You may or may not know that the Healthcare sector pays the highest price to cyberattacks compared to any other sector – with the industry reporting a staggering average loss of $10.93 million per breach in 2023. This is almost double the next highest paying victim, the financial sector, which saw an average loss of $5.9 million per breach.

Healthcare is a prime target due to the extensive amount of personal and sensitive data that the sector handles, meaning there is less room for compromise. A recent example of an attack includes the alleged payment of around $22 million in bitcoin by UnitedHealth to ransomware group Blackcat (aka ALPHV) after a large data breach.

Cyberattacks in healthcare saw a marked increase during the COVID-19 pandemic. A 2021 large-scale survey in the US saw approximately 43% of respondents reporting that they had been subjected to two ransomware attacks in the preceding two years. According to a separate report, as of November 2023, nearly 60% of healthcare organisations worldwide suffered a cyberattack in the previous 12 months. Of those 60%, cybercriminals were able to successfully encrypt nearly 75% of data in ransomware attacks.

The rise in attacks has also been met with a marked decrease in the confidence that many organisations have in their ability to deal with the fallout of an attack. A report by the World Health Organization stated that “Interestingly, the proportion of respondents who lacked confidence in their organization’s ability to manage the risks associated with ransomware attacks increased during 2020–2021 to 61% from 55% pre-pandemic.”

With this rise in cyber-related crimes and falling levels in confidence, it is as important as ever for organisations to understand the impacts that attacks can have, and what they can do to mitigate risk – especially in the healthcare sector.

How cyber-attacks impact healthcare

Cyber security attacks on healthcare can directly impact the services that are provided to patients. We have seen examples of ransomware attacks on hospitals in Melbourne, Australia where key medical equipment was actually unavailable and services to patients were disrupted. Furthermore, once data is compromised, this data can be released in the dark web. Due to the sensitive nature of this data these attacks can lead to extreme privacy breaches where healthcare-related data is compromised and released to the public.

In addition to risks of a significant violation of privacy, ransomware is especially problematic in healthcare. In the worst-case scenario, this could lead to loss of life through disrupting medical equipment and services. This also brings up the ethical issue that ransomware is monetising the value of life by exploiting and profiting from holding potentially life-saving data to ransom. Since healthcare professionals have a duty to save lives, this situation makes them especially vulnerable to the malice of bad actors.

Other significant impacts include:

• Locking access to critical data and healthcare IT systems
• Risks to patient safety and treatments
• Financial losses
• Regulatory and legal liabilities risks

The vulnerabilities in healthcare

The primary vulnerabilities exploited include insecure remote access, poor password practises, lack of use of Multi-Factor Authentication (MFA), poor malware detection, and poor patching practices. The combination of these factors allows hackers to get into an environment and easily spread ransomware-type attacks.

The factors that contribute to these vulnerabilities include a poor understanding of the risks within the environment, lack of education with users, and in some cases lack of funding and expertise to address these vulnerabilities. Key mitigation activities include appropriate understanding of key cyber risks, adequate funding being made available and a strong cyber security culture being place through good user education and training.

With the advent of the Internet of Things (IoT), we are seeing a lot more devices connecting with each other and the internet. With the ability to connect to more devices and systems, that also opens the door for others to connect to you, making easier targets for hackers. Devices that are not actually secured appropriately can then be easily breached leading to service disruptions within the organisation. The introduction of Artificial Intelligence (AI) has also created more routes for bad actors to attack and breach. These range from using AI created deep fakes to obtain login credentials to using AI to scan for vulnerabilities and target them for exploitation.

What can organisations do to detect and disrupt attacks?

In terms of strategies that could be employed to minimise the disruption of services, healthcare organisations can perform a thorough risk analysis of both the IT and OT (Operational Technology) environments. Once the risks are understood, the organisation has the opportunity to remediate any gaps which will go a long way towards preventing IT and OT related service disruptions.

Ransomware is a type of attack that requires your response at the people, policy and technology levels. At the people level, a strong culture of cyber security needs to be embedded in the organisation through user education and training. This will help prevent and stop users from disclosing their login credentials as well as clicking on malicious links, attachments, and files that could allow malware to be downloaded onto their machines. At a policy level, strong user and technology related policies need to be in place that dictate the controls needed to prevent, respond to and recover from ransomware events. At a technology level, controls need to be put in place, such as robust email and web filtering, advanced malware protection, advanced network security devices, Managed Detection and Response (MDR) services coupled with isolated backup controls. These need to be backed up by strong IT disaster recovery and business continuity practices in the case of a successful ransomware attack.

There are different levels of key compliance requirements across the globe. In Australia specifically, the main initiative is the Privacy Act 1988. The act is specifically designed to protect PII (Personally Identifiable Information) and PHI (Personal/Protected Health Information) in particular. The Office of the Privacy Commissioner has published a guide on cyber security in Australia along with advice from the Australian Cyber Security Centre that outline steps for data security.

Around the world, compliance requirements are numerous. In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is perhaps the most prominent, setting out various guidelines and requirements to protect PII and PHI. And, of course, in Europe, the General Data Protection Regulation (GDPR) extends to the healthcare sector.

The takeaway

The healthcare sector faces a critical challenge in safeguarding itself from cyberattacks. The substantial cost of data breaches, disruption of services, and potential risk to patients underline the pressing need for enhanced cybersecurity measures. By implementing robust user education, deploying dependable technological solutions, and adhering to data privacy regulations, healthcare organisations can significantly reduce their vulnerability and protect sensitive patient information.

For more information, or if you would like to get in touch, please visit our risk advisory services page, or our healthcare and life sciences page.