The health care sector is an attractive target for cyberattacks. Its status as a critical infrastructure embedded in geopolitical challenges prompts a continuing intensification of the potential threat as has been demonstrated by recent threats from Russian hackers (Cyber Security Insiders). Such new challenges must be countered by cost-efficient and effective measures of a functioning cyber-crisis management encompassing crisis communication, staff training, and investments in IT infrastructure determined to be essential during a cybersecurity assessment.
The Health Sector as an Attractive Target for Cyber Attacks
Cross-national cyberconflicts, the shadow economy of cybercrime, and cyber espionage have recently established a solid beachhead in the health care sector. Partially paralyzed by WannaCry in 2007, the UK’s National Health Services (NHS) could once again be the victim of attacks in the near future, this time from Russian hackers who have threatened to sabotage respirators in all hospitals in the United Kingdom. The rising number of attacks and an environment of ever greater threats during the Covid-19 pandemic have clearly revealed that investment in cybersecurity in health care is more urgent than ever. In 2021, criminal organizations and groups with close ties to governments attacked health care facilities specifically, and an estimated 104 healthcare organizations were infected with ransomware (Crowdstrike). Many of the attacks came from actors and hacker groups closely aligned with governments (Crowdstrike: Global Threat Report).
Nor was Germany spared; there was a ransomware attack on the University Hospital in Düsseldorf in 2020. The IT failure that resulted forced the transfer of a patient to another hospital; she did not survive the move (ZEIT Online). In Mobile County, USA, Springhill Medical Center was sued because a baby died at birth in 2019 owing to the malfunction of IT systems and poor communications originating as well from a ransomware attack (Wall Street Journal). The consequences of the attack: a partial breakdown of the hospital infrastructure and a breakdown in internal communications preventing the lead nurse and obstetrician from sharing the essential information that would have potentially saved the baby’s life.
The health care system is an especially attractive target for government-related operatives and hacker groups for two reasons. For one, it is the administrator of highly sensitive data that can be stolen, resold, and made public. For another, the health care system is a part of the critical infrastructure, which is why attacks on it can make countries vulnerable to extortion — especially in the current global conflict situation. The asymmetric distribution of resources exacerbates the threat environment for hospitals and health care providers who already struggle with severely limited financial resources even without the investment in cybersecurity (The Cyber Peace Institute). This raises the question of what measures hospitals can initiate to protect themselves effectively from cyberattacks.
4 Steps for Protection from Cyberattacks
1. Identify weaknesses and threats
Any decisions about the appropriate measures and investments must begin with an analysis of the current maturity level of the operation defining the initial situation, revealing weaknesses, and identifying threats. The valuation determines what systems are at particular risk and how their impairment would affect the performance of health care services.
The next step is the identification of the most effective technical measures for prevention or detection. This aids hospital management in making risk-based investment decisions and allocating scarce resources for the minimization of cyber risks. While hospital management may often have difficulty in justifying the major investment in IT security before a cyberattack, the costs after a successful cyberattack will be of far greater magnitude. Following a ransomware attack, operational activities at the Lukaskrankenhaus in Neuss were curtailed for days and the business suffered a loss of six to seven figures — not to mention the life-threatening consequences for the patients that cannot be quantified in monetary terms (Neue Züricher Zeitung).
2. Life or death communication
As can be seen in the example of the Springhill Medical Center, crisis communication plays a critical role. Cybercrisis preparation includes the establishment of redundant communication channels to ensure external and internal communication. Precise diagrams of the dependencies between commonly used communication channels, the provision of information, and the fundamental IT infrastructure must be prepared and “single points of failure” must be identified. What information does the workforce require? What systems provide this information, and what can be done to ensure that the information reaches the right internal target groups even in the event of an IT failure?
When managing individual health emergencies, the staff depends on a functioning communication system within the hospital. A well-prepared crisis communications plan can help to reduce the stress raised beyond normal levels during a cyberattack.
3. Prevention of social engineering through training and education
Crisis management and a communications plan will remain a paper tiger, however, if the staff is not instructed, trained, and guided through the emergency and crisis processes in advance. Hospital management, physicians, nurses, administration, and other internal stakeholders need to be familiar with the various processes, communication tools, and channels that come into play during an emergency or crisis situation. One possible response to the threat to the NHS could be the inclusion of facility management personnel in industry-specific security awareness training in addition to appropriate Operational Technology (OT) security for ventilation systems in hospitals.
Measures aimed at training personnel about social engineering attacks can also raise the security effectiveness of preventive safeguards. The human factor is a critical link in the chain of activities for the prevention of cyberattacks. Employees must be trained to recognize and report social engineering attacks. But to whom exactly do employees report an incident or suspicion? Without a primary reporting center and established processes, they are at a loss. Moreover, hospital management can issue guidelines that highlight the most important issues. One example would be a ban on the posting on social media of any pictures in which hospital identification can be recognized.
4. Health care sector under pressure to act
Cyberattacks on the health care sector are a frightening reality. The ransomware attacks on health care providers are too lucrative, the geopolitical leverage too strong. Hospitals, service providers, and many other stakeholders, including policymakers, face a mountain of challenges as they seek to reduce the risk of a successful cyberattack in the health care sector. Patients should not have to worry about the security of their data and the IT infrastructure in the hospital in addition to their health issues.
Prevention and readiness actions along with targeted investments in the IT infrastructure can increase the maturity level before a complete overhaul of the IT infrastructure is tackled. Digitalization in health care brings with it tremendous opportunities in terms of efficiency and quality of services, reduction of administrative costs, and accessibility. At the same time, investments in the security of this digital infrastructure must not be neglected. Digitalization of the health care sector must go hand in hand with the strengthening of cybersecurity to protect patients’ sensitive data and their lives.