The threat of cyberattacks on healthcare facilities has taken on a new immediacy with the increased use of electronic communication during the pandemic. The issue of cybersecurity has rapidly risen to become a predominant concern for healthcare organizations, with profound implications for the nation as a whole.[a]
The issue is particularly concerning for healthcare, where cyberattacks can have a direct impact on patient care and the cost to remedy a breach is nearly three times as great as in other industries, says John Riggi, a 30-year veteran of the FBI.[b]
Unfortunately, healthcare gets hit more than other industries because its facilities have so much high-value data, including patient health information, financial information and social security numbers. Riggi observed that patient health information is much more valuable than a social security number on the dark web.
Attacks reach high prevalence
Among 641 healthcare security officials recently surveyed in a study by the Ponemon Institute, 89% said that their organizations had experienced 43 cyberattacks, on average, in the past year.[c] More than 20% of the organizations had experienced one or more of the four most common attacks: cloud compromises, ransomware attacks, supply chain disruptions and business e-mail compromises.
The survey respondents also reported that cybersecurity intrusions often caused delays in procedures and tests, with the potential to negatively affect patient health. Many said that they have experienced an increase in patient mortality rates as a result of cyberattacks.
Ransomware poses greatest threat
Ransomware can be particularly problematic in that it delays both tests and procedures and results in longer patient stays. Many IT experts regard ransomware as the most dangerous threat to the health and safety of patients in hospitals. Once a system is infected, the malware encrypts the health records, making them impossible to access.
Hospitals also have paid hefty ransoms in response to such attacks. The average ransom paid by U.S. healthcare organizations in 2019 was $910,335.[d] And payouts by other types of organizations have gone as high as $10 million.[e] But even when a hospital pays a ransom, it cannot be sure patient data is not still compromised.
Another common type of cyberattack that hospitals may experience is a distributed denial of service (DDoS) attack, in which the intruder attempts to overwhelm a website or network with internet traffic so that it can no longer function. This approach often relies on botnets, networks of compromised computers that the attackers can direct to mount the DDoS attack.
Mismatch between technology adoption and IT security budgets
An unfortunate combination of factors has increased healthcare organizations’ vulnerability to attack. Patient information is increasingly likely to be digitized, but hospitals have had difficulty increasing their IT security budgets commensurately. On average, no more than 7% of a healthcare provider’s annual IT budget is devoted to cybersecurity.
The financial pressure on hospitals increased dramatically during the pandemic, particularly during its early phases. Increasing numbers of patients turned to telehealth as a way to see their providers, which meant increasing numbers of patients were using digital systems. At the same time, the need to respond quickly to COVID-19 afforded hospitals neither the time nor the financial wherewithal to focus on shoring up the security of those digital systems.
CISA’s charge to find a remedy
The Healthcare CyberSecurity Act was introduced in the Senate in March 2022 and in the House in September. The bill would direct the Cybersecurity & Infrastructure Security Agency (CISA) to collaborate with the U.S. Department of Health & Human Services (HHS) to protect healthcare data from cyberattacks. The Senate bill directed that a federal study be completed after one year to provide more information on the threats to healthcare. Given the problem’s magnitude, with HHS reporting that 1 million patients are affected monthly, this directive comes none too soon.
While CISA advises against paying ransoms, hospitals and other providers often feel they have little choice but to comply with most ransom demands. A report issued by cybersecurity firm Sophos in May 2022 found that 61% of healthcare organizations that experienced a ransomware attack in 2021 felt compelled to pay.[f] The high likelihood of payment along with the substantial amounts that have been demanded make this a cycle that is hard to break.
The use of cyber-insurance also complicates the incentives to thwart cyber-intrusions: where institutions have sufficient coverage, paying the ransom becomes financially viable. However, many institutions that have cyber-insurance report having only partial protection, and more than 20% of organizations have no coverage at all. Further, the Sophos report noted that all covered organizations are finding it harder or more expensive to obtain coverage.
An intractable problem — for now
Even knowing who has carried out these attacks hasn’t been of much help. The U.S. government has warned hospitals of an aggressive campaign coming out of North Korea, and it has been reported that 30% of ransomware attacks on healthcare have been associated with Conti, a crime syndicate believed to be based in Russia. Yet the U.S. government’s limited ability to stop these actors elsewhere suggests it is not likely to have much success in stopping them here either.
For now, CISA has been directed to undertake a study to help clarify the amount of harm being inflicted and to assist in developing a set of workable solutions to an ever-growing problem. Healthcare organizations can only hope that help will be forthcoming. In the meantime, they must remain vigilant in keeping informed about this unprecedented threat.
a. See, for example, Reese, E., “Healthcare’s cybersecurity stakes reach alarming levels,” hfm, November 2022.
b. Riggi, J., “The importance of cybersecurity in protecting patient safety,” AHA Center for Health Innovation, 2022.
c. Ponemon Institute, Cyber insecurity in healthcare: The cost and impact on patient safety and care, Sept. 8, 2022.
d. Jercich, K., “Healthcare hackers demanded an average ransom of $4.6M last year, says BakerHostetler,” Healthcare IT News, May 4, 2021.
e. Fortra, “Average ransomware payouts shoot up 171% to over $300,000,” March 25, 2021.
f. Berry, M., “Ransomware attacks against health care organizations nearly doubled in 2021,” Thomson Reuters, July 5, 2022.