2020 was a year for the record books, and, when it comes to cyber crime in the healthcare sector, it was a real watershed. That’s why the Cyber Peace Institute’s report Playing With Lives: Cyberattacks on Healthcare are Attacks on People was so timely and relevant. This 2021 report provides an in-depth exploration of the victims, targets and impact of e-crime on the healthcare sector, its infrastructure, its workforce and, above all, its patients.
To appreciate how much the world has changed, you only have to take a look at some of the statistics offered up in the report.
“While cyberattacks made up only 4.6% of reported healthcare data breaches in 2010, they accounted for an estimated 58% of breaches in 2019. (Seh et al., 2020)"
It paints a bleak picture of a sector already stressed by lack of funding, doubly burdened by the weight of constant attacks. The rise in attacks from 2019 was a whopping 39%, according to the U.S. Department of Health and Human Services. Those at risk include everyone from small hospitals to the European Medicines Agency.
The report is fascinating, not only for the extensive research it prevents but also for the unique focus on the human cost of these cyber attacks. Read on for the highlights.
The COVID Effect & Why Healthcare is Under Attack
The COVID-19 pandemic, in particular, has spurred a rise in malicious activities around the healthcare sector. This is, in part, simply due to increased focus on the sector and a level of global importance never before seen—leading to the possibility of making more money exploiting it than ever.
COVID has also, according to the report, diminished the trust between the people and institutions, which destabilizes the confidence in the healthcare sector as a whole. There is a loss of trust as well between officials in the sector and governments, leading to widespread underreporting, which just exacerbates the lack of funding and resources in the sector, leading to an increase in attacks.
According to the Cyber Peace Institute’s report, healthcare is increasingly under attack owing to a combination of three factors:
– Healthcare services are critical to maintain as patient health depends on them. This has made hospitals a target of choice for digital extortion.
– Healthcare is the custodian of valuable and sensitive information, such as medical records and vaccine research, making it an attractive target for data theft and cyberespionage.
– Healthcare has found itself at the center of strategic inter-state rivalries due to the pandemic, which have spilled into malicious activities such as disinformation campaigns against the sector.
Ransomware’s Evolution in Healthcare
Ransomware is a favorite attack vector for threat actors targeting hospitals. The data that is at risk is so sensitive and so vulnerable, it makes the healthcare sector an ideal target for this type of attack. On healthcare organizations, however, the impact of ransomware attacks are particularly dangerous.
The first known ransomware attack on healthcare came with the AIDS trojan in 1989, and now these attacks number in the triple digits daily at many hospitals. Using double or even triple extortion consequences, criminals cooperate using their own commodified ransomware attack strategies to maximize reach with minimal effort. Meanwhile, the healthcare organizations suffer really costly disruption, losing access to medical records or having important devices obstructed, making them unable to care for their patients.
There are critics in the report that call for ransomware and cyberattacks against hospitals and health systems to be treated as a threat-to-life crime.
Unlike in other sectors, such as business or financial industries, the healthcare sector shows direct harm on human lives after being breached or attacked. These constant attacks (some hospitals report daily attacks numbering in the hundreds!) result in delays and operational issues that trickle down to the patients at the hospitals.
“We found that hospitals that had been breached, post-breach, over the next two, three years, saw increases in the 30 day mortality rate for their patients.”
-Vanderbilt University research findings, 2019 (Johnson, Eric; Dean at Vanderbilt Owen Graduate School of Management in BitSight).
With the healthcare sector, we are not dealing with bottom lines or theoretical business costs. The costs of cyberattacks in the healthcare sector are often human.
A Lack of Resources
These three incentives are accelerated by an endemic asymmetry in resources. Threat actors from criminal groups to state actors are well resourced, whereas the healthcare sector operates within an often complex, vulnerable, under-resourced, and outdated digital infrastructure.
“In their 2020 report, IBM reported that healthcare companies continued to incur the highest average breach costs at USD 7.13 million – an increase of over 10% compared to 2019 (IBM, 2020)."
The report makes it clear that the healthcare sector needs to improve their weaponry and defense against cyber attacks. The system is over-attacked and under-funded when it comes to cybersecurity. The vast majority of the sector suffers from a systemic lack of resources, needing more money for everything from securing infrastructure to training personnel.
What to Do Moving Forward
The problems highlighted in the Cyber Peace Institute’s report shows the need for tightened security in the healthcare sector. This sector deals with the most sensitive, personal data on the planet, making it attractive for threat actors. And the consequences of any breach in this sector are stark, often having human repercussions.
The report recommends a few different approaches to possible solutions:
– Document attacks and analyze their human and societal impact
This can be done via cooperation between academia and civil society, leveraging empirical research on the short and long-term impact of attacks.
– Improve healthcare preparedness and resilience
This can be done in several different ways. Governments and industries should come together to help improve the cybersecurity of the (often legacy) healthcare infrastructure. Improving preparedness and capacity for recovery is also essential.
– Activate technical and legal instruments to protect healthcare
The government is key in this response. The legal and normative ecosystem must be reinforced, and information and reporting must be shared.
– Hold threat actors to account
This is another response that must be led by governments—the rule of law must be strictly respected and applied. The systematic attribution of all types of cyberattacks would be a huge step.
Improving resilience can be done by building a complete cybersecurity strategy, using tools that give coverage where there has previously been little or none. The 2021 Cyberattacks in Healthcare Report is a fascinating read, so be sure to check it out and download it in its entirety here.