Key Takeaways
- The healthcare sector faces unique and severe cybersecurity threats that can lead to prolonged care disruptions, patient diversions, and delayed medical procedures.
- Healthcare systems are particularly vulnerable due to outdated legacy systems, a wide range of connected medical devices (IoMT), and the extensive use of personal devices without adequate security.
- To combat these challenges, the future of healthcare cybersecurity is leaning towards advanced technologies such as artificial intelligence and machine learning for real-time threat detection and blockchain for securing patient data.
As technology has rapidly transformed our entire world, perhaps no other vital industry has gone through a massive technological overhaul like the healthcare sector. Over the years, the integration of advanced technologies such as electronic health records (EHRs), telehealth services, and connected medical devices has increasingly optimized healthcare in the United States, leading to improvements in patient care and operational efficiency.
Examples Of Successful HealthTech Integration
EHRs have become the cornerstone of modern healthcare. EHRs provide a comprehensive digital version of a patient’s medical history, accessible across different healthcare settings. This digital repository includes patient demographics, medical history, medications, immunization dates, allergies, lab results, and radiology images. The implementation of EHRs has led to improved accuracy in patient records, reduced physical paperwork, and better coordination of care among healthcare providers.
Furthermore, telemedicine and telehealth technologies have revolutionized how patients receive care, particularly during the COVID-19 pandemic. These technologies enable remote consultations, allowing patients to connect with healthcare providers from the comfort of their homes. Telemedicine has expanded access to healthcare, especially in rural and underserved areas, reduced or eliminated travel time and costs for patients, and facilitated ongoing care for chronic conditions.
However, nothing is without its costs, and cybersecurity has become one of the main issues in healthcare technology. Adopting healthcare technology is a complex process that demands careful planning and significant implementation time. As a result, healthcare organizations are vulnerable to modern threats because they have struggled to keep pace with evolving security challenges. Due to the nature of patient records and the reliance on technological systems to maintain them, cyber-attacks on hospitals and healthcare providers have become a regular phenomenon.
Cybersecurity Threats In Healthcare
Cyber threats come in various forms, including malware, ransomware, phishing, and data breaches. These attacks can have devastating consequences, compromising patient safety, causing financial losses, and damaging the reputations of healthcare organizations.
Since 2021, primary intrusions causing disruption and damage have increased by 50% across all sectors and industries. Ransomware has emerged as the most significant threat to healthcare, requiring urgent attention, particularly due to the critical impact service unavailability can have on patient care and safety.
According to a strategy report by the U.S. Department of Health and Human Services (HHS), healthcare facilities are attractive targets in light of their size, technological dependence, sensitive data, and unique vulnerability to disruptions. HHS tracks significant data breaches through its Office for Civil Rights (OCR), and the same strategy report shows a 93% increase in these breaches from 2018 to 2022 (369 to 712), with a 278% increase in those involving ransomware specifically over the same period.
Figure 1 illustrates a comparison of the various sectors that have been affected by cyber incidents in 2023.
The Impact Of Cyber Incidents
Cyber incidents in hospitals and health systems have resulted in prolonged care disruptions due to multi-week outages. Examples include:
- Forced patient diversions to other facilities, which place significant strain on acute care capacity
- Canceled medical appointments
- Unprovided services or treatments
- Delayed procedures, particularly elective ones
More critically, these disruptions jeopardize patient safety and affect local communities that rely on essential services such as emergency departments, radiology units, and cancer centers for life-saving care.
Politico reports that mortality rates increased at a quarter of the facilities following a ransomware attack. In 2020, a ransomware attack forced a hospital in Düsseldorf, Germany, to close its emergency department, and a patient died in an ambulance while being rerouted to another hospital. In another 2020 incident, a woman sued an Alabama hospital after the death of her newborn baby, alleging that doctors failed to carry out critical pre-birth testing due to a cyberattack on the hospital, which meant the baby was born with the cord around its neck. This led to brain damage and — a few months later — the baby’s death, she argued.
Healthcare’s Vulnerabilities
Beyond the typical attack vectors faced by all enterprises, healthcare organizations contend with various unique challenges. These include a wide range of connected medical devices (Internet of Medical Things, IoMT), the use of personal devices that may lack sufficient security measures, and numerous third parties accessing sensitive patient data and critical assets within hospital settings. Additionally, the rise of remote work and virtual doctor visits spurred by COVID-19, along with the hastily implemented but not always adequately secured IT infrastructure, has created even more opportunities for cyber attackers.
Moreover, according to an article by CyberArk, the value of personal healthcare information (PHI) to threat actors is high. The richness of personal information within these records allows for its use in identity theft, healthcare insurance fraud, and other malicious activities. Therefore, each medical record can fetch hundreds of dollars on the black market — a lot more than a stolen credit card number, for example. This provides ample motivation for a thriving criminal enterprise that viciously targets those who have no means to defend themselves while irrevocably weakening the healthcare institutions that serve these patients.
Areas of Potential Improvement
To combat these weaknesses, it is essential to understand the underlying systemic failures that allow these attacks to occur in the first place. According to the Hospital Cyber Resilience Initiative analysis survey:
- 89% of the hospitals conduct regular vulnerability scanning at least every quarter; however, the survey also showed that their use of advanced forms of testing, such as penetration testing, red team, purple team, and tabletop exercises, was 20% or lower.
