In the field of healthcare, taking care of sensitive data is as important as the care physicians take with the patients themselves. It’s particularly important when attacks on healthcare have been on the rise worldwide.
Healthcare organisations in the U.S., U.K. and Australia all experienced serious data hacks in 2022. In the U.S., the data of 2 million patients was lost to hackers over a three-week period, while in Australia, the results of the hack left 10 million patients with vulnerable data being broadcast in the public sphere. Elsewhere, in the U.K., the National Health Service (NHS) was declared a “cybersecurity disaster” after being hacked multiple times in a row.
These attacks present significant challenges for the medical community, but they can affect anyone, anywhere, making them a serious issue. The problem won’t be solved by hospitals alone. Governments and institutions must work together to create a safe and secure environment for patient data.
So the problem is clearly widespread, but why are hackers attacking healthcare more frequently?
What’s their motive?
Hackers are increasingly acting in organised crime groups that often perform state-sponsored activities but also seek money on the side. Forget your classic image of a hacker working out of his mom’s spare bedroom — these groups run professional operations and recruit computer scientists straight out of school or run sophisticated internal schools themselves. Hospitals need to catch up with how hackers have grown.
It’s usually the goal of a hacker to disrupt public infrastructure, which makes hospitals ideal targets, as they now present a far more valuable opportunity for a ransom attack.
While digital transformation is rife across industries, hospitals have been slowly digitising their processes and patient care for many years. More asynchronous working patterns have also increased the need for captured patient data to be easily accessible and shareable. With more patient data in the systems, hospitals become an easy and attractive target.
As a result of more data, the opportunities for hackers to enter and exploit the system have also proliferated. Data systems have become a hospital’s most vital tool for working and many would rather pay a ransom to restore its operations than lose the functionality of their digital networks.
This leaves hospitals vulnerable to attack. And even if they were to pay the ransom, they are left in the dubious position of having to trust that the attacker has deleted any stolen data rather than selling it on the black market. Hospitals legally must disclose data breaches to the government based on the number of patients impacted, but this current situation places the burden of responsibility in dealing with an attack on hospitals alone.
Actions and consequences
Without help from governments to deal with data attacks, it’s not just hospitals that are left vulnerable, the patients also suffer — and that could mean anyone.
Attacks might also not be immediately obvious. A phishing scam, for example, could be as easy as tricking an employee into sharing a sensitive report with someone posing as their boss. An employee might also be blackmailed by an attacker. An attacker could also offer a financial incentive to an unhappy worker willing to share private data. Ransomware can just as easily encrypt a whole system, making it unusable unless the hospital pays to unlock it.
The consequences of these actions range in their significance from inconvenient to life endangering. Keeping patients out of harm has never been more critical in today’s political climate. For instance, as legalities continue to play out over abortion rights in the U.S., if procedure data was leaked, in some states, it could be considered a felony with severe implications for the patient.
As hospital systems continue to modernise, it’s essential that we don’t see a monopoly in the market when it comes to security software. Consolidating too far in this area would reduce the impetus for innovation and have too many hospitals operating under a single system, making it potentially easier for hackers to reach more hospitals at once. Governments need to step in to prevent a lack of choice from creating additional security risks.
Right now, the most common response from a government would strongly recommend guidelines that put the responsibility on having backups and protocols in place on the hospitals. Governments don’t want hospitals to pay, but they also aren’t fully present to help hospitals through the challenges and complexities of the situation.
Just like a bank robbery or hostage situation, governments need to take the burden off hospitals when it comes to data breaches. With anyone in their population, including themselves, at risk of attack, it is in everyone’s best interest for local and governmental organisations to help restore and secure hospital systems and to take over negotiations with hackers, so hospitals feel less inclined to pay the problem away.