By Chuck Brooks And Dr. Alessio Pecorario
The digital environment of health administration, clinics, hospitals, and patients has grown more vulnerable as medical treatment becomes more networked and connected via computers and devices.
According to projections, healthcare cyberattacks will have an impact on over 100 million people in 2023. Attacks aren’t necessarily more frequent than they have been in recent years. However, according to John Riggi, national advisor for cybersecurity for the American Hospital Association, the attacks have caused greater harm and impacted a larger number of people. In 2023, about 100 million people were impacted by healthcare hacks Healthcare cyberattacks have affected more than 100 million people in 2023 (chiefhealthcareexecutive.com)
Given that many hospitals and other healthcare facilities are hesitant to report breaches, particularly if they have paid for ransomware, the number may even be higher.
A ransomware attack recently compelled Ann & Robert H. Lurie Children’s Hospital in Chicago to shut down its email, phone, and medical record systems. More than 220,000 patients are treated annually at Lurie Children’s Hospital, which discovered a breach in its systems on January 31, 2024. The hospital has confirmed that “a known threat actor” obtained access to its systems, but it has not yet disclosed whether ransomware was used or the extent of the data breach.
Also, last December, the ALPHV/BlackCat ransomware group attacked Optum, a UnitedHealth Group (UHG) affiliate. This disruption affected pharmacy transactions nationwide as well as the Change Healthcare platform. they stole 6TB of Change Healthcare’s sensitive data, including:
- Personally identifiable information (PII) belonging to US military/navy personnel
- Medical records
- Dental records
- Payments information
- Claims information
- Patients’ PII including phone numbers, addresses, Social Security numbers, emails, etc.
- 3000+ source code files for Change Healthcare solutions
- and Insurance records
Source: ALPHV/BlackCat threatens to leak data stolen in Change Healthcare cyberattack – Help Net Security
What Makes Healthcare the Target of Cybercrime?
The focus on healthcare by criminal hackers is not unexpected. The digital environment of health administration, clinics, hospitals, and patients has grown more vulnerable as medical treatment becomes more networked and connected via computers and gadgets.
Undoubtedly, Covid-19 and the corresponding rise in staff working remotely have increased cyberattacks targeting the healthcare sector. Hackers exploited an open and disjointed ecosystem due to increased connections, endpoints, and less focused protection. More complex cyberattacks are happening as artificial intelligence continues to grow in 2023 and is increasingly being used in the healthcare industry.
Numerous aspects of the cybersecurity healthcare landscape need to be protected. These include patient privacy protection, medical equipment and device security, and information security networks of hospitals and medical facilities. These components are linked together by networks that have been set up and software programs that enable data exchange. The cornerstones of the healthcare cybersecurity transition are people, procedures, and technology, just like in most other businesses in our rapidly developing digital era.
What Do Cybercriminals Aim to Target?
Healthcare cybersecurity is facing challenges due to the growing dependence on medical devices, including ransomware attacks. “More than half of internet-connected devices used in hospitals have a vulnerability that could put patient safety, confidential data, or the usability of a device at risk,” claims the business Cynerio in their research The State of Healthcare IoT Device Security 2022. 61e70fd9286e1d6d68a86ba8_A Cynerio Report – The State of IoMT Device Security 2022.pdf (webflow.com).
Equipment, including respirators, pumps, monitors, electrocardiograms, lasers, medical applications, and diagnostic imaging systems, are examples of medical equipment. A large number of the equipment, such as IVs and medical infusion pumps, is wireless and uses open airways to transmit data and update software. This creates the opportunity for remote exploits of threat vectors. Due to these dangers, the Food and Drug Administration recently appointed Kevin Fu as the first Acting Director of Medical Device Cybersecurity in the agency’s Center for Devices and Radiological Health.
