The Impact of the Recent Hospital Cyberattacks
The attack on UnitedHealth Group’s Change Healthcare electronic clearinghouse in early 2024 demonstrates the widespread damage that cybercrimes can cause for healthcare operations and patient care. In the case of Change, a ransomware attack cut the link between medical providers and insurance companies, leaving hospitals, pharmacies, and other healthcare organizations unable to transmit patient claims and receive payment for their services.
Numerous hospitals across the country were affected. According to the American Hospital Association, 74% percent of hospitals surveyed in March 2024 reported a direct impact on patient care because of the incident while 94% reported a financial impact.
The attack—which was one of the worst the US healthcare industry has experienced—also had a tangible impact on patients. Many faced delays for testing and critical medical procedures. Others were left unable to receive needed discounts for medications.
The ransomware attack on Lurie Children’s Hospital in Chicago just a month earlier illustrates the effects of ransomware attacks that target hospitals directly. The organization had to temporarily shut down internet-connected systems—including phones, email, and electronic health record (EHR) systems, which disrupted communication with patients and forced staff to resort to manual processes.
Following the Change Healthcare and Lurie Children’s Hospital attacks, patients and providers remain concerned that patient data and other information may have been compromised. If so, attackers could sell that information, enabling others to conduct additional crimes.
How Attacks Occur and Spread
Ransomware attacks can begin in a number of ways. Hackers might gain access to an organization’s IT environment by exploiting a vulnerability in a misconfigured system, conducting a network intrusion, or using a password for an enterprise app stolen through a simple phishing scheme.
Once inside an organization’s network, an attacker can spread malware rapidly throughout that organization and beyond—infecting partners as well. Unless organizations and their partners have segmented their systems, attackers and their malware can move laterally to mission-critical systems. They can then lock organizations out of their own systems and demand ransoms. Hackers reportedly demanded $3.4 million from Lurie Children’s; Change Healthcare might have paid $22 million, though neither organization has confirmed making ransom payments.
Immediate Response and Damage Control
As soon as a breach is detected, hospitals typically implement emergency procedures to sustain critical operations. IT teams might bring the network offline to prevent further damage. Hospital staff might transition to paper records and analog systems so they can continue to provide care, and maintain records, until systems are back up and running. Some services might be curtailed: When Ardent Health Services was attacked in late 2023, the organization diverted ambulances and emergency room patients away from some of its hospitals, and rescheduled some elective patient procedures.
Behind the scenes, IT and security teams will likely first shut down infected or breached systems to contain damage before working to recover data and restore system functionality. In the case of the Change Healthcare attack, many hospitals and other providers switched to alternative clearinghouses so they could continue to submit claims for payment.
Long-Term Effects on Hospital Finances and Care
Even as short-term issues are resolved, hospitals can still face serious long-term effects after a cyberattack. The impact of any lost billings and revenue they experienced during their system downtime could be felt for several quarters. Meanwhile, hospitals might need to spend substantial sums to restore data, recover systems, and then subsequently upgrade security systems. They might also need to pay regulatory fines to the government and address legal liabilities related to the exposure of patient data.
These unanticipated expenditures can ultimately affect patient care. Hospitals might need to scale back future investments in services or technologies that could have benefited patients.
At the same time, a breach can seriously undermine public trust in a hospital or health system’s ability to protect patient data. An organization might lose revenue if patients choose other facilities.
Improving Healthcare Cybersecurity
Ransomware attacks against healthcare organizations are on the rise. According to one analysis, direct attacks on hospitals rose 84% in 2023 over the previous year. Each attack can affect multiple organizations.
How can your organization address growing threats? Many will need to partner with cybersecurity experts and invest in modern security tools. Continuous monitoring is essential: You need to detect and address threats before they cause damage. In addition, robust access controls are key for preventing attackers from accessing networks even if they’ve stolen an employee’s credentials. Proper network segmentation, meanwhile, can help prevent malware from spreading within a network.
Because attacks can begin with vendors and other partners, you might require those organizations to adhere to a robust risk management framework. Requiring partners to achieve HITRUST certification, for example, can help ensure that they have strong security controls in place.
Protecting Patient Data
A hospital’s cybersecurity strategy must focus on protecting patient data—the most valuable asset to cyber criminals. You should strictly limit access to medical records. Encryption can further protect exposure of information even if systems are breached.
You also need tools to rapidly detect and shut down unauthorized access to information. Multi-factor authentication, for example, can help stop unauthorized access even if attackers have acquired a system password. If a breach is successful, you will need ways to remediate damage quickly.
Educating Healthcare Staff
One of the most effective strategies for avoiding breaches is educating your organization’s employees about security risks and teaching simple, preventive measures. For example, phishing remains a primary way that attackers gain access to enterprise systems. Your employees should know how to identify phishing attempts and how to report them to your IT or security teams. At the same time, promoting the use of secure, unique passwords for apps can help prevent attackers from accessing those apps with user credentials they’ve gleaned from other breaches.
Employees must also follow proper protocols for data access. Your security efforts will be effective only if employees follow the processes you’ve put in place.
Coordinating Disclosure and Communications
Hospitals and other healthcare organizations continue to be among the most frequent targets for cyber attackers—and some attacks will succeed. Your organization should have a plan in place to notify patients and the public in a timely manner after incidents occur. Your notification should include clear messaging about what actions you have taken and will take to protect sensitive data. Transparency about your investigation and next steps—plus an offer to provide identity protection to patients for a time—could reduce negative publicity and help to rebuild trust.
Learning from the Attacks
There are lessons to be learned from all attacks, whether or not they are successful. You should conduct a thorough post-mortem analysis, determining what happened and identifying any security gaps. Once you’ve pinpointed new vulnerabilities, you can start exploring strategies and tools for enhancing your defenses.
Preparing for Future Threats
Hospitals and other healthcare providers will continue to be frequent targets for cyber criminals for the foreseeable future. Though the incidents you experience might not be as disastrous as recent, highly publicized breaches, any attack can have a significant impact on your operations and your ability to provide quality care.
To stay ahead of attackers, your organization must continuously audit, test, and evaluate your security controls. At the same time, you should research emerging attack methods and identify potential vulnerabilities. And because attacks are nearly inevitable, building and maintaining a comprehensive incident response plan is crucial: The faster you address and recover from an attack, the faster you can return to serving patients.
Working with Cloudticity can help you optimize preparation for future threats. To learn more about our ransomware solution, reach out for a free consultation today.