In an era where technology seamlessly integrates with the fabric of healthcare, the importance of robust cybersecurity measures in hospitals cannot be overstated. As medical institutions increasingly rely on digital systems for patient care, record management, and communication, they become more vulnerable to the growing threats of cyberattacks. The consequences of a breach extend far beyond compromised data; they directly jeopardize patient safety, compromise confidential information, and can bring critical healthcare operations to a grinding halt.
Hospitals, as custodians of sensitive patient data and essential healthcare services, are prime targets for malicious actors seeking to exploit vulnerabilities in the digital landscape. From electronic health records to interconnected medical devices, the healthcare industry’s dependence on technology presents a unique set of challenges and risks. Consequently, it is imperative for hospitals to prioritize and invest in robust cybersecurity measures to safeguard not only their own operations but, more importantly, the well-being of the patients they serve.
This article explores the critical reasons why hospitals should take cybersecurity seriously, delving into the potential consequences of lax security, the evolving landscape of cyber threats in healthcare, and the measures hospitals can adopt to fortify their digital defenses. By understanding and addressing these challenges head-on, healthcare institutions can foster an environment of trust, ensure patient safety, and uphold the integrity of the healthcare system in an increasingly interconnected world.
A Case Study
In an article by CBSNews, they wrote, “A database containing information on 5.6 million patient visits to Bluewater Health and the social insurance numbers of as many as 1,446 Chatham-Kent Health Alliance employees are among the data taken in the ransomware attack on five southwestern Ontario hospitals, officials said in a lengthy update Monday.
The update — including specific information about what was stolen from each hospital — comes after some data was published by the hackers online.
“All hospitals have some degree of patient and employee information affected,” the hospitals said in a joint afternoon statement. “All of our hospitals are diligently investigating the stolen data to determine who is impacted.”
The cyberattack on Oct. 23 has led to a system outage involving patient records, email and more at Windsor Regional Hospital, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health, and Chatham-Kent Health Alliance. It has also delayed appointments for patients.
Neither the hospitals nor TransForm — the hospitals’ IT and payroll administration organization, which is at the center of the attack — have paid the ransom demanded by the attackers.
TransForm says anyone whose data has been compromised will be contacted directly.
According to the joint statement from the hospitals, attackers were able to steal data from a shared file server that included patient data of “varied amounts and sensitivity.”
“The stolen data is in many formats, some of which are easier to analyze,” officials said in their statement.
Also targeted was a Bluewater Health patient database report.
Not stolen in the attack are databases related to employee payroll, accounts payable, electronic health record information at hospitals other than Bluewater Health, and donor information.
The hospitals called the information released Monday “an initial update on what is known to date,” saying that analysis is still ongoing.
Hospitals summarize the known extent of the breaches:
- Bluewater Health in Sarnia: The stolen database report includes information on 5.6 million visits made by 267,000 unique patients. The hospital says it is still determining the specific individuals included in the report, and it did not include clinical documentation records. Employee and staff SIN and banking information was not taken.
- Chatham-Kent Health Alliance: An employee database that contained information about 1,446 employees working at the hospital as of Feb. 2, 2021, was taken. That information includes names, SINs, addresses, and rates of pay, among other basic personal information. But, the database did not include professional staff or volunteers. No banking information was stolen. The CKHA’s electronic health record was not affected, but a shared drive did contain some patient information still being analyzed by the hospital.
- Erie Shoes HealthCare in Leamington:A “limited set” of stolen data includes 352 current and past employee social insurance numbers (SIN). The hospital says its entire workforce was not affected, so impacted employees will be notified directly. No banking information was stolen.
- Windsor Regional Hospital:Officials say a limited portion of a shared drive used by staff, some patients were identified, either by name only or with a brief summary of their medical conditions. The information does not include any patient charts or electronic medical records. Information pertaining to some employees, like staff schedules, was affected, but WRH believes no SINs or banking information was taken.
