Cyberattacks on hospitals
Attacks on hospitals aim primarily at acquiring data. Most are ransomware-based. Lina Kolesnikova reports on the dangers and threats that healthcare institutions face
Ransomware is a type of malicious software that spreads across computer networks, encrypting data files and demanding payment for a key to decrypt them. Hackers seeking to deploy ransomware often wait until the weekend or public holidays, when a company is likely to have fewer technical staff members present. Image: everythingispossible/123rf
In September 2020, German authorities confirmed the death of a patient as a result of a hacker attack at a major hospital in Duesseldorf. The Duesseldorf University Clinic’s systems had been disrupted and investigators later found that the source of the problem was a hacker attack on a weak spot in “widely used commercial add-on software,” which they did not identify.
A woman who needed urgent admission died after having to be taken to another city for treatment. The hospital said that: “There was no concrete ransom demand.”
In recent years, we have witnessed a skyrocketing increase in cyberattacks on hospitals all around the world; cases have been reported in the USA, UK, France, Germany, Russia, the Czech Republic and elsewhere. This is worrying because hospitals, like many other modern organisations, rely increasingly upon information systems for a wide variety of administrative and clinical functions that run around the clock.
Hackers can also blackmail patients directly if they have access to private information about their health condition. If medical services are paid for by a patient, additional information about their financial situation can be accessed, and this information can be used by criminals to select their targets and then blackmail them.
Equipment and diagnostics technologies used by medical institutions have highly computerised components. The whole network of devices, equipment and systems requires connections to external systems, but this critical and complex environment is difficult to control. Many healthcare providers do not pay sufficient attention to cyber risks and thus make themselves attractive targets for cybercrimes.
One of the most valuable assets that cybercriminals look for is clinical patient data, such as treatment plans and medical histories. Patient records that have been made inaccessible in a cyberattack could lead to potentially catastrophic consequences for the patient. The information contained in the records is also very private in nature and, if it were made public, healthcare organisations could face serious legal problems.
Hospitals often use outdated IT systems and rarely update their security software, which makes them an obvious target, even for novice hackers, and makes the attack itself easy to carry out. Healthcare providers are unlikely to have high-level IT professionals on board, and the reality is that hospital management cannot always estimate the damage accurately when patients’ data are already on sale on the black market.
In the US, there is the Health Insurance Portability and Accountability Act of 1996 – a federal law requiring national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge – but there is no healthcare-specific regulation in Europe. For data privacy, general requirements of the GDPR apply.
Purely national approaches to security might lead to the development of different or incompatible standards and complex sets of security requirements, which could lead to fragmentation of the medical equipment and systems markets and, subsequently, cause an increase in the costs of modern medicine in many countries.
Unfortunately, the pandemic and the increase in remote working have contributed to rising risks for hospitals. When working from home, employees could inadvertently ‘allow’ hackers to penetrate the internal perimeter of the working environment, since remote access to systems is now widely used for legitimate purposes. Overall, most attacks start via spam mail services carrying phishing messages and via brute force attempts, such as password guessing.
Needless to say, many hospitals pay the criminals to avoid scandals and lawsuits. But by paying the ransom and hiding the truth, they only encourage criminals to carry out further attacks.
Today’s targets include the WHO and international research laboratories working on Covid-19, which find themselves under a barrage of attacks.
Aside from the ‘regular’ cybercriminals, attacks on hospitals could also be perpetrated by terrorists. Their objective is not to blackmail victims (a crime committed for financial gain) but rather to disrupt critical infrastructure and cause as many deaths as possible. Terrorists could combine physical attacks with cyberattacks to create chaos and prevent emergency aid from reaching victims.