U.S. Hospital Cybersecurity is in Critical Condition

The U.S. healthcare sector’s fragile cybersecurity infrastructure continually suffers from cyberattacks that threaten safe healthcare delivery. In 2020, the first patient death attributed to a ransomware attack occurred (6, 8). Cyberattacks are widespread and frequent; specifically, ransomware attacks increased 102% in 2021 for an average of 1,000 attacks on healthcare entities per week (2). The frequency of attacks has only increased since then; a single healthcare entity currently averages 109 attempted ransomware attacks per week (9). Perhaps even more concerning is the inability to detect these cyberattacks. With their cybersecurity infrastructure crumbling, healthcare entities on average detect attacks 29 days later than organizations in the wider economy, if they even detect them at all (9). In a world that runs on data, increased cybersecurity initiatives for the healthcare sector saves human lives.

WHY THE HEALTHCARE SECTOR IS TARGETED

Healthcare entities are ideal targets for ransomware attacks due to their financially profitable patient data. Patient data typically comprises protected health information (PHI), financial information, personally identifiable information (PII) such as social security numbers, and healthcare intellectual property. Due to its protected status and potential for harm (such as insurance fraud), patient data earns greater profits than other forms of stolen data. Cyber thieves may barter between $10 and $1,000 per health record (2).

Additionally, healthcare entities are primary targets because of weaknesses in their data storage techniques. The HITECH Act passed in 2009 increased patient data accessibility by requiring Electronic Health Record (EHR) storage. This shift in data storage was intended to standardize and boost connectivity between siloed healthcare entities (1). While the increased accessibility of primary patient data reduces pain points in healthcare delivery, it also creates cybersecurity weak points (9). For example, prescription pill data is easily accessible by providers, patients, and medication distributors to ensure timely prescription refills and prescription adherence. Due to its accessibility in multiple healthcare entities, malicious actors have greater points of entry. Additionally, the digitization of medical devices creates an attractive target for hackers to collect data or directly harm patients. An insulin pump with WiFi-connectivity is able to be hacked and disabled remotely and utilized as leverage during ransomware attacks. Patients are typically measured by 10-15 medical devices per hospital visit, enabling a multitude of ransomware-viable pathways arise. With these significant vulnerabilities and great profits in mind, ransomware attacks can only be expected to increase.

EFFECTS ON HEALTHCARE DELIVERY

In a traditional extortion scenario, ransomware actors steal data from an entity and threaten to leak the information unless a payment is received (2). In a healthcare sector context, these extortion scenarios have ripple effects: the patients and medical professionals from which the data was collected are also threatened (2, 9). As a result, these ransomware attacks indirectly demand payment from all three main stakeholders, effectively tripling profits per successful attack (2). Ransomware actors are bolstering profits by tying more stakeholders to their attacks.

Ransomware attacks debilitate the financial and personal security of healthcare entities, medical professionals, and patients (3). Even though two out of three healthcare entities do not pay ransom (10), millions of dollars can still be lost from lack of revenue, as ransomware attacks disrupt care delivery and safety, forcing an indefinite stall on health services. Healthcare entities had an estimated $21 billion in lost revenue and ransomware payments in 2021 (10). As burdensome as this price tag is, the cost to life is even more severe. One in five healthcare ransomware victims experience greater patient mortality rates and 70% face delays in procedures and test results following a ransomware attack (8).

INABILITY TO ADDRESS THE ISSUE

Despite the imminent threat of attacks, the healthcare industry in the U.S. continues to lag behind other industries in terms of cybersecurity (9). The financial industry continues to outpace the healthcare sector in investments, regulations, and fines based on cybersecurity quality. For example, financial institutions must comply with global cybersecurity regulations set by the Payment Card Industry Data Security Standard (PCI DSS) or face hefty fines (9). Meanwhile, the healthcare industry and its regulators have woefully ignored cybersecurity despite warnings from the Cybersecurity and Infrastructure Industry Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) (3).  This is partially due to hospital burdens amid the COVID-19 pandemic distracting from the urgent need for comprehensive cybersecurity (7, 9). In addition, cybersecurity capabilities are not as marketable to the public as new, digitized medical devices (2, 7). As a result, a mere 5% of hospital profit is reserved for IT while a majority is geared toward medical device acquisition (2). This market trend inadvertently widens the attack surface for hackers while lowering cybersecurity protections over time (2, 10).