While many healthcare facilities are moving to the clouds and experiencing digital transformation, they have not yet prepared for the cyber dangers that they will face throughout their operations. According to an AT&T Cybersecurity Insight Report from 2022, edge and cloud assets are becoming more and more critical to healthcare concerns. They discovered that the cyberthreats that most concerned 63.8% of healthcare firms were attacks on servers or data at the network edge. Furthermore, according to 63.4% of healthcare organizations, attacks on related cloud workloads rank among the most dangerous ones that could happen in the future. Healthcare Is the Main Topic of the AT&T Cybersecurity Insights Report | AT&T Cybersecurity Insights Report: A Focus on Healthcare | AT&T Cybersecurity (att.com).
Hackers also like to attack healthcare records in addition to networks and devices. Healthcare stakeholders place the highest premium on protecting patient privacy. Legislators and federal agencies periodically assess HIPAA compliance as well as other regulatory security procedures. The HIPAA Security Rule directs the privacy and security protocols for Electronic Health Records (HER). The Security Rule establishes federal guidelines for implementing technological and physical security measures to preserve the availability, confidentiality, and integrity of electronically protected health information.
A proposed update to NIST’s Special Publication 800-66r1, which serves as a cybersecurity guidance for healthcare providers, was just released. Their document tries to promote awareness of the security requirements 371 contained in the HIPAA Security Rule and includes extended recommendations on risk assessments and risk management. NIST SP 800-66r2 initial public draft, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide.
The fact that the majority of healthcare facilities place other financial priorities ahead of cybersecurity, such as acquiring the newest medical and hospital technologies, is particularly noteworthy in explaining the rise in targeted cyberattacks. Hospital administrators have historically considered cybersecurity to be a low-priority item. However, with the epidemic of ransomware attacks and hacks that have occurred since COVID, cybersecurity is now a top priority, and all institutions are investing in cybersecurity technologies, managed security, and cyber expertise.
The Preferred Attack Method: Ransomware
Criminal hackers view healthcare facilities as approachable targets where they can reap immediate financial rewards. Hackers may steal medical records that have resale value on the Dark Web. When it comes to attacks on the healthcare business, several criminal hacking groups have made ransomware extortion their technique of choice. The rationale for this has been the high probability that hospital administrators may use ransom payments to regain operational control over their facilities, thereby lowering liability and endangering patient safety. In addition to wanting to safeguard their reputations, hospitals and other healthcare facilities also prefer to keep cybersecurity problems private.
34% of healthcare businesses worldwide reported having experienced ransomware attacks in the previous year, according to a survey by the company Sophos conducted between January and February 2021. Additionally, their poll revealed that the most frequent reason (57%) given by the 63% of healthcare businesses that were not affected by ransomware but anticipate being in the future is that other healthcare-related firms have already been targeted. According to 55% of respondents, the sophistication of ransomware attacks is making them harder to halt. sophos-state-of-ransomware-in-healthcare-2021-wp.pdf.
The Healthcare Tech Ecosystem through the Lenses of the Integral Cybersecurity Paradigm
As stated by Stephane Dugin, CEO of the Cyber Peace Institute, at the WEF in 221, “A cyberattack on healthcare is more than an attack on computers. It is an attack on vulnerable people and the people who are involved in their care”. The healthcare system is paramount to human dignity. It’s hard to imagine anything more cynical than holding a hospital to ransom, but as we have just seen, that is exactly what’s happening with growing frequency and sophistication.
Improving risk management, increasing investment in cybersecurity to secure infrastructure, practicing good cyber hygiene, and all the other measures we have suggested so far should be part of a broader, integral approach to cybersecurity, which is more urgent and relevant than ever before. For the purpose of this publication, this means connecting the safety of the healthcare system to the whole human person, not just his/her material and physical dimension. Within the human quest for health, therefore, we need to address all the relational dimensions of the person, with oneself, the other human beings and society as a whole. Secondly, any technical response is ultimately too big for individual organizations to solve alone. Governments must take proactive steps to protect the healthcare sector. They must raise the capacity of their national law enforcement agencies and judiciary to act in the event of extraterritorial cases so that threat actors are held to account. This requires political will and international cooperation of governments, including for investigation and prosecution of threat actors.
