Get new exclusive access to healthcare business reports & breaking news
When the average person hears the term cyberattack, they often picture teams of hackers sitting in dark rooms breaking into banks or stealing secrets from the government – an image that has been perpetuated by popular media. Still, the truth is much different and often much darker. Healthcare providers are often a target of these attacks, and the damage done can be devastating.
Why do healthcare providers experience the most cyberattacks? Let’s look at some of the most recent attacks and where healthcare providers can make changes to prevent these attacks from happening in the future.
The healthcare industry is one of the biggest and most lucrative targets for malicious cyberattacks. Since 2009, more than 3,000 data breaches have resulted in upwards of 267 million compromised medical records. There were 642 breaches of 500 or more records in 2020 alone, with these attacks being cited as the top health tech hazard for 2022.
Some of the most significant or most impactful breaches in recent memory include:
Sometimes one malicious email is all it takes to breach an otherwise secure system. In 2014, a Premera Blue Cross employee received an email with an infected attachment. Once downloaded, that malware allowed hackers to enter Premera’s systems, granting them access to information on more than 11 million patients.
Premera ended up settling a class-action lawsuit for $74 million due to the breach and because they didn’t detect it for eight months.
The 2015 Anthem breach is still one of the most significant healthcare cyberattacks on record. Like Premera, hackers were able to access Anthem’s systems through a phishing email and a malware-infected attachment.
This breach compromised Social Security numbers, insurance information, and more from more than 78.8 million people. As a result, Anthem nearly tripled its cybersecurity budget to prevent this sort of attack from happening again.
While it isn’t the first of its kind, the WannaCry ransomware attack of 2017 put this type of cyberattack on the map.
Hackers could shut down nearly a third of NHS hospitals in the U.K. with this type of attack. Ambulances had to be rerouted, and while no deaths were directly attributed to this attack, a similar attack on a German hospital in 2020 resulted in one woman’s death after she had to be rerouted to another facility.
Phishing and ransomware aren’t the only ways to breach a healthcare system. In 2018, bad actors hacked American Medical Collection Agency’s online payment portal. This company handled billing and collection services for laboratories like Quest Diagnostics and Lab Corp.
The hack affected more than 26 million people, and the company was forced to move its payment portal to a third-party vendor.
The Magellan Health attack of 2020, which happened in the early months of the COVID-19 pandemic, was a combination attack. A phishing email delivered malware, and once that was in place, hackers were able to steal protected information and then place a ransomware program in the system to extort the company for more money.
More than 1.7 million patient records were compromised. While there is no official price tag for this attack yet, former Magellan employees have filed a class-action lawsuit against the company.
Ransomware struck United Healthcare Services, which works in both the U.S. and U.K., in 2020. Unlike the WannaCry attack, which was over in a few days, this ransomware attack crippled the company’s entire IT network. Employees had to resort to using paper records, taking more than a month to recover from the attack.
As a result, agencies like the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the FBI issued a joint statement warning that increased cyberattacks against the healthcare system were a growing and imminent threat.
This list is just a sampling of the growing number of cyberattacks impacting the healthcare industry. Why is medicine as a whole such a popular target?
The healthcare cybersecurity market is expected to be worth more than $8.7 billion by 2023. Healthcare might not seem like an obvious target, but there are many lucrative resources within the industry that hackers and other bad actors can take advantage of, including:
In 2014, Reuters reported that medical information was worth 10 times more than credit card information on the black market. The number has not changed much in the intervening years, but the threat is direr than ever before.
A patient’s protected information contains everything – home address and phone number, Social Security number, medical history, insurance information, and in some cases, credit card numbers.
Patients don’t monitor their health information the same way they do their credit reports, which means it takes longer to discover the breach. While this information is in hackers’ hands, they can purchase prescriptions, make false claims, or buy expensive equipment, all on the patient’s tab. Medical professionals are obligated to protect this information and can face steep fines and legal action if they fail.
More medical devices are joining the Internet of Things every year. Insulin pumps and glucose monitors, pacemakers, and others are easy to access remotely for the patient – and for savvy hackers who can use that access as a back door to collect patient information. In addition to putting patient data at risk, hackers could use this access to harm or even kill someone.
Hacking a pacemaker could allow them to change the person’s heart rate. Hacking an insulin pump could make it possible to deliver a fatal dose of the otherwise lifesaving substance. Even cochlear implants, though not life-threatening, could provide access for savvy hackers. Manufacturers must consider this when designing components for the medical IoT. Black hat hackers are quick to exploit any back door or vulnerability they can find.
Remote access and telehealth were starting to pick up steam when the COVID-19 pandemic made them essential. Though the pandemic is winding down, the trend of telehealth and providing remote access for medical professionals on-the-go is continuing to gain momentum. People love the convenience of talking to a doctor from the comfort of their home, but it can create a massive security risk.
Each new device connected to a secure network creates one more potential entry point for hackers and bad actors. Since telehealth has become so popular, going back isn’t an option, which requires more investments in cybersecurity, stricter protocols to protect patient information, and more emphasis on proactive prevention instead of reactive intervention.
Microsoft stopped supporting its Windows XP operating system in 2014. Despite this fact, by the time the WannaCry hack hit the NHS in 2017, more than 4.7% of the organization’s computers were still using this outdated software.
Even upgrading to Windows 7 – the next stable operating system after XP – wouldn’t help, because Microsoft stopped offering support for that system in 2020. Plans were put in place to upgrade all NHS computers to Windows 10, but after the 2020 cutoff date, more than half a million NHS computers were still running on Windows 7.
The NHS example is just one of many. Healthcare providers often hesitate to upgrade their technology because of costs, worries that it will compromise their service, or a hidebound sense of loyalty to their existing systems. The problem with this mentality is that it opens the door to hacks and breaches and puts patient information at risk.
The internet of things is an invaluable tool, but it can also create a massive vulnerability in cybersecurity. The more devices connected to a network, the easier it is for hackers to find a way in. This becomes even more difficult when considering the problem of default passwords.
In 2016, a massive Distributed Denial of Service (DDoS) attack took down large swaths of the internet. Hackers were able to overload critical servers and deny access to users across the globe by creating a botnet – connecting hundreds or thousands of IoT devices that they could access because the owner did not change the default password. Easy-to-guess passwords, like “admin” or “12345,” turn IoT devices into prime real estate for hackers.
There is no single solution to the risk of data breaches in the healthcare industry. As long as privileged medical information is a lucrative black-market business, bad actors and black hat hackers will be trying to make their way into secure networks. The most significant risks often involve old equipment, but any network can be compromised by a well-placed phishing email in an unwary employee’s inbox.
Healthcare providers may experience the most targeted data breaches, but that doesn’t mean they can sit back and allow them to happen. Taking proactive steps to increase cybersecurity and reduce the risk of data breaches can help protect patients moving forward. Hackers and bad actors are always looking for new ways to exploit privileged patient information. Don’t make it easy for them.