Last September, infectious disease physician Hana Akselrod was already deep in the throes of the COVID-19 pandemic when another crisis took hold: Hackers deployed ransom-seeking malware (commonly called ransomware) on George Washington University Hospital's web of devices. Akselrod and colleagues suddenly lacked resources like electronic health records that facilitate quick and efficient care. Like the Colonial Pipeline ransomware attack this past May, much of the hospital system's critical infrastructure came to a screeching halt.
As the hospital shifted offline, the staff traveled two decades back in time: Like in Akselrod’s medical school days, the hospital had to rely on paper files and triple-check for any errors that are normally fixed by computers. Besides posing an inconvenience, the crisis also risked lives. The hospital was forced to divert ambulances because the overextended staff couldn’t take new admissions. The breach also interfered with urgent test results. For example, medical interns can usually refresh a patient’s chart to receive important test results right as they arrive. In the wake of the cyberattack, interns scrambled between floors to check with the lab and report back to doctors.
Such delays can be costly: If a test indicates a quickly moving infection like MRSA, Akselrod explains, physicians need to know as soon as possible and keep the individual stable before their condition deteriorates. To complicate things further, rapid COVID-19 PCR tests determine whether an incoming patient can share a room or requires isolation. A miscommunicated result led to accidental coronavirus exposure among Akselrod's colleagues during the September crisis. “In infectious disease [medicine], the ability to have quick communication between laboratories, medical teams, nurses and pharmacies will keep both the patients and the team safe and lets us treat those infections rapidly, which could be critical for the outcome of the patient,” says Akselrod, who was recently selected as the COVID-19 response lead for the GW Medical Faculty Associates.
All in all, the incident impacted 250 locations through the Universal Health Services system (UHS). This would prompt a headache at most office jobs, but it’s particularly distressing for workplaces where lives hang in the balance.
Hitting the Most Vulnerable
While cyberattacks on medical providers began cropping up around the early 2000s, the field's ransomware breaches nearly doubled in 2020. In perhaps the most highly publicized example, the 2017 WannaCry ransomware hack on the U.K.’s National Health Service affected over 80,000 hospitals, forced surgery cancellations and shuttered certain emergency departments. Last year, over a third of health care organizations said they had encountered ransomware, according to a survey by Sophos, a British cybersecurity company. And perpetrators’ financial demands are sharply rising: In one of the most striking examples, Ireland's health service was hit with a nearly $20 million ransom this past May (which officials vowed not to pay).
What’s more, plenty of these events go unreported because hospitals are only required to disclose them when hackers access protected information. In 2020, more than 18 million U.S. patient records were revealed to be compromised. Beyond revealing sensitive information like an individual’s HIV status, these attacks can waste precious time, and even cost lives. Last year, German prosecutors blamed an incident at a Düsseldorf clinic for a woman’s death. She had experienced an aneurysm, which requires immediate treatment, and passed away after traveling to a farther facility. For similar reasons, hospital hacks have also been associated with heart attack deaths.
One potential explanation for the rise in cyber crime: Medical organizations make an enticing target. Massive health care systems can link tens of thousands of locations that operate on a combination of wired and wireless networks. Once they’ve infiltrated a network via something as simple as a phishing email, hackers can move between geographic sites.
Most of these offenses occur simply because hackers scan the internet for vulnerable systems to prey on — they may not even know that they’ve breached a hospital based on the available information, says Christian Dameff, an emergency physician and clinical informaticist at the University of California, San Diego. He also serves as UCSD’s medical director of cybersecurity, and has pressured Congress to bolster government efforts against hacking threats.
In reality, ransomware groups (who likely work out of Russia and Eastern Europe) may just spot a major opportunity to infiltrate wide-reaching networks. Dameff cites the NHS incident as an example of an indiscriminate attack. The criminals behind it also ambushed a German railway company and French automaker Renault, among others. “I think the vast majority of attacks that hit health care are unintentional,” he says. “Just because they’re hospitals and take care of patients, they don’t just have some magical border around them wherein cyber criminals don’t attack.”
