Most Hospitals Have Outdated Cybersecurity Software, Making Them An Easy Target

Introduction

It was recently reported that over half of medical devices have critical security vulnerabilities (Cynerio, Jan 19, 2022). Healthcare organizations are an easy target for cyberattacks due to their weak defenses, and something must be done about it for the safety of the public.

Why is this a big issue?

Hackers are becoming increasingly successful in breaching healthcare organizations’ data and this problem has been running rampant for the past few years. These data breaches have huge consequences for everyone.

For example, Maryland’s Department of Health was hit with a devastating ransomware attack, which gave hospitals a difficult time, especially given the higher hospitalization rates due to COVID-19. One major consequence of this data breach was that the department couldn’t release its case numbers over the course of a few weeks, hindering its ability to take well-informed action in response to COVID-19 and to notify other states of its case numbers (ZDNet, Jan 12, 2022).

Recent research reveals that ransomware attacks are posing serious threats to healthcare consumers, including increased mortality rates and complications in treatment that often increase recovery time or yield incomplete recoveries.

Some examples of hospital equipment that are especially vulnerable to attacks are:

  • IV pumps, 73% of which possess a serious vulnerability that can threaten patient safety, leak confidential data, or limit the accessibility of the pump itself in the case that it is targeted in an attack (Cynerio, Jan 19, 2022).
  • Any devices using versions older than Windows 10, which make up the majority of the devices in a multitude of healthcare departments. This presents potential danger to patients connected to any of these devices (Cynerio, Jan 19, 2022).

How is this issue being addressed, and what are the challenges in doing so?

According to an article by Cynerio on January 19, 2022, the use of network segmentation is sufficient to prevent over 90% of the security dangers associated with medical devices in hospitals, and is the most effective method in doing so. However, this article does not mention the logistics of such an implementation in terms of time or money.

Another strategy for improving the security of data in hospitals is to have up-to-date software. The old software that is still in use in many healthcare organizations presents a significant variety of shortcomings with regard to protecting against cyberattacks. These organizations could improve on this by updating to more recent and higher quality software. This proves to be a strikingly difficult challenge, however, as investing in an area such as this does not produce revenue for the organization.

Further, any attempt made by healthcare organizations to predict the cost-effectiveness of upgrading software appears to be a fruitless effort, as technology has been evolving far too rapidly for there to be any significant historical evidence to inform such a decision. 

Yet another struggle for hospitals is the lack of individuals with expertise in the field of cybersecurity working in healthcare. For example, only 21% of hospitals had a dedicated security executive in 2019, and only 6% were identified as a Chief Information Security Officer. There is a significant rush for hospitals to hire cybersecurity professionals, which is leading to such high demand that cybersecurity companies are providing hospitals with a growing array of services (Black Book Research, Nov 4, 2019).

Due to this lack of knowledge, healthcare organizations remain unaware of which solutions exist, let alone have the knowledge necessary to know which ones are best suited for them. An additional result of this is that hospitals are unable to put in their due diligence for testing their cybersecurity systems, thus causing them to deal with attacks retroactively rather than proactively.

What does the future of cybersecurity in healthcare look like?

Over the past few years, healthcare organizations have become increasingly aware of the dangers associated with cyberattacks, so it is becoming increasingly common for them to set concrete goals in terms of cybersecurity (Black Book Research, Nov 4, 2019). This will allow them to attain measurable results and assess their ability to protect themselves against cyberattacks. The vast majority of healthcare organizations predict an increase in cyberattacks against them in the future, thus giving them a good reason to improve upon their existing systems. Alas, we can only hope that in the future, healthcare organizations will choose to pay more attention to the security of their data so they are better enabled to save more lives.

Key Takeaways

Healthcare organizations have been a very common target for cyberattacks in recent years, and this danger’s presence is only projected to increase in the coming years. This happens for a multitude of reasons, most of which lie in the inability of healthcare organizations to address such issues and a lack of experience with attacks of this nature in the ever-evolving digital landscape. Hopefully, they will be able to find effective security solutions in the coming years as the attacks inevitably continue.

36 Comments

  1. I have definitely heard of this issue before, and it’s very disheartening. I would imagine that a place that saves lives and improves people’s quality of life would make sure their security (both physical and digital) would be rock solid and up-to-date, but evidently that doesn’t seem to be the case. Although it is great to hear healthcare organizations are starting to put cyber security first.

    My question is though, is this the same everywhere in the world? I feel like a lot of these stories of cyber attacks on healthcare organizations come from the US, although I could be completely mistaken. Do places in Europe or here in Canada get frequent attacks? It’d be super interesting to see a comparison. Excellent (and super important) topic and post!

    1. thanks for the comment! Yeah, it definitely would be interesting to see how much this would apply to healthcare in other areas, especially since I’m assuming most of us are in Canada. Unfortunately I didn’t think about its relevance to us until I started doing it. But that’s okay, it was still an interesting topic to write about!