- Hôtel-Dieu Grace Healthcare in Windsor:The breached shared drive included some patient information the hospital is still analyzing. Some employee information was stolen, but the hospital says that does not include SINs or banking information.
The hospitals are all offering free credit monitoring to their employees and professional staff. Past employees whose information may have been affected, like at CKHA, can sign up in person at the hospital or will receive a letter with instructions.
The hospitals said they anticipate an update on the restoration of systems in the coming days, and they have reported findings to the Ontario Information and Privacy Commissioner.
“We condemn the actions of cybercriminals, in the healthcare sector and elsewhere, in our communities and around the world,” officials said. “We understand the concern this incident has raised within our communities, including patients and our employees and professional staff, and we deeply apologize.”
The update from the hospitals comes after another bunch of sensitive patient data was released onto the dark web by the cybercriminal group that has claimed responsibility for the attack, according to the author of a site that tracks data breaches.
This is the third round of data that has been published after the five hospitals agreed not to pay a ransom.
The first round of data, which included scans of patient information like records and claims, was published on Nov. 1. The second round of data, published on Friday, included COVID-19 vaccine records, including names and, in some cases, their reactions to vaccines.
This third round of data, according to DataBreaches.net— a blog that covers cyberattacks — was released on Sunday. According to Dissent, the third round of data includes some personnel information, sensitive patient information, and IT-related data.
They say this involves discharge data on patients between 2013 and 2015, as well as survey responses, patient complaints, and internal hospital reviews that have been done.
Dissent writes that their description of what data was leaked is “intended to remind the public what can happen when threat actors can gain access to a network and why entities need to really evaluate whether they have adequate security for sensitive files.”
How CyberAttacks on Hospitals Can Impact Their Patients
In excerpts from an article by ABC News, they wrote, “Jes Kraus was supposed to be going to the University of Vermont Medical Center every day for aggressive radiation and chemotherapy treatments to fight stage three colorectal cancer, for which he was diagnosed in September 2020.
But at the end of October 2022, the hospital called to tell him not to come in for his appointments until further notice. The medical center had just been hit by a cyberattack, which infected computer systems across the state and locked out healthcare workers from his treatment plan and other critical tools.
“Radiation was canceled for a week,” Kara Kraus, Jes’s wife, told ABC News. “We were afraid. We weren’t sure if that would affect the outcome. Again, the tumor, would it start growing back within that week? What was going to happen?”
The Kraus family’s experience is an increasingly common one, research shows. Hospitals have become a top target for ransomware gangs, which take control of vulnerable online networks and demand a ransom to unlock them, severely disrupting patient care in the process.
Healthcare systems are often underprepared to stop these attacks, cybersecurity experts said, even though research shows they come with very real health risks for patients.
“These are direct threats to patient safety,” John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, told ABC News.
When ransomware attacks hit hospitals, internet-based tools critical to patient care, which can include patient health records, imaging and lab results, communication links with other departments and hospitals, and more, are suddenly frozen.
When UVM Medical Center’s computers went down, the impact on patient care was “significant,” hospital President and COO Dr. Stephen Leffler, who was seeing patients as electronic communications went down, said.
“When the laboratory had a critical lab result on someone, they couldn’t put it in the electronic medical record,” he told ABC News. “They couldn’t call the floor. And so we literally had our administrators start going in the lab, standing there, and running a paper result to the floors.”
“Everything that we do and rely on was down,” he said. “We actually sent some staff to Best Buy to buy Walkie-Talkies!”
The attack disrupted UVM systems for 28 days, costing more than $50 million in damage.
For years, discussion of cyberattacks at hospitals has focused on threats to privacy. Hacks could expose personal information about patients and subject hospitals to fines under the Health Insurance Portability and Accountability Act, or HIPAA. But experts now say privacy concerns are increasingly overshadowed by potential harm to patients when a medical facility is forced to delay treatments and divert ambulances.
