Experts described 2020 as a “perfect storm” for cybercriminals, whose ransomware attacks on hospitals and other healthcare facilities cost the industry some $21 billion. The figure represents direct downtime of equipment caused by ransomware, which renders target devices inoperable until organizations buy a cryptographic key from the attacker.
Downtime costs doubled in 2020 compared to 2019, representing nearly 100 individual ransomware attacks at hospitals, clinics, labs, and other facilities of all sizes. More than 18 million patient records were compromised as a result, a nearly five-fold increase from 2019.
Ransomware attacks are about more than the precarious state of PHI confidentiality. At least one 2021 lawsuit alleges that a hospital ransomware attack resulted in an infant’s death, when the EHR systems at Springhill Medical Center, in Mobile, Alabama, were attacked. Lack of access to crucial information led to lost opportunities to perform a potentially life-saving C-section.
At the most precarious time in modern healthcare, cybercriminals showed no mercy. Yet, even if 2022 sees a substantial downturn in COVID’s ability to produce disruptive strain on hospitals, they will still be under an ever-increasing threat of attack. That threat is growing more diverse and difficult to stop.
The Internet of Things May Lead to a “Fish Tank Attack” Every Single Hour in Healthcare
It sounds like something out of Ocean’s Eleven or another Hollywood heist movie, but it’s true. In 2017, criminals hacked a fish tank to gain access to sensitive systems at a North American casino, resulting in the theft of ten gigabytes of data. The fish tank featured internet connectivity for remote monitoring of temperature, salinity levels, and other factors.
Physicians and administrators are moving to embrace IoT, as its predictive data has the potential to transform care outcomes and improve early detection of serious issues. But as deployed technology becomes more diverse and connected, everything in the care environment that collects or distributes data has the potential to become what cybersecurity professionals call an attack vector.
By 2027, the global market for portable and remote patient monitoring is expected to rise to $43 billion. This includes items used on an outpatient basis, such as CPAP monitors, as well as those installed in the treatment environment. As these devices exchange information and interface with secure networks of the healthcare provider or the device manufacturer, they open major vulnerabilities:
- Hackers have the opportunity to intercept sensitive patient data in transit
- By infiltrating a device, they can change settings or gather more information
Healthcare IoT is advancing in tandem with the explosive growth of telehealth driven by the pandemic. McKinsey has asked if telehealth may reach a quarter-trillion dollars post-COVID. Yet, while telehealth features a growing number of robust, HIPAA-compliant communication platforms the patient can truly rely on, IoT hardware devices remain a poorly secured back door leading straight to their PHI.
The notorious “baby monitor attack” that allows outsiders to manipulate and monitor video feeds is just one example of security struggles in the consumer IoT market. It is important to realize that there are, as of now, no significant engineering differences in healthcare IoT devices that make them more secure.
The attacks possible in the consumer sphere are a difference in degree, not in kind, when compared to attacks that are just as easy and likely in the care environment. And, unfortunately, most healthcare organizations are woefully under-prepared for this new reality.
Direct Attacks Are Only the Beginning, and the Threat Is Getting Worse
In August of 2021, HIPAA Journal reported that a hacker claimed to have gained access to Boston Children’s Hospital through the network of an affiliated HVAC vendor, ENE Systems. ENE Systems’ clientele included Brigham & Women’s Hospital and Massachusetts General Hospital at the time.
Although Boston Children’s Hospital was made aware of the potential breach with no apparent loss of data or functionality, the incident demonstrates the dangers of the wider connected world that modern hospitals operate in. And the potential for determined, sophisticated attacks sharply rose in 2022.
Most hackers are non-state actors. But Russia’s invasion of Ukraine raises the specter of widespread cyberattacks on critical infrastructure in the U.S. and Europe. In the New York Times, former National Security Agency general counsel Glenn S. Gerstell says the nation “isn’t ready for what’s coming,” as it lacks capability for a coordinated response between security experts, small business, and government.
With the ambiguous post-COVID situation still unfolding, healthcare infrastructure is in criminals’ sights like never before. This has the potential to deliver a double punch to hospitals, already tottering under the weight of an average $35,000 per physician per year in HIPAA compliance costs.
Each individual breach has the potential to cost thousands more.
Hospitals, Vendors, and Manufacturers Must Work Together for Cybersecurity Best Practices
The average healthcare organization spends only about 5% of its budget managing cybersecurity risks, while the balance is devoted to adopting new technologies. This may be unsustainable. “Alarmingly,” says Brookings Institution analyst Darrell M. West, “organizations are expanding their attack surface despite lacking the tools to adequately defend their digital estate.”
In 2022 and beyond, hospitals will need to demand higher standards from their vendors, their IoT service providers, and their teams. That may take the form of rigorous third-party audits of all new connected devices, providing in-house IT leaders with the guidance necessary to enact cybersecurity best practices from the beginning – not after the foxes are running loose in the henhouse.
Likewise, organizations must plan for the worst-case scenario and have an operational continuity plan in place. This requires robust, HIPAA-compliant backup of data that might become inaccessible after being encrypted by a ransomware attack.
It also means adopting a principle of proactive deterrence by making it clear that you and others within your business network will not pay ransom to criminals. With lives in the balance, it is understandable why healthcare executives have made that choice – but it has contributed to the meteoric rise of the average ransomware demand, which increased by more than 500% in 2021.
JP Boyle & Associates is a health information technology search firm in North America, Europe, Asia and the Middle East.
