Cyberattacks are a genuine concern in all industries, but the nature of health care and medical care centers brings some unique variables. As public awareness of cyberattacks on hospitals and other healthcare providers grows, medical professionals, business leaders, and policymakers face increasingly challenging questions about the impact and possible responses.
It is important to remember that while cyberattacks on hospitals and other care providers are increasingly the focus of media attention, the rate and severity of such attacks have increased for some time. A survey of the available data from 2022 indicates as much and reveals some troubling global data:
- Global volume of cyberattacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organization
- Top 3 most attacked industries in 2022 were Education/Research, Government, and Healthcare
- Africa experienced the highest volume of attacks with 1875 weekly attacks per organization, followed by APAC (Asia-Pacific region) with 1691 weekly attacks per organization
- North America (+52%), Latin America (+29%), and Europe (+26%) showed the most significant increases in cyberattacks in 2022 compared to 2021
- The US saw a 57% increase in overall cyberattacks in 2022, UK saw a 77% increase, and Singapore – a 26% increase
- The healthcare industry saw a 74% increase in cyberattacks year over year, the most of any sector included in this research.
Taken in aggregate, this information raises some valid concerns about cyberattacks on healthcare providers, which recent events have emerged. Furthermore, ongoing real-world experiences reveal how cyberattacks can impact entire communities more broadly.
Scripps Medical Center Ransomware Attack
In the spring of 2021, the Scripps Medical Center in San Diego was the victim of a ransomware attack. The massive attack paralyzed the facility, which usually sees over 700,000 patients annually. Patient information was compromised–leading to a series of lawsuits over the next few years. The disruption in emergency services was more immediately necessary. With critical care patients diverted elsewhere, nearby hospitals were quickly flooded with patients. As one NPR report noted, this led to some interesting language being used by experts when discussing the incident:
The attack had a blast radius. In conversations, experts kept using that term, one that’s usually reserved for bombs, but it fits. Scripps struggled to get back online for the next month. It was all over national and local news.
The Scripps case may serve as an example-in-point: cyberattacks on healthcare facilities disrupt not just that facility but entire healthcare systems and community emergency response. We can see similar patterns in cyberattacks nationwide: Tallahassee, Idaho Falls, and Spring Valley, Il, for instance. The additional and unexpected strain creates a ripple effect that may last for weeks or months and affect not only emergency rooms and critical care but first responders, routine care, and patient privacy.
There are also business effects to consider: St Margaret’s, the target hospital in the 2021 Spring Valley, Il attack, closed permanently earlier this month. More recently, an April 22, 2023 cyberattack on a Murfreesboro, TN, hospital created financial chaos and forced a hopefully temporary closure. The take-home for concerned parties is that a cyberware attack, ransomware or otherwise, can have lasting impacts on the target institution’s quality of care and its business future.
US Government Response
There are governmental pushes to provide additional safeguards for hospitals and health systems by improving cyber security capabilities and increasing overall resiliency. S.1560 (The Rural Hospital Cybersecurity Enhancement Act) is a recently introduced bill in the US Senate intended to “require the development of a comprehensive rural hospital cybersecurity workforce development strategy, and for other purposes.” The CDC and the FDA aim to implement and maintain cutting-edge safeguards against cyberattacks and develop their overall cybersecurity. For hospitals, healthcare providers, and related businesses, recommendations for preventative action include the following:
- Maintaining multiple offline, encrypted backups of vital data
- Regular testing and evaluating of both backups and restoration processes
- Conducting regular scans to identify and address vulnerabilities, especially those on internet-facing devices and systems
- Limiting attack surfaces, particularly on internet-facing devices and systems
- Frequent updating of software and operating systems
- Training your employees regarding phishing and other common IT attacks, including how to report and log such incidents
As with many healthcare and medicine issues, cybersecurity is an ongoing and evolving concern. Constant and consistent vigilance is the best approach to staying alert and avoiding potential problems.