Healthcare organisations are at a greater risk of cyber attack than ever before due in large part to the Covid-19 pandemic, a new report outlines.
The pandemic saw a sudden global shift towards digitalisation as people moved to virtual contact and sectors rapidly adopted an array of new technologies. The healthcare sector wasn’t exempt, and a push towards virtual care drove the widespread introduction of remote monitoring devices, telemedicine and connected equipment.
As a result, there was an immediate increase in attack surface, and the speed of healthcare's transition meant that many systems were inadequately protected as cybersecurity teams became overstretched.
These points are considered by GlobalData’s new Cybersecurity in Healthcare (2024) report, which notes: “The rush to shift from office-based work to remote working and from in-person care to virtual care caused by the Covid-19 pandemic significantly increased cyber risk.
“The increased use of technology – especially cloud technology and connected devices – increased the potential attack surface, and the high speed of the transition meant many IT security teams had insufficient time to install adequate security defences. Companies moved more sensitive operations and information online than ever before, making attacks more costly.”
More frequent attacks
Last month, London hospitals were hit by a cyberattack that reportedly had a major impact on Guy’s and St Thomas’ NHS trust, with blood transfusions being particularly affected. The attack is thought to have resulted from a piece of software that the hackers inserted into Synnovis’s IT system. In the first week, 800 planned operations and 700 outpatient appointments had to be rearranged.
A month earlier, NHS Dumfries and Galloway confirmed that the mental health data of some children had been published following a cyberattack.
Considering cybersecurity in healthcare, GlobalData’s report notes that, during the Covid-19 pandemic, “the stress and urgency placed on hospitals weakened their resilience to attacks, making them more attractive targets for attackers. Critical Insight reported that cyberattacks on healthcare companies increased by 35% in H1 2021.”
The report offers the example of an attack at the beginning of lockdown in March 2020, which forced Brno University Hospital (a leading testing centre in the Czech Republic) to postpone surgeries and tests.
Later, in September 2020, University Hospital Düsseldorf experienced a cyberattack, which forced the hospital to de-register from providing emergency care. A 78-year-old woman who experienced an aortic aneurysm was diverted to Helios University Hospital, 32km away. She died after her treatment was delayed by an hour.
Eight months later, in May 2021, the Conti Ransomware Gang compromised the Irish Health Service Executive (HSE) in what the WHO called “one of the largest, most devastating attacks on healthcare”. A spreadsheet was downloaded from a phishing email, spreading malware that encrypted around 80% of data in the HSE system and left the national diagnostic imaging platform inaccessible.
Why healthcare became vulnerable
Reflecting on the cybersecurity weaknesses exposed by healthcare's pandemic-driven digitalisation, GlobalData’s report explains: “Soon after the lockdowns began, law enforcement agencies warned that malicious actors were piggybacking on the vulnerabilities created by the pandemic to further their attacks. Examples included phishing emails relating to the sales of fake test kits and personal protective equipment. In one case, Android spyware was used to mimic the Johns Hopkins COVID-19 case dashboard, which provided data on Covid-19 infections and death rates.”
The report also considers how attackers would target remote working tools, turning the new home-working systems to their advantage. According to cybersecurity company Darktrace, 12% of the UK’s malicious email traffic was directed to home workers pre-lockdown, compared to 60% six weeks later.
These attacks could include requests by hackers to reset virtual private network (VPN) accounts, false sign-in pages, or fake chat requests from colleagues on professional messaging platforms.
Connected internet-of-things (IoT) devices are also vulnerable by nature, as they collect, transmit, and receive data over the internet or other networks. This data could include sensitive patient data, and attacks on facilities could cause downtime extending for months.
Considering the future of cybersecurity in healthcare post-Covid, GlobalData’s report says: “Between 2022 and 2027, GlobalData forecasts show cybersecurity spending by healthcare providers growing at a compound annual growth rate (CAGR) of 12.5% from $6.1bn to $10.9bn.
“In the same period, cybersecurity spending by pharma companies will grow at a slightly higher rate, 13.0%, from $1.6bn to $3.0bn. Medical device spending will grow at a rate of 12.9% from $631.2m to $1.2bn.”