While we were battling the COVID-19 virus in 2020, other infections were also happening, albeit in other, digital systems. We are, of course, talking about cyberattacks. These involve digital viruses infecting IT systems and disrupting potentially life-saving processes until a ransom is paid. No honour among thieves, goes the saying; not even during a pandemic. Indeed, as global technology company Acronis noted, there was a rise in ransomware cases at the start of the COVID-19 outbreak.
A cohort study of 374 ransomware attacks found that, from 2016 to 2021, the annual number of ransomware attacks on healthcare organizations more than doubled from 43 to 91, exposing the personal health information of nearly 42 million patients. Almost half of the attacks disrupted the delivery of healthcare, with the most common problems being electronic system downtime, cancellations of scheduled care, and ambulance diversion.
Fighting back by decrypting ransomware
If we visit the HIPAA cybersecurity page we are inundated with news reports about such cases. And while these seem to increasingly target large healthcare organizations, they can be devastating for small clinics.
However, there is an exciting new development in fighting these attacks. An unnamed 240-bed Ohio hospital fell victim to cybercriminals who managed to breach its network and encrypt critical systems, including the Electronic Health Record (EHR) system, patient scheduling services, and domain controllers governing in-suite systems and medical devices.
Cyberattacks like this cause disturbances and emergency situations in hospitals on a regional level, where suddenly everyone faces increased wait times and overwhelmed emergency departments (ED).
According to this case study from Nubeva, using their LockBit decrypting tool “the hospital successfully reversed the encryption and restored critical systems quickly. This led to minimized downtime and a swift return to normal operations. (…) the intervention reduced data loss and eliminated the need for a costly ransom payment, resulting in significant financial savings for the hospital.” According to Nubeva, the hospital was able to reduce recovery time to 4 days from an average of 21 days.
Discussion about cyberthreats is and will increasingly be crucial in the medical field so as to better address and prevent them. This issue is particularly concerning as the world is increasingly turning to digital solutions to address capacity shortages.
However, these discussions should not revolve only around strengthening the IT infrastructure with anti-malware. This won’t cut it as, in addition to the technological component, there’s very much a social component in hacking into healthcare facilities. Let’s decrypt how this is the case, and consider additional measures that all of us can take to further secure our healthcare institutions and their precious data.
The larger trend in ransomware in healthcare
Ransomware “infections” are spread not by pathogens but by hackers, who infect IT systems with malware, or digital viruses, that encrypts crucial files. This paralyses whole infrastructures, because the encrypted information stays inaccessible until the demanded ransom is paid, usually in cryptocurrency.
Such cyberattacks on hospitals were commonplace well before the pandemic. One of the high-profile ones happened back in 2017 with the WannaCry attacks on 61 NHS institutions. It led to the cancellation of operations and clinical appointments, loss of internet connection in hospitals and diverted patients from emergency departments even one week after the incident. But the trend persisted in the following years.
Some of these cyberthreats could have long-term consequences. One example is that of the ransomware attack on Rangely District Hospital, a nonprofit critical access hospital. It left 5 years of patient records inaccessible.
And it’s not just the number of cases that has been on the rise but the demands as well. According to these HIPAA statistics, in 2021, the average ransomware payment in the healthcare industry was $197,000, an increase of 33% from 2020. Similarly, antivirus firm Emsisoft found that average ransomware demands increased from about $5,000 in 2018 to about $200,000, with demands for multimillion-dollar ransoms becoming more and more common.
As these concerning trends amplify, management of healthcare institutions should better equip themselves to avert cybercrime. And for that, we have to understand that it does not only rely on the technological aspect but also on the social one.
Social hacking as the access key
Now, when thinking about a cyberattack, the image that comes to mind might be that of tech-savvy hackers as depicted in Mr. Robot or The Matrix. However, this notion popularised by pop culture is not the whole equation. In fact, there is very much a “social hacking” component in cyberattacks.