- 70% of hospitals are conducting vulnerability scans against websites exposed to the internet, yet only 53% have a documented plan for addressing identified vulnerabilities.
- Over 90% of hospitals are adopting multi-factor authentication (MFA), with 84% of MFA used for virtual private networks (VPNs) and 88% used to protect emails.
- 86% of the hospitals inform and train staff on their cybersecurity-related duties and responsibilities. However, data suggests considerable variability in the training provided, and little evidence was available to illustrate the adequacy of the training.
Disparities also exist within different tiers of hospitals. Large, well-funded hospitals are generally more likely to invest in cybersecurity measures, but struggling rural clinics rarely have the means or technical resources to protect themselves against hackers. The hospitals that participated in the HCRI study instruments were able to quantitatively determine their current set of cybersecurity capabilities. In conversations with cybersecurity professionals at smaller hospitals (not participating in the survey), it was noted that knowledge of resiliency coverage was limited, with a minimal ability to stay current on threats, and that slim to negative financial margins inhibited cybersecurity investments. Variation in investment was witnessed even among larger hospitals reporting mature cybersecurity controls, where the range of investment spanned a ~166% difference, from the lowest normalized cybersecurity investment of 0.07% to the highest of 0.75% of revenue.
The Direct Impact On Patient Care
As these attacks have unfolded more frequently in recent years, the United States has experienced several large healthcare cyber breaches.
A Recent Example: Change Healthcare
On February 21, 2024, an attack was detected by Change Healthcare, a Nashville, TN-based provider of healthcare billing and data systems. UnitedHealth Group owns Change Healthcare and Optum, the healthcare provider. Change Healthcare provides prescription processing services through Optum, serving over 67,000 U.S. pharmacies and 129 million patients. Change Healthcare handles more than 15 billion healthcare transactions annually and says its clinical connectivity solutions touch one in three patient records in the United States. Tricare, the U.S. military’s healthcare provider, also uses Change Healthcare.
The disruption caused by the Change Healthcare cyberattack affected all military and retail pharmacies, clinics, and hospitals in its nationwide network, leading to delays in processing prescriptions and the inability to send orders through insurance plans.
In the immediate aftermath, the company scrambled to reinstate lost services and keep up with an already overloaded patient system. Although the week following the attack was disastrous for all the medical care providers reliant on the company, the true extent of the damage has only recently come to light.
According to UnitedHealth Group’s (UHG) update, the total cost of the downstream effects of the Change Healthcare attack is now predicted to be between $2.3 billion and $2.45 billion this year, exceeding the $1 billion previously reported.
Most of Change Healthcare’s systems have been restored and are fully operational. UHG has so far provided more than $9 billion in advanced funding and interest-free loans to help providers who have been unable to bill for their services due to the disruption.
However, survey results from the AMA (American Medical Association) demonstrate that the economic harm to practices and patient-care impact is ongoing, and the threat to the viability of physician practices across the country continues.
According to the survey, 60% of physicians continue to face challenges verifying patient eligibility, 75% face barriers with claim submission, 79% cannot receive electronic remittance advice, and 85% continue to experience disruptions in claim payments.
This new survey builds upon the previous survey results released on April 10, which indicated that service disruptions from the cyberattack have led to severe consequences for physician practices: 80% have lost revenue from unpaid claims and have committed extra staffing/resources for revenue cycle tasks; 78% have lost revenue from claims that they couldn’t submit. It is also important to note that restricted functionality since the cyberattack has resulted in 36% of respondents reporting suspension in claim payment, with 32% unable to submit claims and 22% unable to verify eligibility for benefits. Practices of 10 or fewer physicians appear to be particularly hard hit.
This attack is one of many that have threatened the entire digital healthcare ecosystem. There have also been new reports of various healthcare systems suffering cybersecurity breaches, such as Ascension, Eskenazi Health, and Capital Health.
Future Trends In Cybersecurity
As the healthcare sector embraces digital transformation, it must also focus on protections to meet emerging cybersecurity challenges. One significant trend is the increasing use of artificial intelligence (AI) and machine learning to enhance threat detection and response. These technologies can analyze vast amounts of data in real time, identifying patterns and anomalies that may indicate a cyber attack.
Additionally, blockchain technology is gaining traction for its potential to secure patient data through decentralized and immutable records. The rise of personalized cybersecurity measures tailored to specific healthcare environments and individual user behaviors is also anticipated, improving the overall security posture.
Furthermore, integrating advanced encryption techniques and zero-trust architecture is expected to fortify defenses against unauthorized access. As telehealth and remote patient monitoring continue to grow, developing secure communication channels and robust remote access protocols will be critical.
These advancements, coupled with ongoing cybersecurity education and awareness programs for healthcare staff, will play a pivotal role in safeguarding healthcare systems against future cyber threats.
Rida Zaneb
Rida is currently pursuing her B.A. in Mathematics and English at Kenyon College. She is deeply interested in the intersection between technological innovation and human connection.