Healthcare has emerged as a prime target for cybercriminals, with recent attacks posing immense threats to patient care, safety, and data security. Several notable incidents have disrupted critical operations, compromised highly sensitive information, and cost healthcare organizations millions of dollars in remediation efforts. This blog examines several high-profile attacks against healthcare organizations and provides recommendations for bolstering defenses.
Recent Cyberattacks on Healthcare
In February 2024, Lurie Children's Hospital in Chicago identified a cybersecurity incident and suffered an outage that persisted for over a week. With systems offline, medical teams could not access electronic health records, prescription information, or medical histories for patients. Scheduling appointments also became difficult without functional databases. While details were limited, the hospital confirmed it was working with law enforcement and third-party forensic experts to investigate the attack's origin and impact.
Meanwhile, a ransomware attack on Change Healthcare, a major provider of health IT and revenue cycle management services, impacted over 31,000 medical facilities nationwide. According to the American Medical Association (AMA), the Change Healthcare hack cost providers over $100 million daily in lost revenue given the disruption to administrative and care coordination capabilities. The outage prevented electronic prescriptions, stalled insurance claim submissions, and caused appointment delays.
Evidence later revealed the Russia-based ransomware group ALPHV (also known as BlackCat) orchestrated the Change Healthcare attack and received a $22 million payment. This represents one of the largest ransoms on record paid by a healthcare organization. The AMA urged the Department of Health and Human Services (HHS) to provide emergency aid and regulatory flexibility to help physicians continue serving patients amidst the outage.
Broader Impacts on Healthcare Delivery
These attacks had devastating consequences that extended far beyond the victim organizations. With records made inaccessible, care coordination suffered as doctors could not access medical histories, allergy information, or prescription details. Pharmacies were unable to fill prescriptions, preventing patients from obtaining needed medications.
Appointments and procedures were delayed or canceled entirely. Some hospitals had to reroute ambulances during the outages. Furthermore, communication channels between specialists, primary care physicians, and patients were severed, compromising care quality and patient safety.
On the financial side, temporary shutdowns led to massive revenue losses in affected hospitals and clinics. This is especially challenging for smaller community providers with more limited budgets. According to analysts, hospitals may require months to recover from large-scale attacks.
Ongoing Cybersecurity Challenges for Healthcare
While healthcare faces increasing digitization of patient data and operations, security measures are not keeping pace with the level of risk. Despite expanding threats, healthcare systems often lack resources to adequately invest in security tools, ongoing training, and incident response plans. Attempts to balance accessibility of records with privacy and compliance needs also pose challenges.
The highly sensitive nature of patient health data makes it particularly lucrative for attackers. Stolen records can fetch high prices on the dark web and be used for insurance fraud or identity theft. There are also concerns about cybercriminals directly threatening patient lives by tampering with records or treatment instructions.
With third parties like IT vendors acting as conduits, the cybersecurity posture of every organization in the healthcare supply chain matters. The Change Healthcare example demonstrates how a breach of even one vendor can unleash chaos industry-wide. (See our recent blog for more on the cybersecurity challenges in healthcare.)
Recommendations for Improving Healthcare Cybersecurity
To strengthen defenses against growing and evolving threats, we recommend that healthcare organizations:
- Conduct comprehensive risk assessments to identify security gaps in systems, processes, vendor networks, etc.
- Implement 24/7 monitoring, encryption, endpoint detection, and access controls to better prevent, detect, and halt attacks.
- Mandate cybersecurity training for all staff - from executives to nurses - to raise awareness and prevent issues like phishing.
- Develop and test incident response plans to contain damages and restore operations faster after attacks.
- Ensure backup systems and contingency plans are in place to maintain continuity of care if systems go down.
- Work closely with IT vendors, business associates, and business partners to verify their cybersecurity measures are robust.
Increased collaboration and information sharing between healthcare providers, public health agencies, law enforcement, and cybersecurity experts will also help combat systemic threats proactively.
The recent spike in disruptive attacks shows cybersecurity requires urgent and sustained attention from the healthcare sector. Organizations that take a proactive stance will be better positioned to safeguard data integrity, reduce damages, and ensure patient safety if hackers strike.
Author: Kelechi Onyedebelu, Principal Lead Consultant
First Published: 03/06/2024