The healthcare industry is already strained beneath the COVID-19 pandemic. Cyber-attacks look to exploit that strain and wreak havoc on the industry worldwide.
Healthcare systems are widely known to be vulnerable to cyber-attacks. They are considered a soft target for hackers because they lack the budget and/or knowledge to keep their systems under tight security. They do what they can to stay within compliance guidelines, but they simply don’t have what is needed to keep their systems updated and locked down. This is evidenced by the recent onslaught of attacks on healthcare systems worldwide.
Most recently, Universal Health Services was targeted. An attack on their U.S.-based locations began on the morning of September 27th. On the 29th, two full days later, the company issued a statement that said, in part, “The IT Network across Universal Health Services (UHS) facilities is currently offline, as the company works through a security incident caused by malware. The cyber attack occurred early Sunday morning, at which time the company shut down all networks across the U.S. enterprise. We have no indication at this time that any patient or employee data has been accessed, copied or misused. The company’s UK operations have not been impacted.”
The statement also indicates that there may be “temporary disruptions” to certain functions, but impacted facilities are using their established backup processes to function. They also state that they have “no evidence that patient or employee data was accessed, copied or misused.” As of this writing, they have not released any additional information or provided updates since that statement was posted to their website at 7pm on 9/29.
Cyber-attacks of any kind can be incredibly detrimental to healthcare systems. It’s not just about exposing patient or employee information or medical records, it’s about an attack throttling their systems. Right now, in the midst of the COVID-19 pandemic, medical facilities across the globe are already strained. They are working at full capacity, trying to ensure that the people who need their help can get it. Because our world is so entrenched in technology, when hospital or clinic systems are impacted, it makes healthcare workers jobs that much harder. Most of them have backup protocols and processes in place, but it certainly diminishes the level of care a patient receives.
“When nurses and physicians can’t access labs, radiology or cardiology reports, that can dramatically slow down treatment, and in extreme cases, force re-routing for critical care to other treatment centers,” he said (Kenneth White, computer security engineer, via NBC). “When these systems go down, there is the very real possibility that people can die.”
This was evidenced just last week when a German woman was turned away from Düsseldorf University Hospital because it was under a ransomware attack. She had a life-threatening condition and the next hospital was 20 miles away. She died as a result of having to travel to a facility farther away.
Through the first half of 2020, the 10 largest data breaches exposed over 3.5 million patient records. That is only the top 10, and it doesn’t include anything after June. It also doesn’t include any injuries, worsening of problems or deaths related to these attacks. It doesn’t show the additional strain placed on nurses, doctors, administrators and other staff affected by these events. It doesn’t depict the impact on admitted patients who may have experienced delays in care. And it doesn’t cover the cost to the facilities for these events. Costs which include incident response, fixing the exploited vulnerability, legal fees and reparations to affected patients and employees.
Our healthcare systems around the world are more vulnerable than ever to cyber-attacks. Their primary focus is to care for the people under their charge, and right now, they are so strained that thinking beyond that is difficult. But this is why we say that cybersecurity in healthcare cannot be overlooked. Healthcare systems and providers must find a way to protect themselves, their patients, their staff and business partners from being exposed. Unfortunately, this problem isn’t going to go anywhere until the industry catches up. Let’s hope that happens sooner than later.