In This Story
Cybersecurity attacks against the health care industry are rapidly increasing and taking a toll both financially on hospitals and on patient health, according to a new report by Microsoft (MSFT-0.04%).
Specifically, the industry is experiencing a costly surge in ransomware attacks, a type of software attack that blocks access to a victim’s data unless a “ransom” is paid.
The healthcare sector was one of the top 10 most impacted industries by ransomeware attacks in the second quarter this year, according to Microsoft’s threat intelligence team. Disruptions from these attacks cost the industry millions of dollars and resulted in some patients suffering worse health outcomes — in some cases fatal ones.
“A combination of valuable patient data, interconnected medical devices, and small IT/cybersecurity operations staff, which spreads resources thin, can make healthcare organizations prime targets for threat actors,” Microsoft said in its new report.
This fiscal year alone, 389 U.S. healthcare institutions were hit by ransomware, leading to network shutdowns, delays in medical procedures, long wait times, and rescheduled appointments. Overall, ransomware attacks in healthcare have surged by 300% since 2015.
According to one industry report healthcare organizations can lose up to $900,000 per day on downtime — that’s not accounting the cost to pay the ransom.
Traditionally, threat actors — what individuals or groups that target digital systems and networks are called — followed an unspoken rule to not attack healthcare organizations, however, that has changed in recent years.
“Threat actors know that every second that a hospital waits, people’s lives could potentially be lost,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told Quartz. “So there’s that urgency and that pressure where the threat actor then has leverage to potentially get a larger and quicker payday.”
Among 99 healthcare organizations that have reported both paying a ransom and the amount paid, the median payment was $1.5 million, while the average payment stood at $4.4 million.
For example, UnitedHealth Group (UNH+2.79%), the parent company of the largest health insurer in the U.S., confirmed earlier this year that it paid a ransom in relation to a cyberattack on its subsidiary Change Healthcare.
In February, the ransomware group ALPHV breached Change Healthcare, a record and payment manager, resulting in delayed prescriptions and paychecks for healthcare workers. Change processes 14 billion transactions a year, about 6% of all payment in the U.S. health care system.
Ransomware attacks’ impact on patients
Ransomware attacks not only strain the finances of healthcare organizations but also jeopardize patient health outcomes. These attacks can severely disrupt patient care, affecting not just the targeted hospitals but also nearby facilities, which may be overwhelmed by the influx of displaced emergency patients.
“When a hospital is ransomed, they can’t treat patients, but then the hospitals and the surrounding areas have to take all of the incoming patients that would have gone to the ransomed hospital,” said DeGrippo.
A study from the University of California, San Diego looked at how how a ransomware attack against four neighboring hospitals — two which were directly attacked and two that were unaffected — led to longer wait times and additional strain on time-sensitive care.
A ransomware attack led to an increase of over 35% of emergency medical services arrivals at the unaffected hospitals during an attack, according to the study. Patient volume surged 15% at these hospitals.
This added strain to the whole healthcare system in the area and also resulted in increased rates of strokes and heart attacks by 113% and 81%, respectively.
Why the healthcare industry is so vulnerable
Errol Weiss is the chief security officer of the Health-ISAC, the industry’s information sharing and analysis center. The group provides healthcare organizations with the tools to share information on cyber threats. Weiss describers it as “virtual neighborhood watch program.”
Weiss has worked in cybersecurity for over 25 years. He said that one reason health care is particularly susceptible dates back to the 1990's when the industry first started to shift to using electronic records.
“I think the focus in those organizations at the time, as they were investing in all of these electronic health record systems and moving all the data over to those platforms, on being compliant with the HIPAA regulation and ensuring those healthcare records were were kept private, but not necessarily secure and not investing in security,” said Weiss.
Since then, the industry hasn’t invested sufficiently in cybersecurity leading to under resourced teams.
DeGrippo said that a lot of times it’s an organization’s IT team that is tasked with taking on security roles, resulting in situations where teams responsible for fixing a printer or resetting a password are also expected to handle ransomware attacks.
“These staff aren’t really prepared to do big recovery from ransomware and to secure a health care organization against ransomware,” DeGrippo said.
She added that one of the most important things organizations can do to handle ransomware attacks is to understand what actions need to be taken in the event of an incident. This includes knowing who is leading the response, and knowing everyone that needs to sign off on a decision.
Weiss recommended that organizations stay up to date with software updates, backing up their data and testing those backups, as well as to make sure to use multi-factor authentication for accessing accounts remotely.
“With hospitals and healthcare being so focused on urgency, where every second counts every second could potentially mean someone’s life is lost. They need to see ransomware events in the same way,” said DeGrippo.