  2. Wow, super interesting post! It’s a little disappointing to hear that our hospitals do not have proper cybersecurity software. That is because 1 hack could indeed literally mean life or death for patients…a little scary to think about. Happy to hear that healthcare organizations are taking this issue seriously and are working towards decreasing the number of attacks on hospitals.

    1. Yes, the consequences seem to be quite significant that it’s surprising that things like this are happening. It seems like many things could use an upgrade in security, so hopefully that issue surfaces as more public knowledge so that more can be done about it.

  3. Hi Raine,
    This was a good read! As somebody that works in healthcare here in Alberta, I can say that there is indeed a lack of emphasis in terms of cybersecurity. From what I have seen, the best they can come up with is having users change their passwords every few months. One problem I can see in healthcare is the demographic of the workers, as a lot of the people I work with are more progressed in life and already used to the past, and possibly less secure, systems. Additionally, it is not uncommon to see passwords for lab machinery just out in the open for others. I can imagine maintenance workers walking by and being able to access them no problem. If this trend continues, I can definitely see cyberattacks becoming more and more common in the healthcare industry. I definitely agree with you on the point that we need to find more effective security solutions.

    1. That is so true. I think better security practices need to be taught to the general public. It’s such a new issue that I can see why it hasn’t been properly dealt with yet, and there’s definitely a need for an upgrade.

  4. Great post!
    I always thought hackers would not attack hospitals’ systems because they should have morals. After I read your blog, I have realized that I was wrong. My grandfather (my mother’s father) is a doctor who works in a hospital in my home city. Last year, when I lived in my home city, we had talked about the operating systems in hospital equipment. He told me it was very hard to update the operating system in hospital equipment because this kind of equipment is very professional. So, I agree with you, the hospitals should pay more attention to cybersecurity.

    1. Yes, it’s quite unfortunate that people would take advantage of situations like this. It definitely appears to be that hospitals and many other types of organizations don’t put enough emphasis into cybersecurity because I think it would greatly benefit them in the long run to put in the money required to stay relatively up-to-date.

  5. This post is very well put together!
    If the numbers from Cynerio are accurate, then it’s insane that almost 3/4 IV pumps are vulnerable to attacks. If protecting patients isn’t a worthwhile investment for hospitals, I don’t know what is. To think that these healthcare organizations have to consider whether updating their networks & software is worth the money seems absurd, since it could cost much more than just money should they be targeted.

    1. Thanks for the comment! That’s very true sadly, hospitals do need to step up their game with that. I think that it’s sadly due to a lack of awareness of the issue, causing them not to know the danger of their poor security practices. I do think that it’s slowly gaining traction in public knowledge, so hopefully that awareness will be gained sooner rather than later.

  6. Crazy to think that hospitals are this vulnerable. With so many devices prone to failure if hacked into, a hacker that has control over the machines connected to hospital patients could surely lead to a hostage situation if the hacker so desired. You mentioned that IV pumps and machines operating below Windows 10 were susceptible, so has a situation like this already occurred? Or is it mostly just an attack for the hospital’s data?

    1. Thanks for your comment! It is quite sad to see how vulnerable hospitals are in this regard. And yes, ransomware is used all the time to compromise functionality of a machine, and it costs hospitals a large sum of money to get their machines back by paying the attacker however much they request for it.

  7. It’s really unfortunate to see not only how vulnerable hospitals are to cyber security attacks, but also the fact that hackers are targeting attacks on a place that saves lives. It’s great to see how hospitals are starting to take cybersecurity a little more seriously.

    One question I’m interested in hearing about is how are these hospitals getting hacked? Also, what about other industries? Healthcare organizations probably aren’t the only organizations that have weak cybersecurity practices. Are there any other industries (idk maybe public transit or something) that may be similar? Thanks for the amazing post!

    1. Thanks for your thoughtful comment! It seems that hospitals have a lot of data to steal, making them a profitable target for attackers. Considering that this is primarily about hospitals in the US which are a private healthcare system, I think the main reason they have poor security practices is that they are more concerned with turning a profit, but somehow also don’t take into account the money lost in attacks. That’s just speculation though, and it’s just what I came up with. I don’t really know whether poor cybersecurity practices would be a more significant issue in public or private sectors, but my best guess would be that private sectors would be the last to invest money into good security. That’s quite a challenging question to answer, and very interesting to think about!

  8. Great post! Following up with Caitlin’s comment, I’d also be curious to know how often these hospitals’ IV pumps are being attacked? It truly sucks how hackers are attacking hospitals, especially during a pandemic…. It really makes me wonder what these people gain from harming healthcare organizations that are only trying to help the public. Due to the large number of equipment present in a hospital, I’d assume a cost-effective solution is pretty difficult to execute, but I really hope healthcare organizations can figure something out!

    1. Thanks for the comment! Unfortunately it’s happening far more often than it should. I completely agree with you that it’s a shame hospitals are being attacked, seeing as that’s where the most vulnerable people are. I think the solution to this would be to have a greater presence of people knowledgeable about security, working in the healthcare sector. The shortage of these people is definitely one of the main reasons why hospitals are so susceptible to attacks, so hopefully there will be more of these people in the future.

