By Philips ∙ August 26, 2024 ∙ 4 min read
Healthcare is a critical, vulnerable and high-value target for cyber criminals. Spurred on by rampant system obsolescence and high-value data, annual ransomware attacks on healthcare institutions have nearly doubled since 2022.[1] The complex infrastructure and integration of dozens of connected devices makes defense of hospital systems particularly difficult. However, medical systems are designed to withstand the threats that healthcare is facing. Data security best practices, bolstered by Philips healthcare-specific technology and solutions, can help you defend against ransomware attacks.
The effects of ransomware attacks on healthcare organizations are far-reaching. A study of ransomware attacks perpetrated against healthcare organizations between 2016 and 2021 found that 44.4% of the attacks disrupted delivery of healthcare, including electronic system downtime (41.7%), cancellations of scheduled care (10.2%) and ambulance diversion (4.3%).[2] Citing initial findings of a study, a health economist at the University of Minnesota said in-hospital mortality increases about 20-35% for patients who have the misfortune to be admitted to a hospital while it goes through a ransomware attack.[3] Ransomware can also affect your administrative operations, including billing and payroll, and result in significant reputational harm.
Cyberattacks can disrupt critical systems, making data inaccessible and jeopardizing the ability of health systems to maintain patient safety and provide timely care. Ultimately, patients suffer the most in these situations. Clinicians may be unable to perform procedures or prescribe medication, while pharmacies struggle to access the information needed to fill prescriptions. Furthermore, the organization's billing processes become inefficient, affecting the number of patients it can accommodate.
However, you are not at the mercy of cyber criminals. There are steps that you can take to mitigate your risk of a ransomware attack, including understanding why healthcare organizations are at risk, how cyber criminals operate and how partnering with companies like Philips that prioritize cybersecurity in software development can help protect your organization.
Health systems are particularly attractive targets for ransomware, due to a combination of digitalization of healthcare information, complex networks with many points of access, devices that have not been updated with the latest security software, human factors and lack of control.
Medical devices and low-security wearables are increasingly connected to the internet, providing gateways to hospital networks. In particular, devices with infrequent patch cycles may lack protection against the latest malware. Another factor is that the supply chains in healthcare have become increasingly complex and even the smallest healthcare system involves many moving parts. This complexity, compounded by the many third-party vendors and suppliers that are connected to hospital systems, makes it nearly impossible for hospitals to have full visibility and control over every aspect of their networks and amplifies the risk and potential effect of a cyberattack.
Among the human factors are clinical and administrative workforce shortages. Given fewer staff and longer working hours, cybersecurity can become deprioritized, leading to mistakes and opening the door for cyberattacks.
Cybersecurity education may also be deprioritized, leading to employees unwittingly helping cyber criminals. The National Institutes of Health reported that 90% of breaches begin through phishing (mass email) or spear phishing (targeted emails).[4] In both cases, hackers use deceptive emails or websites to gather information, for example PACS login credentials. The report cited an American study that found healthcare workers clicked on one out of every seven simulated phishing emails.
In 2024, the average cost of a healthcare data breach is $9.77 million.[5]
Electronic health records (EHRs), which have facilitated the ability to efficiently share up-to-date patient data for better patient care, also provide a target-rich environment of valuable data that is very attractive to cybercriminals.
Once ransomware encrypts an organization's files, it prompts the user to pay a ransom. For the impacted healthcare organization, it's a race against the clock to re-establish control of its system access and/or patient data. For a large health system, backing up millions of records is a time-consuming process that can't be accomplished in the time allotted, and the hackers are all too aware of that. If a data backup is unavailable or those backups were themselves encrypted, the victim is faced with paying the ransom to recover files.[6] In many cases, healthcare organizations are willing to pay to restore services and avoid public embarrassment and loss of trust.
Even if the healthcare organization refuses to pay, the threat actors can still make money by selling the information on the dark web. Protected health information (PHI) is more valuable than other data because it can be broadly exploited, including to file fraudulent insurance claims, purchase false prescriptions or receive treatment.[7] Stolen records are a commodity, and how much they sell for depends as much on the source as it does on supply and demand. In a March 2024 broadcast, a cybersecurity researcher interviewed on CNBC said that medical records are sold for approximately $60 on the dark web, compared to Social Security numbers at $15 and credit card information at $3.[8]
Cedric L. Truss, Program Director and Clinical Assistant Professor of Health Informatics at Georgia State University, recommends that organizations take several logical steps to prevent a ransomware attack,[6] including:
Philips adheres to a comprehensive cybersecurity policy that includes staying on top of emerging security vulnerabilities and potential external threats and collaborating with regulatory agencies, industry partners and healthcare providers, among others, to close security loopholes and implement safeguards.
Radiology Informatics implements cybersecurity guidelines across the full lifecycle of its product and services development. Radiology Informatics development fully embeds valuable security standards like NIST, ISO, DICOM, IHE and DIACAP (now RMF). Additionally, we carefully review international laws ranging from HIPAA to the EU Data Protection Directive to identify product requirements and implement the latest guidance. The Product Security Framework ensures medical devices are designed with a defense-in-depth strategy, incorporating multiple layers of security controls spanning application, computing, data and network security. These controls, aligned with global security standards, are meticulously integrated into our medical solutions to mitigate cyber threats effectively.
In line with industry-standard best practices, the cybersecurity measures we implement in Radiology Informatics include:
[1] Ransomware Attacks Surge in 2023; Attacks on Healthcare Sector Nearly Double. CTIIC. 28 February 2024. www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf
[2] Neprash H, McGlave C, Cross D, et al. Trends in Ransomware Attacks on US Hospitals, Clinics and Other Health Care Delivery Organizations, 2016-2021. JAMA Health Forum. 2022;3(12):e224873. doi:10.1001/jamahealthforum.2022.4873
[3] Levi R. Ransomware Attacks Against Hospitals Put Patients' Lives at Risk, Researchers Say. Morning Edition. 20 October 2023. www.npr.org/2023/10/20/1207367397/ransomware-attacks-against-hospitals-put-patients-lives-at-risk-researchers-say
[4] Owens B. How Hospitals Can Protect Themselves from Cyber Attack. CMAJ. 27 January 2020;192(4):E101-E102. doi:10.1503/cmaj.1095841. www.ncbi.nlm.nih.gov/pmc/articles/PMC6989022/
[5] Southwick R. Healthcare data breaches remain most expensive of any industry. Chief Healthcare Executive. 30 July 2024. www.chiefhealthcareexecutive.com/view/healthcare-data-breaches-remain-most-expensive-of-any-industry
[6] Truss C. Taking Steps to Prevent the Rise of Ransomware Attacks in Healthcare. HIMSS. 24 August 2021. www.himss.org/resources/taking-steps-prevent-rise-ransomware-attacks-healthcare
[7] Why is PHI Valuable to Hackers? Blog. 25 January 2022. www.accountablehq.com/post/why-is-phi-valuable-to-hackers/
[8] Diaz N. How Much Money Are Hackers Selling Medical Records For? Becker's Health IT. 15 March 2024. www.beckershospitalreview.com/cybersecurity/how-much-money-are-hackers-selling-medical-records-for.html
* Availability restricted to some geographical areas.