Why healthcare is an easy target for cyberattacks

hacker in dark room with laptop

The healthcare industry is getting hit more and more frequently by ransomware attacks. Ben Hargreaves finds that hackers are targeting the industry due to the scale of patient data and the need to keep operations running, necessitating new solutions to counter the threat.

The internet has become the lynchpin around which most industries and institutions operate. This has created an opportunity for cybercriminals to utilise various forms of attack, such as botnets or creating ‘back doors’, on networks for financial gain. According to Statista, this form of crime is escalating rapidly and is expected to cost the global economy $13.8 trillion by 2028.

The target of attacks is frequently indiscriminate – instead, the strategy is based on where weaknesses have been found in IT security. This has led to government departments, major corporations, and even entire countries being the subject of cybercrime. Healthcare services are not exempt and are often prime targets for cybercriminals. The World Economic Forum even noted that the average cost of data breaches for the healthcare industry was almost double that of the financial industry, as the organisation called for greater cyber resilience in the sector.

Paying the price

In March, a breach of data occurred related to UnitedHealth’s Change Healthcare unit, in an attack that was described as ‘unprecedented’ by the US Department of Health and Human Services (HHS). The attack was seemingly carried out by the ALPHV/Blackcat hacker group and managed to disrupt systems used to pay for prescriptions and process health reimbursement claims. As part of the cyberattack, the group suggested it had gained access to six terabytes of data, including payment and insurance information, and health records.

The group later claimed that UnitedHealth had paid $22 million to recover the data that had been stolen. Beyond this potential immediate financial loss, the company also paid out more than $3.3 billion to providers affected by the cyberattack. In terms of the damage to its systems, UnitedHealth outlines on its website the return of certain services in relation to the attack. The range of time for the restoration of products ranges from weeks to months.

The case of UnitedHealth is far from the only such incidence of hackers targeting healthcare institutions. According to Emisoft, a cybersecurity company, the number of attacks on hospital systems in the US during 2023 rose to 46, nearly double the figure in 2022. At the end of last year, there was another ransomware attack that targeted Ardent Health Services, an owner and operator of 30 hospitals and over 200 sites of care. The incident forced ambulances to be diverted and the rescheduling of some elective patient procedures. As in the attack against UnitedHealth, Ardent Health took months to restore and recover the systems impacted, as the company noted mid-way through January that it was still working on fully restoring operations.

There has also been at least one hospital closure where a cyberattack was cited as contributing to the decision, as in the case of St. Margaret’s Health, a hospital in Illinois. A 2021 attack reportedly took the hospital months to recover from, preventing computer systems from working and preventing the filing of insurance claims.

Hitting where it hurts

The World Economic Forum stated that 2023 represented the 13th year in a row that the healthcare industry reported the most expensive data breaches. The grave consequences of attacking a healthcare system could be exactly why hackers have chosen to target the industry. If services can be badly compromised, then the urgency to repair them can lead to any ransoms issued being paid in order to avoid any lives lost. In a study, 28% of respondents working in IT services in the healthcare industry reported an increase in mortality rate when hit with ransomware.

The threat is increasing all the time, as the healthcare industry becomes increasingly dependent on digital means of operations, storing data records, and also operating digital medical equipment, such as medical devices.

The nature of hospital and healthcare services being interconnected also means that compromising one part of a system can open up the entirety of the infrastructure to attack. In 2023, HCA Healthcare was breached and the result affected as many as 11 million patients across 180 hospitals and 2,300 ambulatory sites. In 2017, a ransomware attack disrupted the entirety of the UK’s NHS, with a number of NHS trusts badly affected.

Building resilience

The major issue facing the healthcare system is how to navigate the challenge of preventing attacks, whilst also developing a cohesive strategy across countries and regions to deter hackers in the long-term.

In the case of the attack on the NHS in 2017, the solutions were termed ‘simple’ by the National Audit Office in how to protect their IT systems. The infected organisations were found to be using unpatched or unsupported Windows operating systems, making them susceptible to ransomware.

After the case of UnitedHealth, the US HHS announced that it had initiated an investigation into the cyberattack. In December 2023, the department also released a concept paper outlining its cybersecurity strategy for the sector. The paper outlined four actions that it recommended to stakeholders, including publishing performance goals to provide a framework for best practices, and providing new authority and funding to administer incentives for domestic hospitals to implement them.

The World Economic Forum also conducted a workshop on the issue and published three actions to take to build greater ‘cyber resilience’: “educating boards and engaging leadership on the importance of cyber resilience; building relationships and communities between organisations to secure the ecosystem; and developing an industry playbook that includes shared practices amongst the different stakeholders.”

In terms of how to negate the attacks outright, Emisoft recommended in its publication that the ‘only viable mechanism’ that governments can employ to quickly reduce ransomware volumes is to ban ransom payments. Brett Callow, a threat analyst with Emisoft, stated: “Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either […] The only solution is to financially disincentivise attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”

However, Emisoft did acknowledge that this approach would be associated with short-term pain for victims of attacks. For the healthcare system, this could mean actual victims – those patients whose care was disrupted or where scheduled procedures were delayed. The reality is that there is no easy solution, but governments worldwide will need to take concerted action in the short-term – as the rates of attacks on the healthcare system are increasing all the time.