Features 30.03.2023

Healthcare Held to Ransom: Not What the Doctor Ordered

Kate O’Flaherty explores why cyber attacks on healthcare organisations are on the rise and makes a diagnosis for a sector under constant attack

Two-thirds of healthcare organisations were hit by ransomware in 2021. That’s an utterly staggering statistic.

Six years ago, in May 2017, one of the most significant cyber attacks in recent history hit the NHS, crippling the UK’s national health service after taking advantage of outdated Windows operating systems. Perpetrated by North Korea and named WannaCry, the ransomware worm took 70,000 medical machines offline, resulted in more than 19,000 cancelled surgeries, tests and appointments and caused one-third of NHS hospitals to close. It was industry-defining.

Three years later, in 2020, ransomware hit healthcare hard again, this time at the Düsseldorf University Hospital in Germany. The cyber attack was so devastating that patients had to be transported to another hospital, ultimately resulting in the death of a patient.

Cyber attacks on healthcare are a problem that’s getting worse, with ransomware posing the biggest threat. Two-thirds (66%) of healthcare organisations were hit by ransomware in 2021, a dramatic increase from 34% in 2020, according to a 2022 report from cybersecurity firm Sophos.

Why is the health sector particularly vulnerable? First, there’s the fact that it handles sensitive data, which is extremely valuable to cyber criminals. Then mix in its complexity, lack of resourcing and limited budgets that leave the sector unable to invest in crucial cybersecurity measures. In addition, outdated operating systems are a common finding, while patches can be hard to apply to the critical networks and devices used in healthcare environments.

At the same time, technological change has yet to help fuel robust security in healthcare. In many ways, the sector is “a victim of its own digital transformation success,” says Dr Saif F Abed, founding partner and director of cybersecurity advisory services at The AbedGraham Group.

“The move away from paper medical charts to connected medical devices and clinical decision support systems has revolutionised how clinicians deliver care. However, this has happened without the same investment in understanding the risks of dependence on digital systems and what it means when your supply chain fails,” Abed adds.


According to Bharat Mistry, technical director at Trend Micro, most hospitals have a sprawling IT environment mixing digital and legacy technology. This can create major headaches when managing and securing infrastructure, he says.

Life support

Unsecured medical devices are an easy entry point for attackers. “They’re often not designed with security in mind, and what they do have is difficult to maintain,” says David Horton, a cybersecurity expert at PA Consulting. “This leads to them being unmaintained, and they become easy targets.”

The situation worsens because critical equipment such as drug infusion pumps and MRI scanners can’t easily be taken offline to test patches. “In many cases, they’re running on end-of-life operating systems because newer versions won’t support the equipment,” says Mistry.

If you think things can’t get much worse, think again, because some internet of things (IoT) devices’ endpoints are too small to install security software on.

And then there’s the issue of (lack of) staff awareness, which makes insider threats a “particularly big problem”, says Emily McMeeking, cybersecurity solutions and services manager at consultancy BSS. “A lot of the NHS, for example, is still reliant on paper documentation, and there is more room for mistakes when it comes to the security of physical data.”

Meanwhile, UK public sector healthcare has a compartmentalised structure, which leaves each department deciding how it responds to different threats. “This naturally leads to inefficiencies, increased risk and higher costs,” says Horton, painting a bleak picture.

A cyber tumour

While multiple types of cyber assaults are hitting healthcare, ransomware has become the mainstay, says Abed. “Attacks are perpetrated by organised crime gangs, striking directly or by offering their capabilities to other cyber criminals through ransomware as a service model. These criminals are often harboured in nations that will turn a blind eye to their activities or extradition requests.”

Ransomware is a popular attack method because it causes maximum disruption and can threaten patient safety, increasing the likelihood of a fast payout. “Withholding large amounts of personal data is an attractive commodity for threat actors to sell on dark web markets, allowing a gateway for longer-term attacks through blackmail and fraud,” says Trevor Dearing, director of critical infrastructure solutions at Illumio.


Another type of attack hitting healthcare is distributed denial of service (DDoS), used by politically motivated groups such as the Russia-linked Killnet. If DDoS means little more than acronym soup to you, let us explain it. A DDoS attack is when an attacker floods a website with traffic, leaving it unable to work properly or knocking it offline altogether. “State-backed groups with a lesser financial motivation are providing a new set of worries for healthcare,” Dearing adds.

Targeted attacks tend to be sophisticated and motivated by an interest in a particular patient. Alternatively, attackers could be attracted by information the organisation has shared, suggesting that they will make a good target, says Will Richmond-Coggan, a data breach litigation specialist in the life sciences sector at law firm Freeths.

“There is also the suggestion that some state-sponsored actors will target healthcare providers as part of a wider disruption campaign or to discredit medical testing and research.”

A prescription

Attacks on healthcare are not going to go away, but there are steps organisations can take to protect themselves. As part of this, a people, process and technology approach is essential, says Abed. “Understand the risk profile of information assets. An outcome-focused gap analysis assessment – driven by patient safety – is an excellent basis for understanding how to prevent incidents and minimise their impact.”

Investment in cybersecurity will also help prevent damaging attacks, says Horton. “This must be intelligence and risk driven, focusing on the areas within the organisation that would gain the biggest benefit.”

Cyber incident exercising can help organisations establish how resilient they are to attack and gives them the chance to practise their response in a safe environment. Meanwhile, healthcare organisations must educate staff on online risks, says Horton. “This is to influence behaviour, focusing on actions users can engage in to mitigate threats and vulnerabilities.”

At the same time, regular patching of all key systems and devices is essential, says Richmond-Coggan. “Beyond that, it does come down to how much budget the organisation has to employ cybersecurity specialists and to deploy tools appropriate to the environment and the types of data being protected.”

Yet as the risk grows, organisations need to understand that cybersecurity is not a “one-and-done” activity, says McMeeking. “Regular risk assessments and backups of critical data are integral to enable organisations to implement remediations and mitigate risk, as well as to prevent data loss in the event of a cyber attack.”

Public vs Private: Are both healthcare sectors under the same attack level?

Cyber attacks are hitting all healthcare organisations, but is there a difference between the public and private sectors? While healthcare organisations face similar risks, the public sector is under greater pressure to cut costs and drive efficiencies. This will no doubt result in differences (and by differences, we mean limitations) in the level of cybersecurity resources available to those in the public sector, which could introduce more vulnerabilities.

“Hospitals, in particular, are being driven to be more efficient in the way they deliver services, and a growing number of devices are becoming interconnected,” says Dearing. “IT and operational technology are converging as MRI scanners connect to the network, introducing more risks.”

There are also differences in the type and motivation of attacks hitting the public and private sectors, McMeeking says. “Private healthcare organisations can be targeted for financial gain, as they often have access to valuable personal and financial information. On the other hand, public sector healthcare organisations could be targeted by state-sponsored actors seeking to steal sensitive medical data or disrupt critical infrastructure.”
