Recent ransomware attacks highlight need for improved health care cybersecurity. Earlier this month, a cyber attack in Victoria, Australia targeted some of the state’s major regional hospitals. The suspected ransonware attack shut down booking systems at the facilities and administrators worried patient records had been compromised.
This recent attack and others over the past year have left many concerned about the state of health care cybersecurity. More and more hospitals are seeing increased connectivity as they implement new technologies and as a result, their IT systems have become more susceptible to cyber attacks.
To emphasize the threat, in May Victoria Auditor-General Andrew Greaves successfully hacked into the IT systems of some of the state’s biggest hospitals and accessed sensitive patient data. In a report detailing the importance of cybersecurity for health systems, Greaves explained that although tools like digital records have improved health systems, there are risks associated with using these tools.
“While digital records can improve patient care, a cybersecurity breach could alter or delete patients’ personal data or permit unauthorised access to this data. A breach could also disable health services’ ICT systems and prevent staff from accessing patient information,” Greaves wrote in a report. “Health services’ security measures protect their ICT systems and the infrastructure used to store patient data. However, human action—either unintentional or malicious—can undermine even the most sophisticated security controls. To manage the security risk, health services need a culture of security awareness, with their staff trained to identify and respond effectively to data security risks.”
Hackers are targeting health care systems in the United States as well. This month, a ransomware attack on the DCH Health System in Alabama forced three hospitals to stop accepting new patients.
Additionally, on Oct. 1, the U.S. Food and Drug Administration issued an alert warning of cybersecurity vulnerabilities in certain medical devices. These devices include certain kinds of imaging systems, infusion pumps, and anesthesia machines. According to the alert, software that can be used to exploit these vulnerabilities is already publicly available , though no breaches have been reported.
“These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function,” the FDA alert said.
Despite the attention currently being paid to hospital cyber attacks in light of frequent incidents in recent months, health care cybersecurity isn’t a new issue. In 2018, the American Medical Association released a report highlighting the importance of cyber security in health care. The report included the results of a survey of 1,300 physicians around the United States.
According to the report, 83 percent of those surveyed had experienced some kind of cyber attack. One in two physicians said they are “very” or “extremely” concerned about future cyber attacks. And, 83 percent of physicians see the value of a security risk assessment and recognize that current measures aren’t enough to truly address cyber threats.
The health care system isn’t the only sector with growing cybersecurity concerns. According to the August 2019 McAfee Labs Threat Report, ransomware attacks across all industries grew by 118 percent in the first quarter of the year.
Similarly, this month, software company Tripwire released the results of a survey of cybersecurity professionals. According to the company’s report, most organizations are worried about cyberattacks having physical operational consequences and business impacts.
In Tripwire’s survey, nearly 50 percent of survey respondents said current investments investments in cybersecurity are not enough. Additionally, half of those surveyed said their company had suffered an outage or data loss during the past 12 months and half said they expect an attack on critical infrastructure within the next 12 months.