How Do Cyber Attacks Happen in Hospitals and Healthcare Clinics?

Threats to hospitals’ cybersecurity cost the healthcare sector millions each year. A case in point: Universal Health Services, one of the largest hospital chains in the United States, was attacked late last September, which ended up costing the company $67 million last year. Due to ransomware, which shut down computer systems for medical records, pharmacies and labs across 250 facilities, ambulances had to be diverted to other hospitals and critical surgeries ended up being postponed as IT experts raced to restore infrastructure and even connected medical devices.

Unfortunately, cases like Universal Health Services are far too common.

Cyberattacks costs hospitals millions each year

In a recent IBM report, healthcare clinics and hospitals incur the highest average security breach cost of any industry. In fact, cyberattacks can cost one institution US $7.13 million per incident—and even higher.

Take Sky Lakes Medical Center, located in Oregon. In October 2020, the center was dealing with a massive surge in COVID-19 hospitalizations when hackers sent malware to the institution’s network, leaving staff without access to medical records and equipment. One month after the attack, the associated costs of building the network with new servers and computers as well as lost revenue from the incident was estimated at US $10 million.

Comparitech analysts estimate that ransomware attacks on US healthcare organizations cost them US $20B in 2020 alone. The company indicates that there has been an increasing trend in double extortion attempts in which cybercriminals not only deny access with a ransom message but also call patients with proof of the data collected. This new trend is often forcing hospitals and clinics to pay out the ransom amounts, which incentivizes future cyberattacks.

Patients Put at Risk

The barrage of cyberattacks on healthcare organizations is not just about their bottom lines. A 2020 Cybersecurity Survey from the Healthcare Information and Management Systems Society (HIMSS) offered somber news for hospitals and clinics that didn’t invest substantially more in their cybersecurity:

“Historically, hackers have threatened the confidentiality of medical information through data breaches where they obtain Social Security numbers or financial data. But if hackers threaten the integrity of medical data, such as by changing laboratory values or hacking a remote medical device, that could pose a very real danger to patients,” said Rod Piechowski, health IT expert and Vice-President of Thought Advisory at the HIMSS, during an interview about the study.

Even more disturbing is how sophisticated cyberattacks can become, doing more harm on patients. For example, in a bid to raise awareness in cybersecurity weaknesses in medical equipment and devices, researchers in Israel were able to create a malware capable of adding or removing tumors in CT and MRI scans—tricking radiologists into providing false diagnoses. In 87% of the cases in which the malware removed cancerous modules, doctors concluded very sick patients were actually healthy. The Israeli research team said that the malware could be used for all types of health issues, including brain tumors, heart disease, blood clots, spinal injuries, and more.

The healthcare sector is notorious for being a target for cyberattacks.

Many hospitals and clinics rely on outdated systems and infrastructure with minimal resilience to cyberattacks. On the other side of the spectrum, more modern healthcare facilities are increasingly reliant on networked digital infrastructure as well as medical equipment and devices that use IoT sensors to connect them to centralized networks. While electronic data sharing and virtual services can facilitate and accelerate patient care, they are still vulnerable to security breaches that affect how they operate. In these cases, cyberattacks can not only access the equipment’s configurations and settings—but also the hospital networks to which they are connected.

Another reason healthcare organizations are a goldmine for cybercriminals is their financial resources. In privatized healthcare networks, hospitals and clinics often have substantial financial resources to actually pay ransomware, for example. In the public sector, the situation can be the complete opposite; with lack of financial resources, hospitals and clinics rely on legacy technology that cannot withstand attacks.

Furthermore, healthcare organizations have been slow to adopt cybersecurity best practices and technologies, according to the Harvard Business Review. In IBM’s aforementioned survey, just 23% of hospitals and clinics have fully deployed security automation tools. The HIMSS survey showed that healthcare organizations dedicated only 6% or less of their IT budgets to cybersecurity, making them very much prone to hackers.

Cybercriminals also don’t just “attack” IT infrastructure. They also target healthcare professionals. This approach is three-pronged.

For one, human error accounts for 95% of security breaches. This means that hospital or clinic employees’ unintentional actions, such as downloading a malware-infected attachment or failing to use a strong password, can pave the way for a breach.

This situation is exacerbated by the fact that many healthcare professionals in human resources, accounts payable and other departments are working from home. As Jeff Brown, CEO of the cybersecurity company Open Systems, said in a recent interview with Silicon Republic: Cybercriminals “are currently taking advantage of the thousands of healthcare workers in human resources, accounts payable and other departments who are working from home due to the pandemic.” They are also targeting healthcare professionals conducting telemedicine at home. These remote employees all have to connect to applications and data to carry out their day-to-day tasks. Without the proper cybersecurity measures and training in place, hackers can easily penetrate entire hospital networks—either to steal financial, employee or patient data, or hijack accounts for ransom.

