A ransomware attack took down the UK’s National Health Service in 2017. This attack was a wake-up call to healthcare organizations around the world. As COVID-19 cases stretched and continue to stretch hospital capacity to the limit, we have a constant reminder of how critical our healthcare infrastructure is. How large is the cybersecurity threat to healthcare and how are healthcare administrators responding?
The World Economic Forum reported in November 2021 that over 10 million records of every type have been stolen, including social security numbers, patient medical records, financial data, HIV test results and private details of medical donors. On average, 155,000 records are breached during an attack on a healthcare provider, and the number can be far higher, with some incidents reporting the breach of over 3 million records.
The U.S. boasts an average of 10-15 networked medical devices per hospital bed, meaning large healthcare organizations face the herculean task of securing tens of thousands of medical devices. Healthcare information is far more lucrative than credit card information. Criminals can garner anywhere from $10 to $1000 per stolen medical record, depending on its completeness. There are many vulnerable places to attack and strong financial incentives to try.
It isn’t always about the dollars. Imagine being in an ambulance that is diverted because a cyberattack has caused chaos at the local emergency department. This is not a hypothetical situation. Fifteen percent of ransomware attacks led to patients being redirected to other facilities and 20% caused appointment cancellations with some services being disrupted for months.
What To Do?
There is a general consensus that these attacks are too big and too impactful for individual organizations to solve alone. The World Economic Forum feels governments must take proactive steps to protect against the cybersecurity threat to healthcare. Improving the capacity of national law enforcement to act in extraterritorial cases holds more ransomware criminals responsible. The international cooperation of governments in both the investigation and prosecution of these criminals is critical.
Cybersecurity spending can be hard for the individual healthcare administrator to justify when faced with other competing priorities. The growth of remote care during the pandemic, along with remote work, has created even more vulnerable potential targets for hackers. Simple phishing emails are handled with live scanning technology that checks the URL and blocks it if it has previously been determined to be malicious. Healthcare organizations are using lunch-and-learns to train their staff on how to set up their social media privacy controls appropriately. Another firm sends out a weekly newsletter that explains what is happening in the world of ransomware. They find their vice presidents have an appetite to understand the cybersecurity threat to healthcare and, as a result, become more concerned about it.
Joey Johnson, Premise Health CISO, said in a recent WSJ article, “Even if my CFO said, ‘Here’s $50 million. Go hire all the people you want,’ it’s very challenging to get those qualified people. So you kind of have a really difficult, perfect-storm situation where existing resources are more stressed out, the threat level is increasing, and it’s hard to resource the problem away.”