Healthcare organizations have become a prime target for malicious cyberattacks that have surged in recent years—and only show signs of increasing. The motivations behind these attacks range from extortion to espionage and even cyber warfare.
While government officials, technology professionals, and security officers have sounded the alarm for years, dire warnings are increasingly coming from organizations like the Joint Commission, ECRI, and the FBI, which in 2022 ranked the healthcare sector No. 1 out of 16 critical infrastructure sectors for ransomware attacks.
Cyberattacks impact clinics, large health systems, rural hospitals, insurers, and third-party vendors. Vulnerabilities run the gamut. Security of medical devices and ransomware top the list of concerns for healthcare IT security professionals, according to a Ponemon Institute survey. In fact, 41% of respondents said their organization averaged three or more ransomware attacks in the past two years. That is consistent with data we are seeing elsewhere across the industry, including a JAMA Network study showing that the annual number of ransomware attacks on US healthcare providers more than doubled over a five year period.
The threat landscape is expansive, cutting across patient data and privacy, operations, and medical research. Below are three real-world examples spotlighting the crippling impact of cyberattacks. Critically, we lay out three actions organizations can take now to beef up their cyber maturity.
Healthcare providers store vast amounts of sensitive patient data. This data is often shared through interconnected and interoperable systems across a wide spectrum of third-party vendors, with co-mingled technology old and new.
Given all this, the vulnerability aperture or attack space is growing exponentially. A successful cyberattack can lead to data theft, exposing patients to identity theft, financial fraud, and even blackmail. The financial impact alone of a breach can be immense for a healthcare organization. The average cost of a healthcare data breach hit $11 million in 2023, a 53% increase from 2020. The loss of trust resulting from such breaches also can discourage patients from seeking medical attention, thereby endangering their health.
Third-party data breach
In July 2023, hackers targeted an external storage center and software system used for email formatting by a healthcare provider with more than 180 hospitals and over 2,000 sites of care. While this side door did not offer access to clinical information, it did include names, email addresses, and some appointment information.
Scale: 11 million patients had information stolen and put up for sale.
Litigation risk: Nearly two dozen class action lawsuits were promptly filed demanding monetary damages and encryption of all the data that the provider handles. The litigation was consolidated into a single filing in late August.
With the advent of more interoperable capabilities and Internet of Things devices, healthcare facilities rely heavily on digital systems for workforce planning, appointment scheduling, end-to-end patient care, recordkeeping, and medical equipment management.
Cyberattacks targeting these systems and the associated data can disrupt normal operations, leading to delayed treatments, canceled surgeries, and a general breakdown in the delivery of healthcare services. These incidents serve as stark reminders of how vulnerable health services in the real world are to cyber threats.
In 2021, a devastating attack severely impacted a healthcare provider in California. In addition to stealing patient data, attackers unleashed ransomware that forced the organization to take down its IT systems, including backup servers.
Operational impact: Staff resorted to pen-and-paper processes. Even basic digital operations such as telemetry—that is, the electronic monitoring of patients’ vital signs—were interrupted. It took weeks to restore all digital systems.
Patient impact: Not only did the provider have to suspend some services, other hospitals in the region saw median waiting times increase by 47.6% due to the influx of diverted patients.
Cost: Reported losses totaled almost $120 million.
Healthcare organizations contribute significantly to medical research and innovation. Cyberattacks targeting research institutions can result in the theft, destruction, or tampering of valuable research data, potentially setting back advancements in medical science. This not only affects the current state of healthcare but also impedes the development of future treatments and therapies.
In recent years, cyber espionage campaigns have targeted pharmaceutical companies and medical research institutions. They aim to steal intellectual property related to drugs, including vaccines—with a notable spike during the pandemic—and medical technologies. The US Department of Justice in 2020 indicted two prolific hackers for allegedly infiltrating the computer systems at hundreds of organizations over several years and making off with terabytes of data worth hundreds of millions of dollars. Among the targets were medical device makers, biotech firms, and pharmaceutical companies. The theft of such vital information not only hampers progress but also threatens public health, especially during global health crises.