As we have suggested in previous publications, as it happens in the case of the oceans, the outer space, the cultural patrimonies, etc., cyberspace needs to be understood as a common good —by definition, a global network— whose protection necessitates transnational dialogue, concerted actions and a global regulatory framework. If we consider our natural environment as a collective home, shared by everyone, to be protected for the benefit of the whole of humanity, then the preservation of this common good, and all its natural resources, is a vital necessity and very often also a condition for peace. From this, it must necessarily follow that we should consider the artificial environment that technology has similarly developed in the modern age.
Cybersecurity in Healthcare and Risk Management
Like most cybersecurity components, risk management—which includes using both business and government leadership in addition to technology—is the key to safeguarding hospitals and healthcare institutions. The Department of Homeland Security has designated healthcare as vital infrastructure, meaning that industry standards and protections must be in place to defend it.
Healthcare companies begin the process of protecting sensitive data by putting intrusion detection and response capabilities in place, doing frequent security assessments and penetration testing, and so on. These procedures can also be used to detect possible insider threats and lessen the impact of bot attacks and incorrect IT configurations.
Hospitals and other healthcare facilities should follow the advice of NIST and other risk management advisory bodies and practice good cyber hygiene, which includes multifactor authentication and staff training. They should also use multilayer security, multiple firewalls, and real-time monitoring of their networked systems. It’s also advised that medical gadgets be encrypted to lower security hazards. Hospitals and other healthcare facilities ought to have backup, recovery, and continuity plans in place. The dangers are too great to ignore the need for a comprehensive strategy in holistic cybersecurity.
In summary, healthcare is a vital resource for people and the global economy, and it plays a crucial role in our general health and final demise. Investments must be made to fortify the cybersecurity of all these health-related businesses against potential cyberattacks, as we are all at risk. Increases in these investments are both urgent and warranted.
About the Authors:
Chuck Brooks serves as President and Consultant of Brooks Consulting International with over 25 years of experience in cybersecurity, emerging technologies, marketing, business development, and government relations. Chuck also serves as an Adjunct Professor at Georgetown University in the Cyber Risk Management Program, where he teaches graduate courses on risk management, homeland security, and cybersecurity. Chuck was named the top cybersecurity expert to follow on social media, and also as one top cybersecurity leaders for 2024. He has also been named “Cybersecurity Person of the Year” by Cyber Express, Cybersecurity Marketer of the Year, and a “Top 5 Tech Person to Follow” by LinkedIn” where he has 116,000 followers on his profile. In his career, Chuck has received presidential appointments for executive service by two U.S. presidents and served as the first Director of Legislative Affairs at the DHS Science & Technology Directorate. He has also served in executive roles for companies such as General Dynamics, Rapiscan, and Xerox. Chuck has an MA from the University of Chicago, a BA from DePauw University, and a certificate in International Law from The Hague Academy of International Law.
Alessio Pecorario is a Vatican Official, cybersecurity, and new technologies expert. Alessio’s passions and skills are at the service of human dignity and the planet, with integral human development in the digital age as a foundation. As a PhD in constitutional comparative law, he has over 15 years of experience in sensitive roles in European and Vatican Institutions, including the coordination of the Security Task Force, within the Vatican Covid-19 Commission (VCC). Alessio Pecorario’s field of expertise is very rich and diversified, covering several domains of political science, with a specific focus on new technologies and internationally related security issues (especially cyber). Besides, in all his activities, Dr. Pecorario tries to foster a proper ecumenical, interreligious, and intercultural approach, in collaboration with numerous partners from other faith traditions and secular contexts. Alessio is part of Astana Club the Minerva Dialogues, an assembly that brings together experts from the world of technology – scientists, engineers, business leaders, lawyers, and philosophers – of Silicon Valley and representatives of the Church – curial officials, theologians, and ethicists – to study and foster greater awareness of the social and cultural impact of digital technologies, particularly artificial intelligence.
Read the full article here