Cyberattacks on Hospitals: A Growing Threat
Recent cyberattacks on hospitals underscore the very serious security threats that all healthcare organizations face today. Incidents affecting Lurie Children’s Hospital and Ardent Health Services, as well as the electronic clearinghouse Change Healthcare, have shown how attacks can expose patient records, cost organizations millions of dollars, and severely disrupt patient care.
As these attacks increase in frequency, many hospitals need to step up their cybersecurity efforts. They will need to rethink their current strategies and invest in new tools that can help prevent incidents and minimize damage. At the same time, government entities, technology companies, and insurers could play important roles in reducing the impact of attacks.
Why Cyberattacks on Healthcare Are Likely to Increase
Hospitals are very attractive targets for cybercriminals. The patient data that hospitals generate and store contains a wealth of personal information that attackers can sell, including not only the names of patients and family members, but also addresses, Social Security numbers, insurance details, and credit card numbers. Attackers also know that holding this patient data hostage and disrupting hospital services creates a crisis that can drive institutions to pay ransoms quickly.
Meanwhile, the healthcare sector lags behind other industries in its cybersecurity preparedness. Cybercriminals are more likely to attack a hospital, which has high-value assets and less mature security, than a financial services business, which is typically better protected.
Read the Blog: Why Hospitals Have Become a Prime Target for Ransomware
The Rising Threat of Ransomware Attacks
Ransomware has become the most common form of attack on hospitals, and these attacks have grown more sophisticated and harder to stop. Cybercriminals are getting better at conducting phishing schemes, exploiting software vulnerabilities, and taking advantage of human error to gain access to networks. They are also using Ransomware-as-a-Service offerings that let them launch attacks without writing their own malware. And they are amplifying the pressure to pay by layering multiple extortion threats onto each attack (often called double or triple extortion), for example, by threatening to sell patient data or to attack partner organizations.
Hospitals are responding by boosting their cybersecurity budgets. According to one report, healthcare organizations now spend about 7% of their total budget on cybersecurity, up from prior years. They are implementing new preventive measures, backing up critical data and systems, patching software faster, and investing in training for IT and security staff as well as for other employees. But many hospitals still pay ransoms so they can quickly regain access to critical systems and patient data, and cybercriminals are well aware of this tendency.
Read the Blog: The Healthcare Ransomware Crisis - How to Bolster Defenses and Reduce Risk
The Impact of Cyberattacks on Hospital Operations
A cyberattack can have a significant, immediate effect on a hospital’s ability to provide patient services. Staff members might be locked out of key systems, or the organization’s IT team might decide to shut down applications in an effort to prevent the spread of malware. In the attack on Lurie Children’s Hospital in early 2024, the organization turned off internet-connected systems—including phones, email, and electronic health record (EHR) systems. The result was a severe disruption to communications and operations.
Some hospitals might need to turn patients away during a cyberattack. During an attack in 2023, Ardent Health Services diverted ambulances and emergency room patients away from some of its hospitals. The organization also rescheduled some elective patient procedures.
Depending on the severity of the attack, it can take weeks or months for a hospital to recover. For example, it took more than a month for Lurie Children’s Hospital to bring its Epic MyChart patient portal back online.
These disruptions can endanger patient health and safety. If patients are unable to go to a nearby hospital for emergency care, forced to delay procedures, or unable to communicate with doctors, they can face serious health consequences.
The Financial Costs of Cyberattacks on Healthcare
The costs of a single cyberattack can be enormous. According to IBM, the average cost of a breach for a healthcare organization is nearly $11 million.
If your hospital is struck by a ransomware attack, you might feel forced to pay the ransom, which alone could cost millions of dollars, and which does not guarantee that the attackers will provide a working decryptor or delete the data they stole. You will then need to cover the expense of recovering data and restoring systems. With the help of forensic specialists (whom you will likely need to hire), you will have to determine how the attack succeeded and then, over the longer term, implement additional security measures.
You will also face the costs of addressing the attack’s impact on patients. For example, you will need to notify all patients whose records were exposed, as the HIPAA Breach Notification Rule requires, and you will typically pay for credit monitoring services. You could face lawsuits if any patients were harmed as a result of the attack. You could also face fines for violations of HIPAA (the Health Insurance Portability and Accountability Act of 1996) or other regulations.
Moreover, you could lose revenue during the attack if you need to cancel procedures or turn away patients. If patient trust declines or you suffer damage to the hospital’s reputation, you could continue to lose revenue in the months and years to come.
Securing Medical Devices and Equipment
To prevent future attacks, hospitals need a multi-layered strategy. Your organization might have to limit access to medical records to the minimum each role needs, encrypt data at rest and in transit, and require multi-factor authentication for all remote and privileged access, while also expanding data backups (including offline or immutable copies that ransomware cannot reach) and strengthening disaster recovery with regular restore tests.
Many hospitals should also enhance protection for medical devices and equipment. These devices are often connected to core clinical systems, yet they frequently run outdated or unpatchable software, so a compromised device can give attackers a foothold from which to reach the rest of the network. In addition to updating software where the vendor allows it, you might need to update your network controls so that devices are segmented from the rest of the network and can be isolated quickly to limit exposure in the event of an attack.
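As an added illustration that is not part of the original post and not part of Cloudticity's services, the following nftables policy shows what "segmenting and isolating devices" looks like in practice on a Linux gateway that sits between a medical-device VLAN and the clinical network. The interface name, the addresses, the interface-engine host, the NTP server, and the patch-management jump host are all assumptions for the example; only the HL7 MLLP port (2575/tcp) is a standard, IANA-registered value.

```nft
# Added example (not from the original post). Default-deny segmentation for a
# medical-device VLAN on a Linux gateway running nftables.
# Interface names and addresses are hypothetical; 2575/tcp is the IANA-registered HL7 MLLP port.
table inet meddev_segmentation {
    set allowed_hl7_servers {
        type ipv4_addr
        elements = { 10.20.0.10 }   # interface engine that receives device HL7 feeds (assumed)
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # nothing crosses VLANs unless listed below

        # Return traffic for connections already permitted by a rule below
        ct state established,related accept

        # Devices may open HL7 MLLP sessions only to the interface engine, nothing else
        iifname "vlan-meddev" ip daddr @allowed_hl7_servers tcp dport 2575 ct state new accept

        # Devices may sync time with the internal NTP server (assumed address)
        iifname "vlan-meddev" ip daddr 10.20.0.5 udp dport 123 accept

        # Only the patch-management jump host may initiate connections into the device VLAN
        ip saddr 10.30.0.20 oifname "vlan-meddev" ct state new accept

        # Everything else is logged and dropped, so lateral movement from a compromised
        # device toward file shares, domain controllers or the EHR never leaves the VLAN
        iifname "vlan-meddev" log prefix "meddev-drop: " counter drop
        oifname "vlan-meddev" log prefix "meddev-ingress-drop: " counter drop
    }
}
```

Load the policy with `nft -f` and forward the `meddev-drop:` kernel log messages to the SOC: an infusion pump that suddenly tries to reach SMB (445/tcp) on the file-server subnet is both blocked and visible, which is exactly the signal an incident responder wants. Quarantining a suspect device during an incident then means taking it out of the allow-list sets rather than re-architecting the network under pressure.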
Read the Blog: The Nine Biggest Cybersecurity Threats for Healthcare
Training Healthcare Workers on Cybersecurity
Employee education should be a central component of your cybersecurity strategy. Employees need to understand the serious potential risks facing hospitals and learn how they can help protect their organizations.
For example, as long as phishing remains a primary technique for stealing credentials and gaining access to hospital IT environments, employees must learn how to identify and report suspicious emails and texts. They should also understand why it matters to use strong, unique passwords (or the organization's password manager), never share credentials, and access systems only through approved channels, so they do not inadvertently create additional vulnerabilities. To help ensure these messages are received, hospitals should incorporate cybersecurity training into employee onboarding and ongoing professional development.
Government Responses to Hospital Cyberattacks
The federal government could help hospitals prepare for attacks, accelerate remediation, and reduce financial losses. After the attack on UnitedHealth Group’s Change Healthcare electronic clearinghouse in early 2024, the U.S. Department of Health and Human Services (HHS) condemned the attack and helped coordinate the response from multiple federal agencies.
Still, hospitals and other healthcare organizations have asked the government to do more. For example, in the wake of the Change Healthcare attack, the American Medical Association (AMA) and American Hospital Association (AHA) urged the government to provide advance payments to providers, who were otherwise unable to receive payments from insurers. Hospitals asked Congress to loosen statutory constraints that might restrict the flow of funds and to modify regulations in ways that would streamline payment from payers.
The government could also provide necessary funding to upgrade legacy IT systems. That funding would be welcomed not only by large health systems but also by smaller and more rural organizations, which might have limited resources for additional cybersecurity measures.
Improving Healthcare Cybersecurity Standards
Government bodies could also press for improved cybersecurity standards. In fact, one recent bill introduced in the U.S. Senate would enable hospitals and other providers to receive accelerated payments in the event of a cybersecurity attack—as long as those providers meet minimum cybersecurity standards.
Meanwhile, government agencies and industry organizations could tighten policies on cybersecurity and increase enforcement of regulations. For example, they could mandate more frequent security audits and require greater accountability for cybersecurity preparedness. Healthcare organizations and technology companies could also work together to make it easier to implement AI and other emerging technologies to detect attacks before they do serious damage.
Read the Blog: Ransomware Recovery and Resilience for Epic EHR
The Role of Cyber Insurance for Hospitals
Cyber insurance can play a key role in helping hospitals offset the potentially devastating financial costs of attacks. Policies can cover a wide array of expenses, including costs related to:
- Ransom payments
- Identification and correction of security flaws
- Data restoration
- Patient notification and credit monitoring services
- Regulatory fines
- Attorney and court fees
- Legal settlements
Still, as the number and severity of attacks increase, premiums have been rising sharply, and insurers increasingly require baseline controls such as multi-factor authentication, offline backups, and endpoint detection before they will write a policy. Small independent hospitals and those in rural settings might find it difficult to afford comprehensive coverage for attacks.
Preparing for Future Threats
As long as attackers see hospitals as potentially lucrative targets, hospitals will need to devote significant resources to cybersecurity. They need ways to safeguard patient data and prevent service disruptions that can cause patients harm. In many cases, hospitals will benefit from working with outside experts, who can help develop a strategy to maximize cybersecurity protection while adhering to stringent healthcare regulations.
How Cloudticity Can Help
Cloudticity is a managed security services provider exclusively for healthcare. We've been managing health data in the cloud since 2011 and we've never had a breach. We have the tooling, monitoring, manpower, and expertise to identify attacks quickly, respond, and stop attacks before they penetrate systems.
To learn more, download the free eBook, The Nine Biggest Healthcare Cybersecurity Threats and How to Beat Them.
Or learn how Cloudticity can help your organization better defend against cybersecurity threats. Check out our Security Services for Healthcare or contact us for a free consultation today.