Secondly, insider jobs run rampant with respect to cyberattacks in hospitals and clinics. In one Accenture report, 29% of healthcare employees were aware of someone in the organization selling access to patient data. Alarmingly, 21% said they would be willing to make a profit by providing authorized access to confidential information. Forty-seven percent of healthcare professionals surveyed said that they were aware of patient data breaches in their organizations, but that many were left unreported.

Finally, organizations in the healthcare sector face an unprecedented shortage of cybersecurity talent. Recent Black Book research found that it takes healthcare organizations up to 70% longer to fill cybersecurity positions versus other IT jobs. Seventy-five percent of experienced cybersecurity workers won’t choose a career in healthcare because of the ramifications after a cyberattack. This means that without the talent to build and maintain cyber resilience, hospitals and clinics are often left to fend off cybercriminals with IT professionals that don’t have the latest know-how to secure institutions against breaches and ever evolving cyberattack methods.

What is a cyberattack, first of all? In simple terms, a cyberattack is a deliberate and malicious attempt by an individual, group of individuals or even an organization to breach the computer, multiple computers, or networks of another individual or organization. Cyberattacks can either disable the target computer(s) and network(s) or access their data and admin privileges.

Breaches to steal personal health information (PHI) are hot these days on the black market. Whereas credit card information and personal health information sell for $1 to $2, PHI can sell for as much as $363, according to the Infosec Institute. The average cost of a data breach for non-healthcare companies, per stolen record, is $158. For healthcare organizations, these cost approximately $355 each.

The healthcare industry is plagued by many different types of cybersecurity threats. Here are some of the most rampant.

Malware, Ransomware and Spyware

Malware is a suspicious software like email or link that can harm an organization’s data. It gets access to its systems when someone clicks on an unnecessary email or link. Once an employee clicks on the email, it can steal the organization’s data, delete it, or misuse sensitive information. Moreover, it can also block access to critical applications or files.

Ransomware, a type of malware, is devised to lock and encrypt user or server files and devices—only to demand a ransom within a short period of time in order to restore access. In a nutshell, ransomware holds files, pictures, and personal and financial information basically hostage. Unfortunately, paying the ransom does not even ensure that access will be unlocked. Ransomware attacks jumped 45 percent—more than double than in other industries—during the first 10 months of 2020 alone.

Spyware, yet another type of malware, infiltrates devices to gather information about an individual or organization. Spyware is meant to monitor and report activity to a third party for subsequent nefarious activities.

Phishing and Spear Phishing

Phishing is a cyberattack during which your employees are contacted by email, text message or telephone by someone posing as a legitimate professional or institution to lure them into giving up sensitive information, such as passwords, banking and credit card details, and all types of personally identifiable information.

Spear phishing is the same as phishing, except that it is targeted to specific individuals, groups and organizations. Spear phishing are often more convincingly written and are much more difficult to detect. That is why with the rise of remote healthcare professionals and reduced cybersecurity precautions, spear phishing has become the cyberattack of choice. In fact, 95% of all attacks that target enterprise networks are caused by spear phishing.

Distributed Denial of Service Attacks

Distributed denial of service (DDoS) attacks is a malign attempt to disrupt a targeted server, service, network or IoT devices by overwhelming it with a flood of Internet traffic. These attacks are meant to exhaust resources and bandwidth. DDoS can prevent healthcare professionals from accessing networks or equipment to provide proper patient care or utilize critical information for their jobs.

Boston Children’s Hospital was the victim of a devastating DDoS attack in 2014. The attack, conducted by hacker group Anonymous, was to protest the treatment of a patient based in her diagnoses and custody between parents. The hospital, along with other partners, including Harvard University and all of its hospitals, lost access to their networks and the Internet. Boston Children’s hospital ended up spending more than US $300,000 to respond and reduce the damages caused by the attack.

DDoS attacks, and other threats, including botnets and remote code execution, have also been on the rise. Imperva recently reported a 372% increase in DDoS and bad bot traffic to healthcare organizations since the end of 2020 alone.

The healthcare industry is expected to spend US $125 billion on cybersecurity from 2020 to 2025. There are many ways hospitals and clinics can optimize their resources to build a more robust cyber resilience. They can:

• Invest in a cybersecurity audit and risk assessment
• Develop a clear cybersecurity strategy that is updated regularly
• Implement endpoint detection and response (EDM) and mobile device management (MDM) platforms to mitigate security risks with mobile devices, laptops and workstations
• Plan for investments in the latest information systems and software as well as cybersecurity infrastructure
• Conduct cybersecurity awareness training with employees several times a year
• Partner with third-party experts to carry out phishing simulations, for example, to identify vulnerabilities
• Create a cyberattack incident response plan
• Take out cyberattack insurance

The risks of cybersecurity in healthcare shows no signs of slowing down. As the future of health constantly evolves, with new technologies emerging faster than ever before, healthcare organizations must radically change how they can improve their preparedness to thwart threats to their IT infrastructure. Cybersecurity hygiene must be top of mind for administrators looking to safeguard their networks, employees and patients.