ENISA warns of "hacktivism" targeting healthcare and authorities

Tuesday, July 2, 2024

The European Union Agency for Cybersecurity (ENISA) analyzed cyber incidents in healthcare from January 2021 to March 2023. Out of 215 reported incidents in the EU and neighboring countries, most targeted hospitals, health authorities, and agencies. Here are the key insights from the 'ENISA Threat Landscape: Health Sector' report.

Hospitals under attack

In March 2023, a Barcelona hospital clinic faced a cyberattack, leading to the cancellation of 150 interventions and 2000-3000 external consultations. In February 2021, Dax Hospital Center in France experienced a cyberattack that halted its computer system. In April 2024, hackers published 61 GB of patients' data stolen from Simone Veil Hospital in Cannes, France. A recent cyberattack in June 2024 forced London hospitals to rearrange more than 800 planned operations and 700 outpatient appointments.

The list of similar examples of cybersecurity breaches in healthcare is getting longer. Healthcare providers around Europe are facing a new wave of cyberterrorism. After the banking sector improved its resilience against cybercrimes, hackers started focusing on other sectors. Healthcare, with its weak data security and high value of data, has quickly become an attractive target.

Most of the cybersecurity incidents are avoidable

Cyberattacks on healthcare now account for 53% of all incidents, with hospitals being targeted in 42% of cases. Healthcare organizations (14%) and the pharmaceutical industry (9%) are the next most frequent targets. Most cybercrimes have been registered in France (43), Spain (25), Germany (24) and the Netherlands (20).

The numbers speak for themselves: the COVID-19 pandemic and Russia's invasion of Ukraine have significantly increased cyberattacks on healthcare. Pro-Russian hacker groups aim not only for ransom but also to destabilize the situation in the European countries allied with Ukraine. The majority of incidents (83%) are driven by financial gain, followed by ideological motivations at 10%, with 6% of incidents classified as unintentional.

According to ENISA, "geopolitical developments and hacktivist activity increased the number of DDoS attacks against hospitals and health authorities in early 2023, reaching 9% of total incidents. This was due to a surge in DDoS attacks by pro-Russian hacktivist groups who aimed to disrupt healthcare providers and health authorities in the EU." ENISA expects this trend to continue.

However, it's ransomware that remains the primary tool for attacks in the healthcare sector, comprising 54% of all cyberattacks, followed by DDoS (Distributed Denial of Service) attacks that aim to paralyze the victim's network with fake internet traffic.

80% of healthcare organizations surveyed reported that more than 61% of incidents were related to hardware and software security vulnerabilities (such as outdated systems and lack of technical security).

Of all incidents, 43% involved data breaches or theft, and 22% aimed to disrupt healthcare services. The most frequent targets were hospitals (89 attacks out of 215 recorded between January 2021 and March 2023), healthcare organizations (30), and the pharmaceutical industry (18). Primary care facilities faced nine attacks during this period. However, considering the three largest threats—AlphV, LockBit, and Vice Society—the ratio of attacks between hospitals and clinics narrows (6:4).

The most affected assets are patient data and electronic health records (30%), non-medical IT systems and networks (28%) and Health Information Systems (23%).

40 days needed to recover from a cyberattack

Catastrophic consequences of cyberattacks include a median cost of €300,000 for a major security incident in the healthcare sector, according to the ENISA NIS Investment 2022 study. Cyberattacks also lead to sanctions and fines by government organizations and cause reputational damage. However, the most dangerous impact is the risk to patient safety, resulting in treatment delays, lack of access to critical data, and postponed operations. Cyberattacks lead to immense stress for medical and administrative staff.

In the event of a successful hacking attack, hospitals typically take an average of 40 days to restore essential organizational efficiency. Dealing with all the consequences can take several months to over a year.

Despite these risks, healthcare facilities remain inadequately protected—only 27% of surveyed organizations in the healthcare sector have a dedicated ransomware defense program and 40% lack employee cybersecurity skills programs.

How to better protect health data

Similarly, a survey by the NIS Collaborative Group shows that 95% of surveyed healthcare organizations struggle with conducting risk assessments, with less than half having performed one.

The ENISA report emphasizes the urgent need for healthcare entities to enhance cyber hygiene. Recommended actions include:

  • encrypted backups of critical data,
  • employee training programs to raise cybersecurity awareness,
  • regular vulnerability scanning to identify and remediate weaknesses before they are exploited,
  • ongoing patching of technical security vulnerabilities through system updates,
  • implementation of robust authentication methods for remote work,
  • cyber incident response plans to ensure that, in case of a cyberattack, patients won't be affected,
  • greater involvement of senior management in developing and overseeing cybersecurity strategies, especially given the NIS2 directive's introduction of top management responsibility.

ENISA predicts that attacks on data collected by digital medical devices and wearable devices (such as smartwatches) will increase in the coming years, posing additional threats to patient safety. The report's authors highlight that the actual scale of the attacks is probably much larger: cyberattacks on healthcare are underreported in many cases due to concerns about financial consequences and reputational damage.