Hospitals on the front lines are under pressure from more deadly cyberattacks.
Over the previous three years, as the Covid-19 pandemic spread across the world, cybercriminals took advantage of the chaos and routinely shut down hospital networks when they were least prepared to respond. The result has been increased fatalities, postponed surgeries, and reduced emergency services.
Cyberattacks that result in fatalities are changing the calculus for how to respond to destructive hacks, both at sites inside the United States and in international wars like the one in Ukraine. The perception that cyberattacks are a less serious form of warfare than missile strikes may be shifting as they target hospitals and become more deadly.
According to John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk, it is time to “consider these types of attacks, ransomware attacks on hospitals, as threat-to-life crimes, not financial crimes.” One of the most frequent attacks on healthcare facilities has been ransomware, in which hackers encrypt networks and demand payment to decrypt them.
Some hospital deaths can be directly linked to a cyberattack, although data are difficult to obtain because of the range of contributing circumstances and because deaths may occur weeks or months after a treatment disruption.
According to a 2021 study by Proofpoint and the Ponemon Institute that polled more than 600 healthcare facilities, fatality rates rose at 25% of them after a ransomware attack. A ransomware attack in 2020 resulted in the closure of an emergency department at a hospital in Düsseldorf, Germany, and the death of a patient in an ambulance while it was being diverted to another facility. Following the death of her newborn child in 2020, a woman filed a lawsuit against an Alabama hospital, claiming that due to a cyberattack on the facility, doctors had neglected to do crucial prenatal testing, causing the baby to be born with the cord wrapped around its neck. She claimed that as a result, the baby had brain damage and passed away a few months later.
Additionally, the frequency of these cyberattacks has been rising.
In terms of the number of cyberattacks against U.S. health care and the quantity of sensitive patient information that has been either stolen or compromised by these foreign-based cyber enemies, 2022 unfortunately appears to be another record year, according to Riggi.
Most cyberattacks in the U.S. still do the most immediate harm to firms’ profits or people’s data, which hackers frequently steal. However, the government has also identified 16 sectors of “critical infrastructure,” including health care, where a computer strike might seriously impede civilian services.
The Biden administration does not intend to stand by and do nothing, and hospital cybersecurity is going to be a top concern for it in the coming year. According to a senior administration official who requested anonymity in order to provide more information, this might entail issuing executive orders requiring specific health care cybersecurity standards or assisting with legislative initiatives on the subject.
“Hospitals are a relatively niche industry. We are deeply concerned about that,” the official declared.
In an interview, Nitin Natarajan, the deputy head of the Cybersecurity and Infrastructure Security Agency, cautioned that over the coming years and “as time goes on,” hospitals will need to focus more and more on cybersecurity.
It is obvious that hospital attacks have seriously impacted patient care, even in the absence of data linking hackers to deaths. The personal information of over 600,000 patients, including electronic medical records, was compromised in a 2022 attack on CommonSpirit Health, the second-largest non-profit health system in the country. One child is said to have unintentionally received five times the recommended dosage of medication as a result. Three hospitals in New York were attacked in November, forcing doctors to use paper records and causing delays in patient treatment.
The average cyberattack on a health care system prevents patients from receiving care for 19 days, according to research from the CyberPeace Institute. In one instance, a cyberattack caused a four-month interruption in medical services.
Mandiant Consulting is currently helping several hospitals recover from cyberattacks, according to Charles Carmakal, the firm’s chief technology officer. The recovery of the companies’ IT systems and the restoration of normal caregiving activities, he said, “frequently takes weeks.”
The issue is widespread. Last year, a ransomware attack on Ireland’s healthcare agency disrupted patient services for months, including the cancellation of Covid-19 vaccinations, pregnancy visits, and cancer treatment appointments. And earlier this month, after its phone and computer systems were encrypted, a hospital in the suburbs of Paris was compelled to move neonatal and intensive care patients to other institutions.
And it’s a dynamic that might be at play as the United States and its allies attempt to determine how to balance cyberattacks in armed conflict.
Following Russia’s invasion of Ukraine earlier this year, there were concerns that Moscow might carry out destructive cyberattacks against Ukraine and surrounding NATO nations. That might activate NATO’s Article Five provision, which specifies that an attack on one member is deemed an attack on all members. Although a cyberattack hasn’t yet led to this clause being invoked, an attack on a hospital that resulted in fatalities or severe human suffering may certainly support it.