Nick Huber
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
An increase in cyber attacks on the healthcare sector is jeopardising patient safety, and prompting some governments to publish new cyber security standards.
Publicly disclosed global cyber security breaches between January and September last year showed that the healthcare sector suffered more attacks (241) than any other sector, ahead of government (147), and information technology including software, hardware and IT services (91), according to research by Omdia, a technology research provider.
The most common type of cyber breach in healthcare was hacking, followed by supply chain attacks, “phishing” (where cyber criminals pose as legitimate organisations to trick people into disclosing passwords and payment details), and “ransomware”, in which hackers use malicious software — “malware” — to encrypt data until the victim pays a ransom to unlock it.
“The healthcare sector is such a tempting target [for cyber security criminals] because . . . you can put lives at risk,” says James Lewis, a cyber security expert at the Center for Strategic and International Studies, a US think-tank.
The UK’s National Health Service has been hit by significant ransomware attacks. In 2017, the “WannaCry” attack is estimated to have cost the NHS £92mn and caused the cancellation of 19,000 patient appointments. Another hacking, in 2022, took down the non-emergency 111 service, and disrupted management systems for mental health services and emergency prescriptions.
Recommended
Cyber attacks on hospitals in Germany and the US have also disabled their systems — forcing them to reschedule some procedures and temporarily divert patients to other facilities until the systems were brought back online.
And, in another case, in Finland, the confidential records of thousands of psychotherapy patients were hacked and leaked online — with others blackmailed to keep the data private, according to reports in the national media.
“Almost every hospital CEO I speak to . . . now [says] that cyber risk is their number one or number two enterprise risk issue,” says John Riggi, national adviser for cyber security and risk at the American Hospital Association (AHA), which represents hospitals and healthcare networks. “It’s one of the main issues that keep them up at night.”
Technology is making cyber crime easier to commit. Tools and services are available on the dark web, so cyber criminals do not necessarily require sophisticated technical skills.
Even as healthcare organisations become better at protecting themselves from one type of attack, such as ransomware — by restoring locked data from backups, for example — cyber criminals switch tactics.
Almost every hospital CEO I speak to . . . now [says] that cyber risk is their number one or number two enterprise risk issue
Industry specialists report that some criminals now steal, rather than encrypt, highly sensitive medical data and threaten to publish it on the dark web, unless the healthcare provider or patient pays a ransom using a cryptocurrency.
“Ransomware operators have become smarter,” says Elia Zaitsev, chief technology officer at cyber security supplier CrowdStrike. “In many ways, the extortion model is actually simpler for them from a technical perspective.”
Old healthcare IT systems also make the process easier for criminals.
In many NHS organisations, legacy systems can account for between 30 and 50 per cent of all IT services, says Josh Chandler, chief digital information officer at Bedfordshire Hospitals NHS Foundation Trust in eastern England.
Some of these old systems may have been designed more than 20 years ago and may not have been upgraded for more than 10 years, he adds. “[The IT systems] haven’t stayed up to date with technological advancements [while security] threats have increased around them.”
Annual audits of an organisation’s cyber security and a “zero trust” approach (assume any user or device may be a risk until proven otherwise) can mitigate threats to old and new healthcare IT systems, experts say.
So can widely used antivirus software, which protects computers and laptops from malware, ransomware and other information security threats, as well as “intrusion detection” software, which spots potential suspicious activity in hospital computer networks — for example, attempts to steal clinicians’ passwords or approve fake invoices.
In addition, a new type of cyber security software — “extended detection and response” or “XDR” — can give organisations an overview of multiple security threats. It gathers data from IT applications, networks, hardware and email traffic, and sometimes uses artificial intelligence to monitor threats in real time.
There is also specialist security software to protect hospital hardware: medical devices, including heart monitors, life support machines, and infusion pumps. It will play an even more vital role as the number of internet-connected medical devices rises from 503mn in 2021 to 760mn by 2026, based on forecasts from research company IDC.
“If you think about a hospital bed . . . it’s basically a computer acting as a bed,” says Katell Thielemann, a cyber security expert at research company Gartner. “For a long . . . time patient safety was sort of built in to the medical device manufacturing lifecycle, but [cyber] security was almost an afterthought.”
Although medical devices are not thought to be commonly hacked, the US Government Accountability Office, a spending watchdog, warned last year that security vulnerabilities within devices were a risk to hospital networks and patients.
Recommended
Politicians appear to be taking notice. Last year, the US and UK governments announced strategies for strengthening cyber security in healthcare.
The UK’s plan — which applies to England, but stresses the need to “work collaboratively” with the devolved administrations in Scotland, Wales and Northern Ireland — includes identifying parts of the healthcare system where a cyber attack would cause the most harm to patients, and “embedding security” into emerging technology.
The strategy of the US Department of Health and Human Services includes minimum standards for hospital cyber security — with bigger fines for non-compliance — and government funding to help the sector improve security.
The AHA says it is keen to work with the US government to raise standards but adds that software suppliers must take action, too. “We need our technology providers to provide us with better secured technologies,” says Riggi.
That — combined with adopting international standards for healthcare cyber security, and putting more cyber criminals in prison — may help the sector mitigate numerous threats, experts say. But it will probably remain a prime target for cyber criminals, they warn.
“The threats will evolve as attackers deploy new tactics, and the [defences] will evolve as cyber security tools mature,” says Gartner’s Thielemann. “It’s . . . a cat-and-mouse game.”
International Edition