“This is not just a patient privacy issue,” Josh Corman, a leading expert on cybersecurity and health care, told ABC News. “This is a patient safety issue.”
Using data from the state of Vermont during the UVM ransomware attack, Corman and colleagues found that hospitals experiencing a ransomware attack hit a stress level linked to more patient deaths. The findings were published by the U.S. Cybersecurity and Infrastructure Security Agency.
And cyberattacks don’t just affect an individual hospital hit with the ransomware.
Newly published research in the journal JAMA Network Open documents a ripple effect that can impact health care and the patient experience across an entire region.
The study looked at the fallout from a single ransomware attack on a single San Diego hospital in 2021. It found that emergency rooms at adjacent hospitals had more ambulances arrive and, saw more patients than normal, and had longer wait times for all patients seeking care. The number of situations where a patient left without being seen by a doctor rose by 127%.
“Patients don’t stop getting sick just because a hospital is hit by a ransomware attack,” Dr. Christian Dameff, lead author of the study and emergency physician at the University of California, San Diego, told ABC News. “They have to go somewhere. So what this research shows is that those patients go to neighboring hospitals that can be overwhelmed.”
Dameff calls it the blast radius. “It truly affects the entire community,” he said.
The U.S. Department of Health and Human Services concluded in an April report that cyberattacks are the single “largest threat” to America’s hospitals, deserving “immediate attention” because of the “threat to life.”
Most hospitals still aren’t adequately prepared to prevent and respond to the threat, experts say. Bigger hospitals generally have the resources to invest in cybersecurity, but smaller ones don’t — particularly after the financial strain of the pandemic. Nearly all hospitals surveyed in the HHS report said they use software with “known vulnerabilities;” only half said they had a plan to address those shortcomings.
“We’re not yet in a place where we can reliably say the hospital your family depends upon in most of America is, at a minimum, cyber hygiene-level sufficient to fend off preventable attacks,” Corman says.
It’ll take investment and more federal regulation to fill those gaps, Corman said. There’s some movement: the U.S. Food and Drug Administration now requires that medical devices meet cybersecurity standards, and members of Congress are considering introducing legislation that would set mandatory cybersecurity minimums for hospitals.
There also needs to be more cybersecurity and preparedness education for healthcare workers, Dameff said, so that doctors and nurses are prepared for a situation when their networks do go down, and they’re not able to rely on digital tools.
“It can happen to you – even when you think it’s impossible,” said Leffler of his message to other hospital administrators.
Raising awareness and encouraging action around healthcare cybersecurity has been difficult, Dameff said. People in the field worry that talking about it will discourage patients from trusting healthcare institutions, for example, he said.
But, more and more leaders in health care are starting to recognize the issue. “These attacks are becoming so frequent and so sophisticated. Hospital defenses aren’t nearly up to snuff to prevent these types of things from happening,” Dameff said.
Hospitals are, instead, left scrambling when an attack hits. That’s what happened with Jes Kraus’s care at UVM. Luckily, his oncologist was able to get his radiation treatments moved to another hospital, and his cancer is currently in remission. Still, it was stressful to figure out and coordinate a new way to get care.
“In the grand scheme of things, it’s easy to look at it now and say, okay, yeah, it was a week delay [in treatments], and it didn’t really impact [my prognosis], but I hope that it’s been a lesson learned to hospitals,” Kraus said.
Why Hospitals Are Being Targeted by Cyberattacks
In an article by NewsWTTW, they wrote, “Hacking is a growing concern for hospitals and health institutions.
Cyberattacks on hospitals and health systems more than doubled from 2016 to 2021, according to a JAMA report.
More recently, 2,000 Lurie Children’s Surgical Foundation patients saw their social security numbers leaked to a still-unknown party, along with their names, dates of birth, and addresses.
