The Healthcare Sector is Still Under Siege by Cybercriminals
Although every industry has been impacted by cyberattacks during the unprecedented wave of cybercrime in 2020, the healthcare sector really experienced a disproportionate share. That wasn’t good news in the middle of a global pandemic that was driving already challenged healthcare organizations to the brink and beyond in the worst health crisis in generations. Cybercriminals saw an opportunity and they took it – confirmed data breaches in the healthcare industry increased by 58% in 2020. Now industry experts are wrestling with a thorny question: are healthcare cyberattacks a legitimate public health crisis?
No one disputes that cyberattacks against hospitals, health systems, research facilities, pharmaceutical manufacturers and even temperature-controlled transportation were incredibly disruptive to the COVID-19 pandemic response around the world. Experts estimate that the healthcare sector alone lost $25 billion alone last year and an estimated 27% of all cyberattacks in 2020 targeted healthcare organizations. That’s not including pharmaceutical companies, research facilities, testing laboratories, equipment manufacturers, technology providers, insurance companies and myriad other healthcare-related businesses.
This onslaught led to huge problems exactly when hospitals and clinics couldn’t stand to have anything else go wrong. Unfortunately, according to researchers at Blackberry, healthcare sector businesses are the most likely to pay ransoms, making them extremely attractive targets. The information gained in healthcare data breaches is also exceptionally desirable and valuable. During the race to develop a COVID-19 vaccine, the pressure was on pharmaceutical companies, with three major contenders breached in one week at the peak of the pressure. Two specific outcomes for healthcare-related cyberattacks have made an especially strong case for healthcare cybercrime constituting a public health crisis.
Ransomware attacks against every target soared in 2020, and healthcare was no exception. Attacks against healthcare organizations dramatically increased in Q4 2020, with a month-over-month increase of about 45%in early November. That followed an alarming 71% spike in October. Researchers noted that on average, businesses and organizations faced an average of 440 ransomware attacks per week in October 2020 – and by the end of November 2020 that number climbed to 626 — nearly 90 attacks every single day.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) didn’t wait to make a pronouncement about the status of ransomware attacks on healthcare targets. CISA, FBI and HHS joined together in a rare joint warningthe healthcare sector on October 28, 2020, to be on high alert for a new flood of attacks and continuing pressure, including potential activity by nation-state threat actors. Private security experts agree that it was the right call. At the time, the alert specifically called out TrickBot ransomware, but the suggested precautions would offer healthcare organizations strong protection against most other types of ransomware as well.
Care Continuum Impacts
The most feared result of potential cyberattacks against healthcare targets is a disruption in care. Many hospital systems experienced IT outages as a result of cyberattacks that caused serious problems. In some cases, hospitals were forced to resort to old-fashioned written records during these outages, or they experienced an inability to access important test results, scans, x-rays and other important patient information. Universal Health Services (UHS), a nationwide hospital and health facility operator in the US, experienced a massive IT network outage in late September 2020. The company was forced to disconnected its IT system after identifying a malware attack. The outage lasted for eight days in the middle of a pandemic wave, creating more stress for already overburdened medical; staffers in its facilities. In hundreds of UHS healthcare facilities across the US, healthcare workers were forced to resort to cumbersome downtime protocols and paper records during the outage.
It wasn’t just hospitals who have felt the pinch. Just last week, scores of US hospitals were impacted by a security breach at a specialist provider of equipment for cancer treatments. Supply chain and third-party riskhas been a nightmare for every industry in the last 12 months. Swedish oncology and radiology system provider Elekta’s announcement of a data security incident, purported to be ransomware, was a heavy blow to 42 hospitals that were reliant on its first-generation cloud-based storage system. This led to an inability for providers to access the precise notes and details of radiotherapy treatments for patients. Yale New Haven Health in Connecticut was forced to take its radiation equipment offline for over a week, resulting in many of the hospital’s cancer patients being transferred to other providers with little notice. Care disruptions are an unfortunate reality for many hospitals, and that makes cybercrime like this a public health emergency.