UMC Health System in Lubbock, Texas, experienced an IT outage on September 27, 2024, caused by a cybersecurity event that temporarily redirected patients to other medical facilities. This year alone, healthcare organizations have faced 386 cyber intrusions. These ransomware attacks disrupt and hinder patient care.
Over the past few years, numerous healthcare systems, such as Scripps Health, Universal Health Services, Vastaamo, Sky Lakes, and the University of Vermont, have paid exorbitant sums, sometimes in the tens of millions, to recover data following a cyber incident or data breach. The repercussions of cyberattacks on healthcare systems go beyond workflow disruption and data exposure: they compromise patient safety, risk the loss of vital information, and can leave imaging and lab results missing or held for ransom, making physicians’ work difficult or impossible.
Cyberattacks against medical facilities are considerably more frequent than commonly assumed. A recent report by Ponemon and Proofpoint found that 92% of healthcare organizations experienced a cyber incident within the last year. Even more alarming, roughly half of the affected organizations faced disruptions in patient care services.
Soft Spots in Healthcare Systems
Hackers view healthcare institutions as easy targets for several reasons, according to Matthew Radolec, Vice President of Incident Response and Cloud Operations at Varonis, a data protection firm. “Primarily, they represent a fusion of multiple healthcare systems that are interconnected,” Radolec said. “Many hospitals are linked to other medical facilities or tied to educational organizations, thus sharing their computer susceptibilities… and if a problem arises, it could quickly spread to your network.”
Another contributing factor is the cost of safeguarding data. “In the case of hospitals, they often argue that every dollar allocated to security is a dollar not allocated to patient care,” Radolec said. “Hence, the notion of investing in security becomes quite arduous from a fiscal perspective… they often face the dilemma of choosing between acquiring a new MRI machine or enhancing their antivirus, backups, or data security.”
Because of the wealth of confidential data and medical records they hold, hospitals are considered “high impact” targets for cybercriminals. Attackers know that a breached hospital is more likely to pay a ransom quickly, Radolec told Medscape Medical News. Hospitals also tend to carry cyber insurance to offset the costs when their data is stolen, encrypted, and held for ransom.
The 2024 Microsoft Digital Defense Report further indicates that malicious actors are growing more sophisticated and resourceful, posing challenges even for the most robust cybersecurity protocols. Stronger defenses alone may not suffice; the sheer volume of attacks calls for effective deterrence strategies and government action that imposes consequences on attackers.
Exposed Users
Whether through a phishing email, password breach, or web intrusion, “the moment a ‘hostile actor’ infiltrates your institution and obtains credentials… it signifies the Nirvana state for an adversary,” cautioned Ryan Witt, Chair of the Healthcare Customer Advisory Board and Vice President of Industry Solutions at Proofpoint, a cybersecurity platform. “They seize those credentials and proceed to deep reconnaissance. Healthcare facilities often require up to 6 months to confirm if an intrusion has transpired within their network.” During this time, attackers study how the institution operates, which job functions are critical, and which attack strategies would work best.
“Attackers succeed by acquiring databases containing usernames and passwords. They then test these credentials in the millions,” Radolec added. “For a skilled aggressor, success relies on patience and motivation. They possess the required expertise; the key factor is the level of their persistence.”
Certain categories of hospital personnel are more prone to cyber threats than others. “Approximately 10% of a healthcare organization’s user base exhibit heightened susceptibility for various reasons — their work practices, job title significance, and consequent system access,” noted Witt.
High-profile staff members are likelier targets than those in lower-level positions; the so-called “CEO attack” is commonplace. Yet employees in other parts of a hospital also fall prey to cybercriminals, including those in hospice departments or hospice facilities and in the research departments of medical institutions.
The Ramifications of Cyber Offensives
Although physicians and healthcare administrators formerly regarded cybersecurity mainly as a compliance obligation rather than a genuine hazard to patients, this mindset is rapidly shifting. “The correlation between a cyber incident and its impact on patient care and safety is becoming increasingly apparent,” Witt stated.
According to the Proofpoint report, cyberattacks can drastically impede patient care. In 2024:
- 56% of participants witnessed delays in patient tests/procedures
- 53% reported heightened patient complications from medical procedures
- 52% observed extended patient hospital stays
- 44% noted increased patient transfers to alternative facilities
- 28% encountered a rise in mortality rates
Actions for Hospitals and Physicians
Fortunately, medical centers can take steps to strengthen their data security and protect patients. One approach is to segment networks so that no single individual or system has access to vast quantities of data or systems. Educating staff about the dangers of phishing and spoofed emails can harden organizations against ransomware. Encouraging personnel to avoid password reuse and to update login credentials regularly also strengthens security.
Most hospitals need stronger security protocols. Physicians and healthcare organizations ought to adopt cybersecurity measures akin to those common in other industries, according to Witt. “Multifactor validation may sometimes seem burdensome,” he acknowledged, “yet it holds immense value overall… and should become a standard practice.”
Additionally, practitioners can prepare for ransomware attacks and safeguard patients by falling back on traditional medical practices such as using paper-based systems and keeping meticulous patient records; often, these records are synchronized locally as well as offsite, so they remain accessible even in the event of a data breach. “It’s wise to occasionally jot down prescriptions on physical pads,” Radolec suggested. “Don’t neglect these habits, as they can bolster your resilience in case of a ransomware strike.”
A Persisting Menace
Cyberattacks will persist. “Considering the elevated probability of triumph and the vulnerability of soft targets, an ideal storm emerges,” Radolec remarked. “Hospitals exhibit numerous vulnerabilities. They must perpetuate their operations not solely to generate revenue but also to provide care to individuals.”
This underscores the responsibility of everyone in a healthcare organization, including physicians, nurses, staff, and senior executives, to uphold the “security” component of cybersecurity. “We all contribute to cybersecurity defense,” Witt stressed. Helping to maintain this defense has become a pivotal aspect of patient care.
Kelly K. James is a freelancer, content curator, and author of The Book That (Almost) Got Me Fired: How I (Barely) Survived a Year in Corporate America. She explores health/wellness, business/career, and psychology themes from her residence in the Chicago suburbs.
