Crippling cyberattacks against hospitals and healthcare institutions are on the rise. This year, there has been a sharp rise in cyber gangs stealing sensitive patient data by launching ransomware attacks. These ruthless attacks can take medical systems offline for weeks, resulting in thousands of cancelled appointments and surgeries and causing harm to patients. Doctors and nurses are also plunged into crisis as they are suddenly locked out of access to online patient records and have to resort to filling out paperwork manually. Telephone systems go down, while IT staff work tirelessly to safely restore online services. Recovery can be long and brutal.
It doesn’t take long to see how ransomware can have a dangerous impact on the healthcare sector. The industry is increasingly being targeted because of the valuable data it contains. Qilin, the Russian-speaking cyber gang behind the recent attack on Synnovis, stole data and, after unsuccessful negotiations, published it on the dark web. The gang had demanded more than $50 million from Synnovis in exchange for not releasing the data. But even if a cyber gang fails to receive a ransom, a successful attack increases its notoriety even further.
Director of Technology and Security Strategy for the EMEA region at Akamai.
Calculating the human cost
Criminals operate internationally, so cybercrime is ultimately a business. The World Economic Forum has revealed that the cost of cybercrime could reach $10.5 trillion annually by 2025. However, when malicious actors specifically target healthcare institutions, it is patients who pay the price.
Hospitals and other healthcare organizations are highly complex, constantly storing and processing significant volumes of personal data. This personal data is fed into dozens of software models hosted by third-party companies, providing everything from electronic medical records to staff shift schedules. Cyberattacks against third-party service providers that take medical services offline can impact a hospital’s internal systems and networks as well as those belonging to the third-party providers.
In the hours and days following a ransomware attack, it is common for companies that have software connected to the targeted organization to take their services offline while they determine which areas have been affected. While a cyberattack against a business can disrupt services such as payments and inventory control, cyberattacks against the healthcare sector can deny patients life-saving care and reduce their trust in healthcare services.
Add to this the fact that the healthcare industry has seen a significantly higher increase in cyberattacks (162%) than any other industry (the second highest increase, 116%, was in media, leisure and entertainment), and it is clear that the human cost of cyberattacks is skyrocketing within healthcare organizations.
Blind spots in healthcare
Across the healthcare sector, organisations report that budget constraints are the biggest barrier to cyber resilience. In the current climate, many institutions are often only able to respond to cyberattacks reactively. But the truth is that reactive approaches hand the initiative to malicious actors and put healthcare facilities in a defensive position.
Older IT systems in healthcare services also provide attractive entry points for cybercriminals. For example, organisations often rely on operating systems that are no longer supported, such as Windows 7. In some cases, legacy systems can account for 30 to 50 percent of all IT services, leaving them exposed to vulnerabilities. Some of these systems may have been designed more than 20 years ago and simply have not been kept up to date with technological advances due to the cost of maintaining or replacing software that was originally designed for an operating system that is now outdated.
It is not realistic to upgrade the operating system overnight, but there are immediate steps that organizations can take to manage risk. One example is network segmentation, which involves dividing the network into isolated sections. This allows an organization to isolate critical aspects of its network and ensure that, even in a worst-case scenario, a minimum safe operating level is maintained.
Segmentation is vital to healthcare because it allows institutions to acquire the most precious resource of all: time. Segmented networks slow down malicious actors. Essentially, it’s the difference between giving hackers a free pass or ensuring they are stopped and blocked at every juncture. While the most desirable outcome is to prevent cybercriminals from gaining entry altogether, it’s equally important to ensure that should an attack succeed, they aren’t given the red carpet treatment in every corner of a network. On average, a ransomware attack on a well-segmented network is completely stopped four times faster than on a network that isn’t segmented. In healthcare, the speed of a successful response can literally be a matter of life and death.
Preparing for the future
IT and security teams are facing an uphill battle. It has never been easier for amateur cybercriminals to launch attacks and cause trouble. And that is largely the reason why we are seeing an increase in attacks and hacktivism both in Europe and globally.
The recent attack on Synnovis highlights the importance of having robust cybersecurity measures in place to prevent attacks in the first place, as relying on post-attack solutions is neither feasible nor desirable. It is imperative that healthcare institutions are empowered to strengthen their defenses by addressing key vulnerabilities.
In addition to protecting infrastructure, healthcare institutions must provide the tools for employees to work safely. Organisations have a duty to protect their employees, and this extends to ensuring they can detect phishing attempts and cyberattacks in their early stages, and to blocking the user’s request if they click on a malicious link. Training and refresher sessions should be conducted throughout the year. Attackers rely on complacency at the point of entry and exploit it.
Another clear step that every healthcare facility can take is to implement an “assumed breach” approach. Uncovering an attack is an extremely stressful situation, but one that shouldn’t lead to panic. Operating under an assumed breach mindset helps manage it. It’s an approach that ensures constant pragmatism and is a core tenet of Zero Trust, the network security strategy based on the philosophy that access is never granted unless explicitly deemed necessary. In healthcare, organizations should operate under a “never trust, always verify” strategy. This limits a cybercriminal’s lateral movement once they force access and also makes it easier to enforce microperimeters around sensitive data.
As healthcare institutions increasingly find themselves in the crosshairs of cyber gangs, cybersecurity must be treated as an operational necessity.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the best and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc.