Last week, I was reading various financial headlines to keep up to date on the stock market, and came across a troubling one: “Healthy Stocks are plunging due to cyber threats, fraud, and corporate profits are being damaged.”
The excerpt is as follows: “The day after Health Savings Account (HSA) custodians missed their profit estimates, 20% sunk on Wednesday, giving weak guidance to address the increased costs of criminal activity targeting the company.
“In the transcript of the analyst call provided by AlphaSense, CEO Scott Cutler explained that, along with other financial companies, HealthEquity has seen ‘an increase in cyber threats and fraud attacks from bad actors using sophisticated technology, techniques and methods.’”
The broader cybertrends in healthcare
In fact, this story is just one example of the growing trend of cyberattacks on hospitals, healthcare facilities, and the enterprise as a whole.
The HIPAA Journal published an article in January about the surprising trends in 2024 healthcare cyberattacks. Here is an excerpt:
“Last year was an annus horribilis for healthcare data breaches. The number of reported data breaches involving more than 500 records appears to have declined just a while ago, but the number of individuals affected by those violations has risen considerably.”
As explained in detail in the article, the biggest healthcare data breaches of 2024 include Change Healthcare, Kaiser Foundation Health Plan, Ascension Health, Health Equity, Concentra Health Services, and the Centers for Medicare and Medicaid Services.
In the last case, “The Centers for Medicare and Medicaid Services (CMS) reported 3,112,815 protected health information violations in September 2024.”
The problem of life and death
But perhaps even more troublesome than data breaches that lead to economic losses is the health impact these cyberattacks have on people's lives. The United Nations recently published a report on the topic of “Healthcare Cyber Attacks: A Global Threat that Cannot Be Ignored.” Their story begins:
“Briefing Ambassador Tedros Adhanom Ghebreyesus, Director, highlighted the serious impact of cyberattacks on hospitals and healthcare services, calling for urgent and collective global action to address this growing crisis.
“‘Ransomware and other cyberattacks on hospitals and other healthcare facilities can be a matter of life and death, not just security and confidentiality,’ he said.
“At best, these attacks cause confusion and economic losses. At worst, they undermine trust in the health system on which people rely, and even cause harm and death to patients.”
“The digital transformation of healthcare, coupled with the high value of health data, has made the sector a major target for cybercriminals. Tedros cited an example of a 2020 ransomware attack on Brno University Hospital in the Czech Republic, and an example of an Irish Health Services Executive (HSE) violation in May 2021.
“Cyberattacks have expanded beyond hospitals to disrupt the broader biomedical supply chain.”
A similar report was written by Security Intelligence: “When Ransomware is Killed: Attacks on Healthcare Facilities.”
“Hospitals rely heavily on digital systems to manage patient care. When ransomware attacks occur, these systems go offline and often have tragic results. Research highlights risks. Since 2015, ransomware attacks have increased by 300%.
“A study from the University of California, San Diego shows that ransomware attacks on hospitals have ripple effects, meaning that nearby hospitals see a surge in patients, increasing cardiac arrest cases by 81%. Survival rates for these cardiac arrest cases also declined.
“In another study of two urban emergency departments adjacent to the institution under attack, the researchers noted a significant increase in the amount of patients, a longer patient left and an increase in the left without seeing an increase. These delays, according to the study, underscore the need for a disaster response approach to such incidents.
“In some cases, the tragic consequences of ransomware in healthcare have been documented in legal proceedings. In 2020, a woman sued an Alabama hospital, claiming that ransomware attacks contributed to the death of her newborn daughter.”
Another sad example came from Industrial Cyber earlier this month: “Microsoft highlights the cybersecurity crisis at rural hospitals and encourages strengthened measures to strengthen health resilience.”
“Microsoft has released a new white paper that shares insights gained over the past year and focuses on the roles rural health and the roles that technology companies can play. It explores the current state of rural hospitals, the unique cybersecurity threats they face, and the roles that tech companies can play in addressing today's cyber risks.
“In the white paper, we observed that ransomware attacks pose a specific threat to hospitals. Hospitals are often targeted by both financially motivated cybercriminals and nation-state threat groups. Hospitals often pay ransoms to avoid disruption in patient care, and malicious actors exploit this reality. Baseline following Covid-19.”
And finally, for those who prefer to watch a video, this PBS News Hour story on the topic tells the story of “how cyberattacks have crippled the US health system.”
What can you do to help the hospital?
One way hospitals are fighting back is by pooling resources and working together to combat cyberattacks. The Michigan Healthcare Cybersecurity Council (MIHCC) is a group of Midwest hospitals that work together to combat cybercrime. According to their website:
“Membership and Community Engagement – Through regular member activities across the state, we provide opportunities for collaboration and contribution to our colleagues. As a group of information security practitioners in the health sector, we have valuable practices and experience to share all our experts.
“Partner Organizations and Working with our Partner Organizations – We aim to develop networks of networks through our sectors to find common causes and solutions. It projects voices serving our healthcare community.”
This video/podcast provides details about what happens when a cyberattack occurs in a hospital or health system.
Here's a small excerpt from the video: “MHA has released a new episode of the cast of Myal Champions, exploring what will happen when they experience a cyberattack, featuring Jack Kufahl, Chief Information Security Officer at Michigan Medicine.
“In his role, Kufahl is responsible for planning, developing, implementing and maintaining information assurance activities throughout the Academic Medical Center. While the Health System was not significantly affected by healthcare violations, Kufahl shared valuable insights into how his team responds and improves cybersecurity measurements.”
“I think one of the most important things hospitals and healthcare providers can do is start establishing long-term (cybersecurity) frameworks so that improvements can be measured over time,” Kufahl said.
Final Thoughts
Some readers may be wondering, “What is the government's impact from cyberattacks in the healthcare industry?”
One example of this comes from this article from the second half of last year. “HHS faces challenges as a lead agency in healthcare cybersecurity: GAO.” Here's a quick excerpt:
“The Department of Health and Human Services is facing challenges to mitigate cybersecurity risks in the health sector, according to a report released Thursday by the Government Accountability Office. According to GAO, it effectively leads the industry in cybersecurity. This is a potential risk to providers and patient care.”