The first known fatality resulting from a cyberattack was reported in September 2020. Ransomware hit a hospital in Düsseldorf, Germany, crashed its systems and forced it to turn away emergency patients. As a result, a woman with a life-threatening condition was sent to a hospital 20 miles away and died from treatment delays.
While this incident is an anomaly, healthcare cyber-attacks are increasing in size and frequency, and it reveals how much disorder and chaos an attack can create.
In late October, the FBI, Department of Homeland Security, and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory warning of impending malware attacks against the U.S. healthcare system designed to lock up and ransom hospital information systems and data. The group behind the attacks was demanding more than $10 million ransom from each target, and more than 400 hospitals and medical facilities had been targeted.
Healthcare is the industry most exposed to cyber-attacks. Healthcare data breaches and ransomware attacks in 2019 cost the industry over $4 billion (Black Book Market Research, 2020), and the industry accounted for 4 out of 10 data breaches. According to IBM, the average cost of a healthcare data breach in 2020 was $7.13 million, and of the 17 industries surveyed annually, healthcare has ranked first in average cost for the past 5 years. What’s even more frightening is that the average time to identify and contain a breach in healthcare is a staggering 329 days (IBM, Cost of a Data Breach Report 2020).
“The average time to identify and contain a breach in healthcare is 329 days.”
The healthcare industry is a frequent target for ransomware attacks for several reasons: 1) stolen medical data is extremely valuable to cybercriminals; 2) there are many medical devices in healthcare facilities, and most rely on legacy software platforms which makes them an easy entry point for attackers; and 3) access to health records is crucial to patient care and increases the likelihood that victims will pay their attacker.
Stolen healthcare data is considerably more valuable than any other type of data. According to the FBI, cybercriminals can sell an Electronic Health Record (EHR) on the dark web for around $50, compared to just $1 for a stolen Social Security number or credit card number. Cybercriminals use EHRs to file fraudulent insurance claims and to obtain prescription medication, which they resell. EHR theft is much more difficult to detect, taking almost twice as long to report as a stolen credit card or suspected identity theft, and is therefore more attractive to criminals.
“A stolen Electronic Health Record can sell for $50, compared to $1 for a Social Security or credit card number.”
The healthcare industry also struggles with budget constraints that make it difficult to replace legacy software (Black Book, 2020). Reports show most healthcare medical devices operate on legacy platforms (Forescout, 2019), and 56 percent of healthcare providers still rely on Windows 7 operating systems (Duo Security, 2019).
“56 percent of healthcare providers still rely on Windows 7 operating systems.”
One final reason healthcare is under cyber-attack: hospitals and health systems find it difficult to justify spending on cybersecurity because it is an investment that does not produce revenue. Unfortunately, healthcare organizations face a no-win choice: invest now to protect themselves against cyber-attacks, or pay later for the remediation, regulatory fines, and lawsuits that a data breach inevitably brings.
Cybersecurity in healthcare is essential because it can directly impact patient care and affect the level of trust people place in hospital systems and medical providers. The first step to improving your security is to gain a complete understanding of your cyber-attack risk and identify gaps in your defenses. If you are concerned about your cyber-attack risk, or need an impartial second opinion, schedule a confidential conversation with one of our cybersecurity experts. Simply complete the form below – we’re here to help!
Fortress Security Risk Management is a global data protection company that helps organizations dramatically minimize their risk of disruption from unforeseen events like cyber-attacks. Our goal is to help every client achieve the highest degree of security and the least amount of risk their organization can afford, or what we call, SecurityCertaintySM.