Outbreak of Medical Cyberattacks on the Rise

 By Diane Tait

Image courtesy Pixabay

Being in the Information Age means always being in danger of having your web-enabled devices hacked, cracked, and cyber-attacked.  That's why I keep no less than three levels of cybersecurity on my laptop, tablet, and smartphone.  While that puts me head and shoulders above most mere mortals these days, I recently read a newsfeed that got me thinking that maybe there's another way for hackers to get me right where they want me.  You see, while my sense of cybersecurity is top-notch, it turns out that some of the doctors I see on a regular basis may not be cyber secure.  At least that's what a recent report from Brookings.org led me to believe.

It's not only big businesses that hacking collectives are targeting these days. Malware has spread faster than the Coronavirus to infect the healthcare industry just when we need it most.  Since 2017, when the WannaCry ransomware infected scores of hospitals worldwide and caused some emergency rooms to shut down and surgeries to be canceled, the incidence of healthcare hacking has grown by leaps and bounds.  2018 saw the Allscripts ransomware attacks disrupt hundreds of hospitals and clinics that were unable to view patient records or prescribe medication due to the breach.  Hospitals and healthcare organizations have seen a recent spate of ransomware attacks that not only crippled their ability to serve the public, it has actually led to several deaths when critical care equipment was compromised by hackers. 

How hackers can needle you when you need medical care the most.– If denial of service attacks and ransomware aren't bad enough, once a medical database has been compromised, the hackers are free to use or sell your information to the highest bidders.  Depending on how complete the medical records are, hackers can etail your data for anywhere from $10-$1,000 a pop.  Once in possession of your records, a hacker may also choose to redirect your prescriptions to their location or to have a trusted compatriot intercept your scrips at the pharmacy, which they then sell for hard currency.  Aside from selling patient records or stealing prescription medication, gaining access to medical records also gives hackers the leverage to perform identity theft, since many medical professionals ask patients to provide their social security numbers. 

Unfortunately, financial gain isn't the only result of hacked medical systems.  Modern hospitals, clinics, and healthcare providers rely heavily on technology that once compromised can cause as much harm as a mass casualty attack.  Everything from hospital computerized heating and electrical systems to medical devices and communications is vulnerable to hacking.  Once infected, the malware can spread from one system to the next or even one medical care facility to the next at broadband speeds.  So vulnerable is the nation's healthcare system to cyberattacks that the Federal Emergency Response Agency developed a list of best practices for healthcare facilities to use in the event they come under a cyberattack.   

Can hackers cost you your life? – You bet they can.  By August 2021, US hospitals in 963 locations reported interruptions caused by hackers.  This was up from 560 sites in all of 2020.  Not only were records held for ransom, in some cases ransomware was used to infect medical devices that were part of the critical care delivery system.  Everything from MRI scanners to digital IV pumps were found to be susceptible to hacking.  Both here and abroad, several deaths were attributed to compromised healthcare equipment.  What's even worse is that while it can take years to secure FDA approval, by the time new devices hit the market, some of them come with outdated software or operating systems that hackers have already cracked. 

In a May 2020 report issued by the Annals of Emergency Medicine titled Cyber Disaster Medicine, stated: "Modern health care systems are interconnected and interdependent technical systems and are composed of a myriad of different software, hardware, medical devices, and networking products. The interoperability, or the ability of these systems to communicate and work with one another was required under the Meaningful Use provision of the Health Information Technology for Economic and Clinical Health act passed by Congress in 2009. In 2017, the US Department of Health and Human Services released a congressionally mandated task force report stating that health care cybersecurity is in critical condition, leading many individuals to conclude that the ability to connect these systems has greatly outpaced the ability to secure them." 

Image courtesy Pixabay

Just what the doctor ordered? – Hardly, when you consider that since 2020, there has been an uptick of nearly 50% in the increased incidence of ransomware attacks that target healthcare practitioners.  This coincided with the onset of COVID-19, which meant that doctors were forced to deal with shoring up their cyber defenses at the same time they were overwhelmed with ill patients.  The incidence of online break-ins and disruptions grew to become so severe that some physicians decided to stop using their online resources only to go back to writing paper to transmit prescriptions to local pharmacies.

Even if all a hacker manages to do is keep healthcare professionals from accessing patient records, this can have dire results on treatment.  The problem is that while healthcare professionals are excellent at combating contagion, they are woefully unprepared for digital viruses that can disrupt healthcare delivery at every level.  A 2020 Cybersecurity survey by the Health Information & Management Systems Society pointed out that on average healthcare organizations only spend about 5% of their IT budget on cybersecurity.  The other 95%  is dedicated to acquiring new technology.  As a result, this policy tends to spread instead of stem online infection.  The report goes on to reveal that it takes the average healthcare facility 236 days to detect a system breach and another 73 days to mitigate the damage.   

What can you do to prevent a medical cyberattack from affecting you? While many patients feel there's nothing they can do to keep a third party from inadvertently revealing their medical, personal, and/or financial information, this isn't always the case.  While you have no control of how your healthcare providers defend their technology against intruders, you can help them keep your information private by refusing to divulge information like your social security number.  You can also have a discussion with your physicians and healthcare administrators to find out what they're doing to protect the information you provide them.  If you don't like what you hear, you can always choose to work with another provider in your network who is willing to address the concerns about patient information security.  

Diane Tait owns and operates A&B Insurance.  To find out more about how you can save money on insurance, go to her site or fill out the form at right.