The global COVID-19 pandemic exposed existing weaknesses in the healthcare system, including with regard to cybercrime. Unfortunately, healthcare systems are responding inadequately to data security threats, as exemplified by the most devastating cyberattacks of recent years, WannaCry and NotPetya among others.
In May 2017, WannaCry hit more than 600 UK healthcare entities, disrupting access to critical information, putting patients’ health and lives at risk, and causing tremendous stress to physicians and administrative staff. Has this global attack on healthcare changed anything? Not really – in recent years there has been no progress in the fight against cybercrime. At the same time, the scale of threats continues to grow, and the “infodemic” associated with the COVID-19 pandemic only exacerbates them.
Healthcare needs cyber peace. It needs to be free of all threats so that medical facilities can operate without disruption, i.e. without interruption in access to the data critical to patient care.
Attacks on healthcare services cause direct harm to people and pose a global health risk.
When healthcare providers are attacked, the victims are not just IT infrastructure but primarily people – healthcare workers and patients. When access to medical records and life-saving medical devices is hindered, physicians are robbed of essential work tools. Moreover, disruptions to healthcare IT systems – and dealing with their consequences – are expensive. Not to mention the psychological and social damage caused by criminals stealing private information.
Cyberattacks also undermine public trust in digitization. For fear of data leakage, many managers of healthcare providers are slowing down investment in IT.
Attacks are increasing and evolving. Hackers are exploiting loopholes in the healthcare sector’s fragile digital infrastructure and weaknesses in the cybersecurity system.
The methods used to attack healthcare are expanding. The COVID-19 pandemic has given rise to new incidents: vaccine research centres have become victims of cyber spying; hackers are demanding ransoms from hospitals to unlock IT systems, which – with people’s lives at stake – often choose to pay the price; health professionals and international health organizations are the target of disinformation campaigns and cyberattacks, aimed at undermining their credibility. As statistics show, the number of data breaches in the healthcare sector increased significantly in 2020.
Hackers take advantage of vulnerable, sometimes outdated digital infrastructure. They know that healthcare facilities have limited budgets to secure data – finding security loopholes is much easier than it is in financial institutions.
Cybersecurity in healthcare services is underfunded. As a result, only large healthcare providers have implemented high-quality cybersecurity systems and procedures. Unfortunately, most providers suffer from a chronic lack of resources to secure infrastructure, train staff, and hire and retain cybersecurity personnel.
Attacks on the healthcare sector are low-risk, high-reward crimes, and hackers often go unpunished.
Attacks on the healthcare sector are a lucrative, global business, whether they aim to extort ransom from healthcare providers, steal medical records and intellectual property, or undermine public trust. Because healthcare organizations are the “gatekeepers” of highly sensitive information, the health sector is a highly profitable target for cybercriminals.
Attacks on healthcare services are rarely reported to security authorities. Many organizations do not know how to proceed as they do not have adequate procedures for cybersecurity. In addition, fear of criminal or reputational liability makes it even harder to report security incidents, as does a lack of confidence that criminals will be caught and punished.
Facilities do not make full use of legal instruments and existing assistance initiatives.
Many providers are unaware of what assistance measures they can use, either those that can prevent attacks or those offered in the event of data leakage. Likewise, patients are not aware of their rights.
When a data breach does happen, medical facilities often decide to hide it rather than seek support. This is often due to the fear that specific individuals will be blamed for gaps in security procedures that should have been implemented and enforced. At the same time, many providers still have not adopted existing recommendations or frameworks, such as the GDPR.
What needs to be done to strengthen the resistance of the healthcare system to cyberattacks?
Although threats from cybercriminals are steadily increasing, the healthcare system is not powerless against them. Following the WannaCry attacks of 2017, the UK decided to invest £150 million in the IT security of the National Health Service (NHS). Health providers need financial support to develop their infrastructure and strengthen the digital literacy of their staff. Equally important, national governments should consistently prosecute cybercriminals.
The report “Playing with Lives: Cyberattacks on Healthcare are Attacks on People” makes recommendations such as:
- Detailed documentation of attacks and analysis of their impact on individual providers, including the overall societal impact.
- Improving the preparedness and resistance of the healthcare sector to cyberattacks by:
  - investing in cybersecurity infrastructure,
  - investing in the development of the digital skills of the healthcare workforce,
  - developing and implementing security procedures and reviewing them systematically.
- Improving the preparedness of the healthcare system to counter attacks through:
  - implementing technical and legal instruments,
  - developing cybersecurity guidelines for healthcare facilities,
  - setting budgets for ensuring data protection,
  - running information campaigns,
  - international cooperation and exchange of experience.
- Prosecuting healthcare cybercrimes and holding hackers accountable, which requires efficient global cooperation.
- Creating a code of good practice for designing healthcare IT and administrative systems that takes into account the principles of “data protection by design” and “by default.” IT systems should, for example, require that every access to data be authorized, define levels of access rights to specific data, block activities that may expose data to leakage, and enforce systematic data archiving. Anti-virus software should be regularly updated; employees must stay informed about possible attacks and be made aware of the tools used by cybercriminals.
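As an added illustration of the “data protection by design and by default” principles in the last recommendation (this is example code, not material from the report; the roles, field names and sample patient record are constructed assumptions), the following Python sketch requires an authorization decision on every access, defines per-field access levels by role, blocks bulk export by default, and writes every decision to an audit log so that incidents can later be documented:

```python
"""Default-deny access control for a patient record (added example).

Roles, sensitivity classes and the sample record are constructed for
illustration; nothing here is taken from the report or a real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Action(Enum):
    READ = "read"
    WRITE = "write"
    EXPORT = "export"  # bulk export is the activity most likely to leak data


# Sensitivity classes of the fields in a record (constructed).
CLINICAL = frozenset({"diagnosis", "medications", "lab_results"})
MENTAL_HEALTH = frozenset({"psychiatric_notes"})
ADMIN = frozenset({"name", "date_of_birth", "insurance_id"})
ALL_FIELDS = CLINICAL | MENTAL_HEALTH | ADMIN


@dataclass(frozen=True)
class Grant:
    fields: FrozenSet[str]
    actions: FrozenSet[Action]


# Role -> explicit grants. Anything not listed here is denied ("by default").
ROLE_GRANTS: Dict[str, Tuple[Grant, ...]] = {
    "attending_physician": (
        Grant(ALL_FIELDS, frozenset({Action.READ, Action.WRITE})),
    ),
    "nurse": (
        Grant(CLINICAL | ADMIN, frozenset({Action.READ})),
        Grant(frozenset({"medications"}), frozenset({Action.WRITE})),
    ),
    "billing_clerk": (
        Grant(ADMIN, frozenset({Action.READ})),
    ),
    # A "researcher" role has no grants on identified data, so it is absent.
}


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    action: str
    field_name: str
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    audit_log: List[AuditEntry] = field(default_factory=list)

    def decide(self, user: str, role: str, action: Action, field_name: str) -> bool:
        """Allow only when an explicit grant covers (role, action, field)."""
        if field_name not in ALL_FIELDS:
            allowed, reason = False, "unknown field"
        elif action is Action.EXPORT:
            # No role may bulk-export identified records unless a separate,
            # explicitly approved process exists; here that is never the case.
            allowed, reason = False, "bulk export blocked by default"
        else:
            allowed = any(field_name in g.fields and action in g.actions
                          for g in ROLE_GRANTS.get(role, ()))
            reason = "explicit grant" if allowed else "no matching grant (default deny)"
        # Every decision, allowed or denied, is recorded for later analysis.
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                         user, role, action.value, field_name,
                                         allowed, reason))
        return allowed

    def read_record(self, user: str, role: str, record: Dict[str, str]) -> Dict[str, str]:
        """Return only the fields this role is authorized to read."""
        return {k: v for k, v in record.items()
                if self.decide(user, role, Action.READ, k)}

    def denied_count(self) -> int:
        return sum(1 for e in self.audit_log if not e.allowed)


SAMPLE_RECORD: Dict[str, str] = {  # constructed, not real patient data
    "name": "Jane Example", "date_of_birth": "1970-01-01",
    "insurance_id": "INS-000000", "diagnosis": "Type 2 diabetes",
    "medications": "metformin", "lab_results": "HbA1c 7.1%",
    "psychiatric_notes": "see attached",
}

if __name__ == "__main__":
    ac = AccessControl()
    for role in ("nurse", "billing_clerk", "researcher"):
        print(role, "sees:", sorted(ac.read_record("u1", role, SAMPLE_RECORD)))
    print("export allowed:", ac.decide("u1", "attending_physician", Action.EXPORT, "diagnosis"))
    print("denied decisions logged:", ac.denied_count())
```

The point of the structure is that the permissive case has to be written down: a new role or a new field gets nothing until someone adds a grant, and the audit log records the denials as well as the successes, which is what later lets a facility document an attack rather than guess at it.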