In the past, we’ve discussed how a few sectors of the business world are disproportionately affected by cyber-attacks. These sectors include school districts, law firms, accounting firms and healthcare, among others. They are more vulnerable because their focus is not on the digital expertise that securing information from their respective clients requires. It’s not that they don’t care about compliance or security; they absolutely do, but their primary focus is elsewhere. The problem is, when a business in one of these sectors is attacked, it can be detrimental to their clients.
With school districts, law firms and accounting firms, the detrimental impact is more related to identity theft, fraud and (potentially) embarrassing information becoming exposed. In healthcare, it can very literally mean someone’s life. This is an unfortunate occurrence, and while seemingly rare, it recently happened in Germany.
A woman with a life-threatening condition was turned away from Düsseldorf University Hospital because the facility was hit by a ransomware attack. They were unable to care for the woman because of the attack, so she was sent to a different hospital about 20 miles away. This caused around a one-hour delay in care, which resulted in the woman’s death.
From Wired.com, “Düsseldorf police eventually communicated with the attackers and told them that the attack had hit a hospital treating emergency patients, not the university. The attackers reportedly withdrew the extortion demand and provided a decryption key to unlock the servers. The justice minister report said that the attackers are no longer reachable.”
This isn’t the first time a hospital or other medical facility has had business come to a screeching halt. Last year there was an attack on 10 hospitals which prevented the locations from accepting new patients. Three of those hospitals reportedly paid the ransom so they could get the decryption key and get their systems back online. Even though, in this case, the hospital wasn’t the actual target, this won’t be the last time it happens either.
Cybersecurity in healthcare cannot be overlooked and this is a prime example of why. Yes, this is an extreme situation, but it shows that it happens. Even attacks that don’t result in the death of a patient can hamper a facility with dangerous impacts. The incident also showcases why it’s so important to keep the infected machine connected to the broad internet. Yes, the attackers provided the decryption key because it was not their intent to attack a hospital. But the authorities lost their ability to trace, track and find the attackers when that connection was cut off.
The healthcare industry, along with a handful of others, is a soft target for hackers. Its primary goal is to care for sick people, and, especially if the facility is a non-profit organization, cybersecurity is a small portion of the budget. Again, it’s not that they don’t care or don’t want to protect the data under their charge. They simply do not have the means to do it. But that has to change. The healthcare industry needs to catch up, or the simple truth is that one day, a hacker is going to cripple the whole system and likely many folks will die as a result.