  9. Interesting post! It seems that many parts of the healthcare industry tend to delay updating their infrastructure, even when vendor support for their systems has ended. I remember hearing about a lot of hospitals being victimized during the Wannacry ransomware attack, with the National Health Service (NHS) in the UK being one of the hardest-hit. It seems that a lot of critical systems were still running Windows XP and Windows Server 2003. By that point, neither of those operating systems had been patched against the EternalBlue exploit, since they were both considered out-of-support by that point. It was only after the damage had been done that Microsoft decided (without any obligation) to issue emergency updates to both operating systems.

    1. Thanks for your comment! It’s quite crazy to think that hospitals had to rely upon Microsoft updating software they had already ended support for. It’s very unfortunate that old software is used all the time, making it so easy to breach its cybersecurity systems. I sure hope hospitals will be able to proactively deal with these attacks, but it surely is complicated to update everything. It’s a huge cost, but it just needs to be paid in order to keep everyone safe.

  10. This is very shocking that hospitals are lacking the infrastructure to protect themselves from cyber attacks. Morally it seems wrong to target a location that works on saving individuals’ lives. It may require a larger investment to work in protecting from these cyber attacks instead of continuously paying these hackers out. In the long term the investment would be worth it in my opinion.

    1. I fully agree with you, it’s quite ridiculous that this is the case. Playing the long term would be much more effective, but I think that it’s still such a new issue that the foresight required for that just isn’t there yet.

  11. This post surprised me that the medical equipment in the hospital has such a serious safety hazard. Through your article, I realized that the main reason why hospitals have security risks is that they lack awareness of network security and do not spend time on software and technical personnel. Therefore, the hospital is very passive to the hacker’s network attack. I totally agree with your idea. The hospital should pay attention to the safety of the network. Hospital executives should improve updating soft systems and strengthen passwords, and hire professional security technicians to protect hospital security.

    1. Thanks for your comment! It’s sad to see that nothing much is being done about it and that hackers can easily slip through the weak defenses. Hopefully hospitals will soon begin to realize the importance of defending their data.

  12. This is a very good post. It’s hard for me to imagine a situation where the family of a patient has just been scammed after paying a huge amount of money for treatment. It honestly blows my mind that an institution like a hospital doesn’t take cyber security seriously. First of all for institutions like hospitals and banks, they themselves know a lot more about people. And for such institutions, most people will upload their personal information with trust. Personally, I think it is impossible that these institutions have not considered the importance of cybersecurity, but I am disappointed by the delay in change.

    1. Thank you for your thoughts! It’s definitely quite unfortunate that hospitals are slow to change their approach to cybersecurity. I don’t really know what it would take for hospitals to take action on this issue faster, but whatever is needed is definitely missing. Though I did mention a lack of cybersecurity professionals in healthcare, it seems like hospitals would ideally be quite easily made aware of the issues without needing a staff member to advise them of the issues.

  13. Thank you for sharing this topic. I have noticed that some hospitals are using very old OS versions. Maybe for doctors, the computer in the hospital only needs to be able to type, upload and download cases. However, the personal information on the case is even more complete than that on the ID card, and there is even personal physical condition information.

    1. Thanks for sharing your thoughts! Hospitals have much more information than they should be letting slip out of their control. I suppose it’s simply a lack of knowledge about a rapidly developing issue and the hesitance to invest effectively in defending themselves that hospitals simply end up failing to respond appropriately.

  14. The fact that hospitals lack the means to protect themselves against cyber threats is frightening. Targeting a facility that works to save people’s lives feels very bad to me. Rather than paying hackers on a regular basis, it may be necessary to make a greater expenditure to safeguard against cyber assaults. This is one of the disheartening posts that I have read. I know hospitals are some of those places which we have to rely on in our society and hacking their database is so bad. I still know there are countries where hospitals charge a lot of money like the U.S. and even Canada (if you don’t have a health card) and I wish they put a little money into protecting their systems from these kinds of cyberattacks. Nice post though!

  15. This kind of attack could definitely give “ransom”-ware a whole new kind of meaning, especially if it could be directed at certain targets. I know for sure the last time I would want something being hacked is if it was my IV or other life support systems keeping me alive during surgery, or illness. It’s good that steps are being taken to further cybersecurity inside of hospitals and the healthcare setting, as they contain our most vulnerable people as well as a large store of important and private medical information. Not only this, but having to bleed money out to hackers would reduce the funding available to save lives and provide good healthcare, so it is important on multiple levels to have adept cybersecurity in a healthcare setting. Thanks for sharing!

  16. Great Post! Health care data breaches are a growing threat to the health care industry, causing not only data loss and monetary theft but also attacks on medical devices and infrastructure. The health care industry has lagged behind other industries in protecting its main stakeholder.

  17. My girlfriend works at the hospital and one time at her work I got a chance to see the computers as well as the login screens and oh my goodness just from the UI you can tell it was made decades ago and simply go for basic functionality. I wondered if a basic inspect element might be enough to see the inner workings of the website.