Research data theft
In March 2023, a university hospital in Spain was hit by a cybercriminal group that specializes in exfiltrating data. In addition to patient and employee information including digitized doctor signatures, the group stole research data from clinical trials on autoimmune and cancer treatments, fields in which the hospital is a leader.
Impact: The hospital poured time, money, and prized scientific expertise over multiple years into the research that culminated in the clinical trials. In total, the criminals stole over 4 terabytes of data.
Outcome: The criminal group demanded a $4.5 million ransom (USD), but the government refused to pay. The stolen data was published on the dark web in batches.
The seriousness of cyberattacks on health services cannot be ignored. From IT staff to third-parties, preparedness is muti-layered with each layer potentially having holes or vulnerabilities. Just 17% of healthcare delivery organizations update software on a regular basis, and only 20% educate employees about ransomware risks, according to a recent Ponemon Institute survey. Additionally, there was a 7% drop in the number of healthcare delivery organizations that budgeted for third-party risk management.
Executives and boards must ask one major question: How vulnerable is our organization?
We’ve outlined three practical actions healthcare organizations can take today to assess their risk:
Healthcare organizations should conduct a preventative, comprehensive cyber exam at least once per year. Such an assessment includes identifying potential weaknesses across applications, network, and systems. The assessment should especially extend to the full workforce, gauging their level of cybersecurity awareness and training since so many attacks begin with social engineering methods such as phishing.
Organizations will then be able to surface insufficient or incomplete deployment of essential defenses or incident response abilities. An assessment may unearth areas of deficiency in multi-factor authentication, encryption, access privileges, email filtering, and offline backups, among others.
Equipped with that knowledge, leaders can direct finite resources to shoring up the most likely routes of an attack. That said, vulnerabilities that cannot easily be addressed will remain. Conveying lingering risks related to HIPAA violations and other applicable regulations to the legal department is an important step and organizations should consider insurance.
Once a comprehensive assessment is done, organizations can strategically prepare their response to defend against an attack and minimize the potential damage should one occur. This involves establishing or updating a cyber incident response plan that clearly commits responsibilities to specific individuals or teams before, during, and after an incident. Organizations must have clear communication protocols both to notify and engage stakeholders, including clinical staff, non-clinical staff, leadership, and legal authorities.
Don’t just plan. Practice. Run a simulation that emulates sufficiently the effects of the attack on patient care, staff productivity, and hospital operations. For example, test the ability of staff to isolate the propagation of malware, shut down devices that cannot be disconnected, operate with downtime procedures, appropriately prioritize recovery according to agreed-upon criticality, and communicate relevant information in a timely fashion throughout.
Then consolidate findings into a report that will be used to improve the organization’s posture, preparedness, and responsiveness. Such a thorough exercise will bring a healthcare provider much closer to cyber readiness and resiliency, akin to the muscle memory that makes running a high-energy emergency room second nature.
As healthcare providers increase collaboration with and reliance upon multiple digital tech solutions, interoperability is a must, as well addressing the critical vulnerabilities created by such connectivity. Every interface a healthcare provider shares with another entity creates a potential inroad to even the most secure digital environments. Providers must vet the maturity of each partner or vendor’s digital environment to mitigate risk to their own patients and workforce.
When evaluating healthcare partners and technology vendors, add requirements for cyber-risk management to your due diligence—ensuring you know their posture and their preparedness. Insist that they complete regular comprehensive exams just like you now do, that they routinely update their product with the latest security patches, and that they report incidents and breaches as soon as possible.
Use the contract as an opportunity to clarify in advance the liability for any breach that does happen. Then, when onboarding and working with new partners and vendors, make sure access to data is appropriately limited to the necessary use and that controls are distributed rather than monopolized.
Protecting a healthcare provider’s data and IT systems—and therefore the lives and wellbeing of its patients and care teams—must be the work of both the provider and its upstream and downstream partners.
Health and Human Services recently released public tools for healthcare organizations to leverage. Take advantage of these tools and reach out with any questions about where to get started.
Supporting research: Scott Bartley, Research Analyst, Oliver Wyman