The implementation challenges of cybersecurity programs further derail data protection efforts. Extensive protocols require consistent upkeep by a dedicated team of IT professionals (2). The required capabilities and manpower for a cybersecurity overhaul is infeasible under current tight and stagnant hospital IT budgets (2, 7, 9, 10).

STEPS MOVING FORWARD

The cybersecurity threat to U.S. healthcare entities is growing. As such, healthcare entities must recognize the financial and health risks associated with successful cyberattacks greatly outweigh the difficulty of increased investment in cybersecurity. Investments in hospital IT specialists trained in cybersecurity will allow greater human surveillance of any potential gaps in protection as well as educate hospital staff on cyber best practices. Hospitals need to look towards new solutions (e.g., matched financing models partnered with the state and federal government) to fund cybersecurity efforts (9).  

The Hippocratic oath of “do no harm” must not only apply to physical patient care, but also to digital information care and protections. It may be too late to protect the patients, hospital staff, and other parties already affected by cyberattacks, but proactive investments can and will prevent future harm.

Works Cited

1. (OCR), Office for Civil Rights. “Hitech Act Enforcement Interim Final Rule.” HHS.gov, 28 June 2021, https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html.
2. Davis, Jessica. “Ransomware Keeps Healthcare in Crosshairs, Triple Extortion Emerges.” HealthITSecurity, HealthITSecurity, 14 May 2021, https://healthitsecurity.com/news/ransomware-attacks-surge-102-in-2021-as-triple-extortion-emerges.
3. FBI, et al. “Alert (AA20-302A).” CISA, 2 Nov. 2020, https://www.cisa.gov/uscert/ncas/alerts/aa20-302a.
4. Fuglesten Biniek, Jeannie, and Karyn Schwartz. “Limiting Private Insurance Reimbursement to Medicare Rates Would Reduce Health Spending by about $350 Billion in 2021 - Issue Brief.” KFF, 13 Apr. 2021, https://www.kff.org/report-section/limiting-private-insurance-reimbursement-to-medicare-rates-would-reduce-health-spending-by-about-350-billion-in-2021-issue-brief/.
5. Kornreich, Edward. “New Opportunities for Value-Based Care with HHS Finalization of Stark Law, Anti-Kickback Statute, and Civil Monetary Penalties Law Reforms.” The National Law Review, https://www.natlawreview.com/article/new-opportunities-value-based-care-hhs-finalization-stark-law-anti-kickback-statute.
6. Ralston, William. “The Untold Story of a Cyberattack, a Hospital and a Dying Woman.” WIRED UK, 11 Nov. 2020, https://www.wired.co.uk/article/ransomware-hospital-death-germany.
7. Riggi, John. “Why & How to Incorporate Cyber Risk Management into Enterprise Risk Management: Cybersecurity: Center: AHA.” American Hospital Association, 2021, https://www.aha.org/center/cybersecurity-and-risk-advisory-services/why-how-incorporate-cyber-risk-management-enterprise-risk-management.
8. Sabin, Sam. “Hospital Ransomware Attacks Now Have Deadly Consequences.” POLITICO, 4 Oct. 2021, https://www.politico.com/newsletters/weekly-cybersecurity/2021/10/04/hospital-ransomware-attacks-now-have-deadly-consequences-798002.
9. Skahill, Emily, and Darrell M. West. “Why Hospitals and Healthcare Organizations Need to Take Cyber Security More Seriously.” Brookings, Brookings, 9 Aug. 2021, https://www.brookings.edu/blog/techtank/2021/08/09/why-hospitals-and-healthcare-organizations-need-to-take-cybersecurity-more-seriously/.
10. Weiner, Stacy. “The Growing Threat of Ransomware Attacks on Hospitals.” AAMC, 20 July 2021, https://www.aamc.org/news-insights/growing-threat-ransomware-attacks-hospitals.