seeing not only the financial risks of cyberattacks, but also the threat to the lives of their patients.
In July 2019, Springhill Medical Center faced a massive ransomware attack that disabled your electronic devices. This failure created extreme circumstances for a baby, which made doctors unable to monitor the child’s condition during delivery. The baby died and the mother is suing the hospital for negligence, a charge Springhill denies.
Another attack in Düsseldorf, Germany in 2020 saw the death of a 78-year-old woman of an aortic aneurysm. What was supposed to be a routine pickup turned into a nightmare when the local hospital system was deactivated by a ransomware attack, forcing the emergency department to turn the woman away and causing the ambulance to travel much further. . During this time, the patient’s condition worsened and she eventually died.
How much worse can it get?
In mid-August 2021, 38 attacks on providers or health systems had interrupted care across about 963 US locations For all of 2020, only 560 sites were affected in 80 separate incidents, according to Brett Callow, a threat analyst at security firm Emsisoft.
With the vast amount of data and equipment in each of these healthcare facilities, as well as the connected networks of many systems, the threat of cyberattacks in healthcare will continue to grow unless more action is taken.