Digital Danger: How Cyberattacks Put Patients at Risk

On September 27, 2024, UMC Health System in Lubbock, Texas, experienced an IT outage because of a cybersecurity incident that temporarily diverted patients to other healthcare facilities. So far, in 2024, there have been 386 cyberattacks on healthcare organizations. These high-impact ransomware attacks disrupt and delay patient care.

In recent years, many healthcare systems, including Scripps Health, Universal Health Services, Vastaamo, Sky Lakes, and the University of Vermont, have paid millions — even tens of millions — to recover data after a cyberattack or data breach. When healthcare systems come under cyber fire, the impact extends far beyond disrupted workflows and compromised data: patient safety can also be compromised, vital information may be lost, and imaging and lab results can go missing or be held for ransom, making physicians’ jobs difficult or impossible.

In fact, cyberattacks on hospitals are far more common than you may realize. A new report issued by Ponemon and Proofpoint found that 92% of healthcare organizations have experienced a cyberattack in the past 12 months. Even more sobering is that about half of the organizations affected suffered disruptions in patient care.

Healthcare Systems = ‘Soft Targets’

Healthcare systems are a “soft target” for hackers for several reasons, pointed out Matthew Radolec, vice president, incident response and cloud operations at Varonis, a data security company. “One, they’re usually an amalgamation of many healthcare systems that are interconnected,” said Radolec. “A lot of hospitals are connected to other hospitals or connected to educational institutions, which means their computer vulnerabilities are shared ... and if they have an issue, it could very easily spread to your network.”

Another factor is the cost of securing data. “[With hospitals], they’ll say that a dollar spent on security is a dollar not spent on patient care,” said Radolec. “So the idea of investing in security is really tough from a budget standpoint…they’re choosing between a new MRI machine or better antivirus, backups, or data security.”

Because of the wealth of private data and healthcare information they maintain, hospitals are considered “high impact” for cybercriminals. Attackers know that if they get a foothold in a hospital, it’s more likely to pay — and pay quickly, Radolec told this news organization. Hospitals are also likely to have cyber insurance to help cover the cost of having their data stolen, encrypted, and ransomed.

The 2024 Microsoft Digital Defense Report also found that the bad actors are more sophisticated and better resourced and can challenge even the best cybersecurity. Improved defenses may not be good enough, and the sheer volume of attacks must be met with effective deterrence and government solutions that impose consequences for cybercriminals.

Vulnerable Users

Whether through a phishing email or text, password attack, or web attack, “the moment a ‘threat actor’ gets into your institution and gets credentials ... that’s the Nirvana state of a threat actor,” warned Ryan Witt, chair of the healthcare customer advisory board and vice president of Industry Solutions at Proofpoint, a cybersecurity platform. “They have those credentials and will go into deep reconnaissance mode. It often takes healthcare up to 6 months to even ascertain whether somebody’s actually in the network.” During that time, the hacker is learning how the institution works, what job functions matter, and how best to plan their attack.

“Attackers are getting in because they’re buying databases of usernames and passwords. And they’re trying them by the millions,” added Radolec. “For a sophisticated actor, all it takes is time and motivation. They have the skills. It’s just a matter of how persistent they want to be.”

Certain hospital staff are also more likely to be targeted by cyberhackers than others. “About 10% of a healthcare organization’s user base is much more vulnerable for all sorts of reasons — how they work, the value of their job title and job function, and therefore their access to systems,” said Witt.

High-profile staff are more likely to be targeted than those in lower-level positions; the so-called “CEO attack” is typical. However, staff in other hospital departments are also subject to cybercriminals, including hospice departments/hospice organizations and research arms of hospitals.

The Impact of Cyberattacks on Patients

Physicians and healthcare execs may have considered cybersecurity more of a compliance issue than a true threat to patients in the past. But this attitude is rapidly changing. “We are starting to see a very clear connection between a cyber event and how it can impact patient care and patient safety,” said Witt.

According to the Proofpoint report, cyber breaches can severely affect patient care. In 2024:

  • 56% of respondents saw a delay in patient tests/procedures
  • 53% experienced increased patient complications from medical procedures
  • 52% noted a longer patient length of stay
  • 44% saw an increase in patient transfers to other facilities
  • 28% had an increase in mortality rate

What Hospitals and Physicians Can Do

Fortunately, hospitals can take measures to better protect their data and their patients. One strategy is segmenting networks to limit the data or systems any one person or system can reach. Educating staff about the dangers of phishing and spoofed emails also helps protect organizations from ransomware attacks. Having staff avoid reusing passwords and update logins and passwords frequently helps as well.
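The credential-stuffing pattern Radolec describes above (purchased username/password lists tried "by the millions") leaves a recognizable trace in authentication logs: one source address failing against many different accounts in a short window, sometimes followed by a success where a reused password worked. The following is an added example, not code from the article or from Varonis or Proofpoint, showing how a hospital's security team could flag that pattern in its own logs. The log line format, the field names, the sample entries, and the thresholds (five failures across at least three distinct accounts within five minutes) are all assumptions constructed for this illustration.

```python
"""
Added example (not from the article): flag credential-stuffing style login
activity in authentication logs. The log format, field names, sample entries
and thresholds below are assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, one event per line:
#   "<ISO timestamp> <source IP> <username> <result>"
# The first block shows one address cycling through several accounts and
# finally succeeding on one of them (a reused password); the rest is the
# ordinary noise of a clinician mistyping a password and a normal login.
SAMPLE_LOG = """\
2024-09-27T02:00:01 203.0.113.10 dr.jones FAIL
2024-09-27T02:00:02 203.0.113.10 nurse.kim FAIL
2024-09-27T02:00:03 203.0.113.10 lab.tech FAIL
2024-09-27T02:00:04 203.0.113.10 radiology1 FAIL
2024-09-27T02:00:05 203.0.113.10 billing2 FAIL
2024-09-27T02:00:06 203.0.113.10 admin.ops OK
2024-09-27T08:15:00 198.51.100.7 dr.jones FAIL
2024-09-27T08:15:30 198.51.100.7 dr.jones OK
2024-09-27T09:00:00 192.0.2.44 nurse.kim OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_failures=5, min_users=3):
    """Return {ip: details} for source addresses whose failed logins, within
    any sliding window of `window` length, reach `min_failures` attempts spread
    over at least `min_users` distinct accounts. A later successful login from
    the same address is recorded so the alert can be escalated."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order per source
        fails = [(t, u) for t, u, r in events if r == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            window_fails = fails[start:end + 1]
            users = {u for _, u in window_fails}
            if len(window_fails) >= min_failures and len(users) >= min_users:
                # Any success from this address at or after the burst is the
                # signal that a credential actually worked: escalate it.
                later_success = [u for t, u, r in events
                                 if r == "OK" and t >= fails[end][0]]
                alerts[ip] = {
                    "failures": len(window_fails),
                    "distinct_users": len(users),
                    "later_success": later_success,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The single mistyped password from 198.51.100.7 never trips the rule because it touches only one account, which is the point of requiring many distinct usernames rather than many failures alone; a lockout-style rule keyed on the account would miss the spray across accounts entirely. In practice the thresholds would be tuned to the organization's baseline and the alert fed to whoever owns the compromised account for a forced reset.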

Most hospitals also need more robust security controls. Physicians and healthcare facilities must also embrace the cybersecurity controls found in other industries, said Witt. “Multifactor authentication is one of those things that can cause us frustration,” he said. “The controls can seem onerous, but they’re really valuable overall…and should become standard practice.”

Doctors can also prepare for a ransomware attack and protect patients by practicing some “old-school” medicine, like using paper systems and maintaining good patient notes — often, those notes are synced locally as well as offsite, so you’d be able to access them even during a data breach. “It’s smart to write prescriptions on pads sometimes,” said Radolec. “Don’t forget how to do those things because that will make you more resilient in the event of a ransomware attack.”

A Continuing Threat

Cyberattacks will continue. “When you look at the high likelihood [of success] and the soft target, you end up with ... a perfect storm,” said Radolec. “Hospitals have a lot of vulnerabilities. They have to keep operations going just to receive income, but also to deliver care to people.”

That means that the burden is on healthcare organizations — including physicians, nurses, staff, and C-level execs — to help keep the “security” in cybersecurity. “We are all part of the cybersecurity defense,” said Witt. Helping to maintain that defense has become a critical aspect of caring for patients.

A version of this article first appeared on Medscape.com.