“People at least presume that there’s a lot of money in hospitals. … It’s an easy target,” said Robert Wagner, chief information security officer with ISSA’s Chicago chapter and co-founder of Hak4Kidz. “Right now, hospitals have been focused mostly on patient safety, not cyber security, so when it comes to systems like these, they haven’t even really thought of themselves as being a target for attacks.”
But realistically, from a criminal’s point of view, he said, hospitals are the most likely to pay — and they’ll pay fast.
“They’ve got lives on the line,” Wagner said. “No hospital wants to put their patients’ safety at risk, so they’re going to be more likely to pay it than a financial institution.”
In a 2022 report, the FBI called health care the No. 1 critical infrastructure attack target in the country.
“What they’re looking for is patient data, and that can be social security numbers, financial information, patient health records as well,” said Patrick Dolan, security software specialist at LRS IT Solutions. “Really anything that can be used for either setting up some sort of hack and hopefully having a hospital pay a ransom of whatever amount it may be, or using that information and selling it on the dark web.”
There have been some scenarios when an attack shut down hospital systems. A baby in 2019 died because the staff wasn’t able to monitor the health vitals of that baby during birth.
To prevent these attacks, Dolan said it’s important to have the basics of cybersecurity down.
“That can include things like having an up-to-date incident response plan, understanding within the organization who has access to your data and what they’re using it for, understanding where that sensitive data is, and doing things around protecting endpoints as well,” Dolan said.
Conclusion
The recent surge in cyberattacks on healthcare institutions underscores the pressing need for hospitals to prioritize and fortify their cybersecurity measures. The case study of a ransomware attack on multiple southwestern Ontario hospitals vividly illustrates the profound consequences of such breaches, ranging from compromised patient data to disruptions in critical healthcare services. The incident not only exposed the vulnerabilities within the hospitals’ digital infrastructure but also served as a stark reminder of the potential threats that can undermine patient safety and overall healthcare operations.
The impact of cyberattacks on hospitals extends beyond the compromised security of sensitive information; it directly affects patient care. The case of Jes Kraus, whose cancer treatment was disrupted due to a cyberattack on the University of Vermont Medical Center, underscores the real and immediate threat these incidents pose to individuals’ health and well-being. Ransomware attacks, in particular, freeze essential online tools critical to patient care, leading to delays in treatments, compromised patient records, and increased stress levels for both healthcare providers and patients.
Research indicates that the consequences of cyberattacks on hospitals reverberate throughout the community, affecting adjacent healthcare facilities and overwhelming emergency services. The interconnected nature of healthcare systems means that disruptions in one institution can lead to cascading effects on patient care region-wide. The ripple effect of a single ransomware attack on a San Diego hospital resulted in increased ambulance arrivals, longer wait times, and a surge in patients seeking care at neighboring hospitals, emphasizing the broader community impact.
The urgency of addressing cybersecurity in healthcare is further emphasized by the alarming increase in cyberattacks on hospitals. The healthcare sector has become a prime target for malicious actors due to the perceived financial incentives and the critical nature of patient data. The FBI has identified healthcare as the No. 1 critical infrastructure attack target in the country, with cybercriminals seeking valuable patient information, social security numbers, and financial data. Hospitals, traditionally focused on patient safety rather than cybersecurity, must recognize the evolving threat landscape and take proactive measures to safeguard not only their data but, more importantly, the lives and well-being of the patients they serve.
As hospitals grapple with the escalating frequency and sophistication of cyber threats, a comprehensive and proactive approach to cybersecurity becomes paramount. Investment in robust cybersecurity measures, education and training for healthcare staff, and adherence to cybersecurity best practices are critical steps toward building a resilient defense against cyber threats. Moreover, collaboration within the healthcare industry, sharing insights and best practices, is essential to create a united front against cyber adversaries.
In conclusion, the imperative for hospitals to take cybersecurity seriously is not just a matter of protecting data; it is a fundamental commitment to preserving patient safety, maintaining trust in healthcare institutions, and upholding the integrity of the healthcare system as a whole.
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every device connecting to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca