Rise in Cyber Attacks on Healthcare Institutions Increases Patient Mortality
Earlier this month, a ransomware attack against Duesseldorf University Hospital directly led to the death of a patient when the hospital was forced to reroute emergency patients to another facility 20 miles away. This may be the first time a cyber attack can be directly linked to the death of a patient, but indirect harm to patients has been well documented.
Healthcare is the most-attacked industry in the world, suffering 45% of all cybersecurity breaches in 2019. Healthcare organizations are an attractive target for attackers because of the sensitive patient information they hold (ePHI, social security numbers, credit cards, etc.) and because their IT systems are critical to patient care, which creates opportunities for extortion.
Attacks against the healthcare sector have risen by 300% since January 2020. Until now, most of the concerns surrounding breaches against healthcare have revolved around data breaches and securing patient information. But MEDJACK (hijacks of medical devices), ransomware, and DoS (Denial of Service) attacks can disrupt the function of devices, deny access to patient records, and slow down a hospital to the point where patients must be turned away or transferred.
The Data: Connecting Cyber Threats to Critical Patient Care
A 2019 study from Vanderbilt University investigated the connection between healthcare breaches and patient mortality rates at more than 3,000 US hospitals. 10% of those hospitals experienced a data breach. The study found that:
- Hospitals hit by a data breach or ransomware attack saw an increase in the death rate among cardiac patients—23–36 additional deaths per 10,000 heart attacks—in the following months or years
- Hospitals that experienced a breach took an additional 1.7 minutes on average to deliver an electrocardiogram for suspected heart attack patients
- Remediation with standard IT security tools was more detrimental to patients than actual breaches: Remediation actions caused changes to devices that further delayed or disrupted patient care
While there is no similar study for the UK, the WannaCry attack in 2017 proved how damaging cyber attacks could be to patient care. WannaCry was a ransomware attack that targeted a variety of industries, including healthcare, and exploited a vulnerability in the Windows SMB communication protocol to spread at an unprecedented rate.
UK hospitals suffered the greatest impact with 81 hospitals losing critical computer systems. Medical treatments were disrupted with the shutdown of critical equipment like MRI machines, and 19,000 appointments were cancelled.
More recently, the University Hospital Center (CHU) of Rouen in northern France was hit by a ransomware attack that forced it to revert to pen and paper. Similarly, Samaritan Medical Center in Watertown, NY suffered a ransomware attack that forced it to shut its computer system down for three weeks this summer and return to paper records. During the attacks, both hospitals were forced to postpone medical services, including drug delivery, appointment scheduling, and radiation therapy.
As the footprint of vulnerable healthcare IoT devices grows across the globe, it is clear that hospitals can’t arm themselves fast enough against the rising threat of cyber attacks. If healthcare-specific security isn’t taken seriously, the cost to hospitals and patients' lives could be immeasurable.
The Heart of the Healthcare IoT Problem
Healthcare IoT devices today are connected to local networks or even the public Internet. US hospitals currently average 10–15 connected medical devices per bed, and large hospitals can have as many as 150,000 connected medical devices, not counting vulnerable Enterprise IoT devices and connected OT systems like HVACs.
Every connected device increases the attack surface of the clinical ecosystem, but medical devices are inherently vulnerable to cyber threats and can act as an entry point into a healthcare IT network. The vast majority were not built with security in mind, their code never underwent security review, they may have weak or nonexistent authentication, and they often run unsupported or unpatched operating systems.
On top of that, these devices are highly attractive to attackers due to the ease of penetration, their high value to the organization or the patients who use them, and the sensitive medical data they store.
What Can Be Done to Protect Devices and Patients?
While healthcare IoT devices may be healthcare’s weakest link, protecting them is a major challenge. Large facilities may have tens to hundreds of thousands of connected devices, with devices frequently added and replaced, and no central visibility into which devices exist and how vulnerable they are.
Connected medical devices are highly sensitive, and even a standard network scan can disrupt clinical operations. Security teams may be unable to install software updates, security patches, or antivirus software without a technician from the device vendor, as self-service may invalidate warranties. Further, self-service on devices may cause malfunctions.
Traditional security approaches used to protect IT assets are largely ineffective when it comes to healthcare IoT devices and may do more harm than good.
So, what can be done to protect devices?
Successful Solutions Secure Clinical IT Networks and Ensure Uninterrupted Services
Effective healthcare IoT cybersecurity solutions provide hospitals with full visibility into device inventory and medical context, and help IT security teams with:
- Automated and real-time device discovery, classification, and location tracking
- Risk assessments and recall tracking to identify vulnerable devices and immediately pinpoint devices with compromised functionality or security
- Device-level security, if possible, by applying security patches and updates, best-practice configuration, or segmentation policies
- Limiting the overall attack surface by segmenting groups of devices on the network and allowing connections only to specific devices necessary for clinical operations
- Establishing monitoring and incident management procedures that enable security teams to detect and respond to breaches when they occur
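The segmentation and monitoring items above can be combined without touching the devices themselves. This added example (not from the original article or any vendor product) checks passively collected flow records against an allowlist of device-group connections and reports anything outside it; the subnets, group names, ports and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption): network segment -> device group.
SEGMENTS = {
    "10.20.1.0/24": "infusion_pump",
    "10.20.2.0/24": "imaging",
    "10.30.0.0/24": "clinical_server",
    "10.40.0.0/16": "workstation",
}
# Allowlist of (source group, destination group, port) needed for clinical
# operations. Any flow not listed here is treated as a policy violation.
ALLOWED = {
    ("infusion_pump", "clinical_server", 443),  # pump to management server
    ("imaging", "clinical_server", 104),        # DICOM to image archive
    ("workstation", "clinical_server", 443),
}
# Constructed flow records (src_ip dst_ip dst_port), as exported by a passive
# collector such as a switch mirror port; no device is actively scanned.
SAMPLE_FLOWS = """\
10.20.1.15 10.30.0.5 443
10.20.2.8 10.30.0.7 104
10.40.3.22 10.20.1.15 445
10.20.1.15 10.20.2.8 445
192.168.77.4 10.20.2.8 104
10.40.3.22 10.30.0.5 443
"""
NETWORKS = [(ipaddress.ip_network(n), g) for n, g in SEGMENTS.items()]

def classify(ip):
    """Map an address to its device group, or None if it is not inventoried."""
    addr = ipaddress.ip_address(ip)
    return next((g for net, g in NETWORKS if addr in net), None)

def audit_flows(text):
    """Return (violations, unknown_hosts) for flows outside the allowlist."""
    violations, unknown = [], set()
    for line in filter(str.strip, text.splitlines()):
        src, dst, port = line.split()
        sg, dg = classify(src), classify(dst)
        # Hosts missing from the inventory are a discovery gap in their own right.
        unknown.update(ip for ip, g in ((src, sg), (dst, dg)) if g is None)
        if (sg, dg, int(port)) not in ALLOWED:
            violations.append((src, dst, int(port), sg, dg))
    return violations, unknown

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS)[0]:
        print("policy violation:", v)
```

On the sample data the two SMB (port 445) flows that cross segment boundaries and the flow from an uninventoried host are reported, while the three clinical flows pass.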