These breaches succeed by taking advantage of the industry’s digital push over the past two decades. Ultimately, this ongoing technological revolution aims to improve doctors’ ability to treat higher volumes of patients at once, which Akselrod says she has observed in her day-to-day work. But it does come with downsides.
Health Care’s Risky Digital Revolution
The shift toward technological efficiency hasn’t always included well-staffed IT teams or rigorous safety protocols. For instance, new medical devices take years to earn FDA approval and therefore can come with outdated software and operating systems that lack the latest security mechanisms. This has allowed ransomware to exploit certain vulnerabilities and disable medical imaging devices like MRIs. Beyond shutting down machines, hackers could even directly tamper with them. Recently, German medical manufacturer B. Braun shared that its IV pump had a vulnerability that would enable hackers to change medicine doses remotely.
These dangers may only worsen as providers embrace cloud computing, which can link a given facility’s myriad of devices and facilitate a quicker takeover. “I think we’re gonna be having cyber criminals not just attacking one-off devices and looking for them, but instead attacking critical cloud infrastructure to have a much bigger impact, which is potentially very concerning,” Dameff says.
Massive health care providers also hold enormous amounts of sensitive patient data. In fact, a 2009 law has compelled Medicare and Medicaid providers to adopt electronic health records — and, by extension, introduce a new security risk to facilities all over the country. This data can then be sold online, and hackers have demanded multi-million dollar ransoms to return it.
Despite clear warnings, health care administrators don’t always take the steps to protect their own workplaces. Between 40 and 60 percent of these organizations don’t run simulations for the technology failures that might arise during hacks, according to a 2018 survey by the Healthcare Information and Management Systems Society. That’s partly because providers already have plenty on their plates, Dameff explains. COVID-19 has provoked diffuse staff burnout and devastated the budgets of already cash-strapped hospitals. Even if organizations do seek out cybersecurity specialists, the country faces a shortage amid the rising demand from various industries, he adds. Plus, the HIMSS report revealed that most surveyed health care organizations spend six percent or less of their IT budgets on cybersecurity.
Cyber attacks only add to the flurry of emergencies that increasingly impact patient care, including climate change and emerging pandemics. Safety-net clinics and hospitals — which provide care regardless of one’s ability to pay — can afford far fewer defenses against these hazards than wealthier institutions. Some facilities may have to choose between strengthening cybersecurity and purchasing lifesaving equipment like a CT scanner to detect cancer, Dameff adds.
Through working with HIV (and more recently, COVID-19) patients, Akselrod has long witnessed how wealth and racial disparities spill into health care. Vulnerability to cyber attacks is no exception: A patient at her hospital contended with surgery delays during last year’s breach, and ultimately opted out of the procedure because she couldn’t pay for the extended stay. “Are cyber threats yet another of many emerging threats that have lower-income people in its crosshairs?” Akselrod says. “In part yes, because of systemic underinvestment. In another part, these are the people that, on an individual level, are least able to afford whatever additional costs the next threat incurs.”
Long-Overdue Investments
Dameff proposes both high- and low-tech solutions to prepare for oncoming waves of cyber hazards. For example, medical providers can segment their networks so that it’s harder to target a high volume of critical technology simultaneously. Hospitals can, for instance, separate critical equipment like ventilators from computer workstations for another line of defense.
Plus, while users may find it slightly annoying, multi-factor authentication could protect employee accounts on institution websites (a common entry point) and stop criminals in their tracks. Meanwhile, administrators can prepare employees to work offline through regular simulations — it helps to establish reliable paper-based processes in case electronic health records and other important devices fail.
And we still don’t fully understand the extent of these incidents. To assess the full scope of U.S. cybercrimes and their impacts, Dameff envisions a comprehensive national registry that includes the number of corresponding deaths.
To Akselrod, the medical field’s lack of cyber crime preparedness is a symptom of a broader issue. Just as with emerging pandemics, it’s more common to react to such challenges than to try to tackle them before they arise. As with the movement toward preventive medicine, she hopes that health care providers can similarly work ahead of cyberattacks by listening to specialists. “We have a lot of expertise on these compounding threats, but we tend to use that expertise reactively — after a crisis has already occurred,” Akselrod says. “We need to make the investment today (and yesterday) to be ready for the next crisis that’s coming tomorrow.”