- More than 90% of all cyberattacks against healthcare industries take the form of phishing scams
- In a study simulating phishing campaigns against healthcare organizations, nearly 1 in 7 of the fake phishing emails sent were clicked on by healthcare employees
- Only 16% of healthcare employees believe that they understand the risks posed by social engineering cybersecurity threats
- 45% of healthcare cybersecurity professionals stated that a phishing attack was responsible for the most severe data breach experienced by their organization. And:
- 71% of incidents involved general email phishing, 67% involved spear-phishing, 27% voice phishing (vishing), 27% whaling, 23% business email compromise, 21% SMS phishing, 20% phishing website, 16% social media phishing, 3% pharming and 2% deepfakes
Rather than exploiting technical vulnerabilities, social hacking or social engineering exploits vulnerabilities in human psychology to circumvent security technology. Famous hacker Kevin Mitnick called humans “the weakest link in any security system.” Mitnick popularised the term ‘social engineering’ in the ’90s, and his scams exemplify how breaking into tech systems is possible with this method.
One example is when he accessed the OS development servers of Digital Equipment Corporation in 1979. He did so by posing as one of the lead developers over a phone call. Claiming that he couldn’t log in, he was immediately given new credentials to do just that.
Not much has changed since then, as a similar method was used to take control of a U.S. Department of Justice (DoJ) email address in 2016. A hacker, posing as a new employee, gently persuaded a help desk colleague to provide an access token for the DoJ intranet.
As such, when considering methods to curb cyberthreats, it’s also paramount to educate personnel about ways they can be duped. In the next section, we’ll take a look at the measures that can be taken in this regard.
Adequate protection lies in humans, not just in technology
Sure, securing computerised systems in healthcare organisations will require investing in proper technological tools. We previously talked to Istvan Lam, Founder and CEO of Hungarian data privacy company Tresorit, who emphasised this. “Two things are key in prevention,” Lam explained. “First, healthcare institutions and organisations should use anti-virus software with anti-ransomware protection to protect themselves. Second, it is crucial for everyone to update operating systems and software applications.”
Hundreds of billions of dollars are already spent globally every year on such cybersecurity tools. But spending a fraction of that on educating employees about social hacking should also be imperative. Indeed, even CEOs aren’t impervious to such cyberthreats, as security company Rapid7 showed. In a simulated phishing attack by the company, 45 CEOs, or 75% of the total group in attendance, fell for at least one phishing campaign.
Thankfully, there are some ways to counter social hacking and here are a few examples:
1. Increase exposure to cyberthreats
One way to increase awareness of cybersecurity is to increase exposure to those threats via frequent simulations. During its cybersecurity events, Rapid7 noticed that people exposed to suspicious activity had a strong instinct to report subsequent ones they came across.
2. Familiarise staff with each other
Other experts recommend including everyone from top management to new recruits in training and awareness sessions about cyberthreats. That’s because it’s often newcomers to an organisation that get tricked into thinking they are conversing with an executive about an urgent issue that requires bypassing normal protocols.
3. Raise red flags about suspicious activity
Another easy method to counter attackers who exploit the social component is to train employees to identify and report red flags. Some tactics attackers rely on, such as an email purportedly sent from a CEO’s personal email address, should immediately be flagged.
Cautious cybersecurity measures
Cybersecurity firms will of course tell you the worst horror stories in the industry to sell their products. One of the most tragic ones was a reported case of a ransomware attack in September 2020 on the Duesseldorf University Hospital in Germany. Due to the attack, a woman was redirected to another healthcare facility around 20 miles away. But the ensuing delay in life-saving treatment led to her demise.
This was widely reported as the first reported death caused directly by a cyberattack. The story could serve as an incentive to invest heavily in pricey cybersecurity tools.
However, a few months later, an investigation found that she had died due to her poor health, which had been “entirely independent from the cyberattack.” As such, we have to take these threats and attacks with a pinch of salt.
Nevertheless, German law enforcement and many cybersecurity experts believe that it’s only a matter of time before a cyberattack causes such an actual demise of a patient. “There is a moral line that every person, just as a human being, recognises exists—when you do something knowing that you are potentially impacting somebody’s life you’ve crossed the line,” Mandiant’s Charles Carmakal said. “So there’s a very clear crossing of the line by this threat actor. This group is incredibly brazen, heartless, relentless.”
As such, cyberthreats in healthcare cannot be overlooked. And to protect our medical facilities and patients, both the social and technological components of this issue must be adequately reinforced. The average patient should demand more security over their data, and the medical staff and management should take these demands seriously and familiarise themselves with cybercrime methods in order to better counter them.
The post How Do They Hack Hospitals? – Cyberthreats In The Digital Health Era appeared first on The Medical Futurist.