How Cyberattacks Put Patients at Risk

On September 27, 2024, UMC Health System in Lubbock, Texas, experienced an IT outage due to a cybersecurity incident that temporarily diverted patients to other healthcare facilities. So far, this year, there have been 386 cyberattacks on healthcare organizations. These high-impact ransomware attacks disrupt and delay patient care.

In recent years, many healthcare systems, including Scripps Health, Universal Health Services, Vastaamo, Sky Lakes, and the University of Vermont, have paid millions — even tens of millions — to recover data after a cyberattack or data breach. When healthcare systems come under cyber fire, the impact extends far past disrupting workflows and compromising data, patient safety can be also be compromised, vital information may be lost, and imaging and lab results can go missing or be held for ransom, making physicians’ job difficult or impossible.

In fact, cyberattacks on hospitals are far more common than you may realize. A new report issued by Ponemon and Proofpoint found that 92% of healthcare organizations have experienced a cyberattack in the past 12 months. Even more sobering is that about half of the organizations affected suffered disruptions in patient care.

Healthcare Systems = ‘Soft Targets’

Healthcare systems are a “soft target” for hackers for several reasons, pointed out Matthew Radolec, vice president, incident response and cloud operations at Varonis, a data security company. “One, they’re usually an amalgamation of many healthcare systems that are interconnected,” said Radolec. “A lot of hospitals are connected to other hospitals or connected to educational institutions, which means their computer vulnerabilities are shared…and if they have an issue, it could very easily spread to your network.”

Another factor is the cost of securing data. “[With hospitals], they’ll say that a dollar spent on security is a dollar not spent on patient care,” said Radolec. “So the idea of investing in security is really tough from a budget standpoint…they’re choosing between a new MRI machine or better antivirus, backups, or data security.”

Because of the wealth of private data and healthcare information they maintain, hospitals are considered “high impact” for cybercriminals. Attackers know that if they get a foothold in a hospital, it’s more likely to pay — and pay quickly, Radolec told Medscape Medical News. Hospitals are also likely to have cyber insurance to help cover the cost of having their data stolen, encrypted, and ransomed.

The 2024 Microsoft Digital Defense Report also found that the bad actors are more sophisticated and better resourced and can challenge even the best cybersecurity. Improved defenses may not be good enough, and the sheer volume of attacks must be met with effective deterrence and government solutions that impose consequences for cybercriminals.

Vulnerable Users

Whether through a phishing email or text, password attack, or web attack, “the moment a ‘threat actor’ gets into your institution and gets credentials…that’s the Nirvana state of a threat actor,” warned Ryan Witt, chair of the healthcare customer advisory board and vice president of Industry Solutions at Proofpoint, a cybersecurity platform. “They have those credentials and will go into deep reconnaissance mode. It often takes healthcare up to 6 months to even ascertain whether somebody’ s actually in the network.” During that time, the hacker is learning how the institution works, what job functions matter, and how best to plan their attack.

“Attackers are getting in because they’re buying databases of usernames and passwords. And they’re trying them by the millions,” added Radolec. “For a sophisticated actor, all it takes is time and motivation. They have the skills. It’s just a matter of how persistent they want to be.”

Certain hospital staff are also more likely to be targeted by cyberhackers than others. “About 10% of a healthcare organization’s user base is much more vulnerable for all sorts of reasons — how they work, the value of their job title and job function, and therefore their access to systems,” said Witt.

High-profile staff are more likely to be targeted than those in lower-level positions; the so-called “CEO attack” is typical. However, staff in other hospital departments are also subject to cybercriminals, including hospice departments/hospice organizations and research arms of hospitals.

The Impact of Cyberattacks on Patients 

Physicians and healthcare execs may have considered cybersecurity more of a compliance issue than a true threat to patients in the past. But this attitude is rapidly changing. “We are starting to see a very clear connection between a cyber event and how it can impact patient care and patient safety,” said Witt.

According to the Proofpoint report, cyber breaches can severely affect patient care. In 2024:

• 56% of respondents saw a delay in patient tests/procedures
• 53% experienced increased patient complications from medical procedures
• 52% noted a longer patient length of stay
• 44% saw an increase in patient transfers to other facilities
• 28% had an increase in mortality rate

What Hospitals and Physicians Can Do

Fortunately, hospitals can take measures to better protect their data and their patients. One strategy is segmenting networks to reduce the amount of data or systems one person or system can access. Educating staff about the dangers of phishing and spoofing emails also help protect organizations from ransomware attacks. Having staff avoid reusing passwords and updating logins and passwords frequently helps.

Most hospitals also need more robust security controls. Physicians and healthcare facilities must also embrace the cybersecurity controls found in other industries, said Witt. “Multifactor authentication is one of those things that can cause us frustration,” he said. “The controls can seem onerous, but they’re really valuable overall…and should become standard practice.”

Doctors can also prepare for a ransomware attack and protect patients by practicing some “old-school” medicine, like using paper systems and maintaining good patient notes — often, those notes are synced locally as well as offsite, so you’d be able to access them even during a data breach. “It’s smart to write prescriptions on pads sometimes,” said Radolec. “Don’t forget how to do those things because that will make you more resilient in the event of a ransomware attack.”

A Continuing Threat

Cyberattacks will continue. “When you look at the high likelihood [of success] and the soft target, you end up with…a perfect storm,” said Radolec. “Hospitals have a lot of vulnerabilities. They have to keep operations going just to receive income, but also to deliver care to people.”

That means that the burden is on healthcare organizations — including physicians, nurses, staff, and C-level execs — to help keep the “security” in cybersecurity. “We are all part of the cybersecurity defense,” said Witt. Helping to maintain that defense has become a critical aspect of caring for patients.

Kelly K. James is a freelancer, content manager, and author of The Book That (Almost) Got Me Fired: How I (Barely) Survived a Year in Corporate America. She covers health/wellness, business/career, and psychology topics from her home in the Chicago suburbs.