Cyber attacks on medical facilities such as hospitals have been on the rise year on year with malware and ransomware attacks crippling hospitals and health systems worldwide.
The US Federal Bureau of Investigation (FBI) issued a report that found 210 ransomware attacks on healthcare facilities in 2022, and that the overall rate of cyber-attacks in 2023 had doubled since 2021.
An international survey conducted by UK cybersecurity company Sophos found that only 24% of healthcare organisations were able to disrupt a ransomware attack before the attackers encrypted their data - down from 34% in 2022.
Most ransomware attacks take the form of software that encrypts data pivotal to the functioning of a hospital, such as patient records and access to critical software, and holds it to ransom until the victim agrees to pay to regain access to their network. In the case of healthcare facilities this can be devastating, leading to cancelled surgeries, compromised patient records and hours of lost revenue.
The same Sophos study also found that in 75% of cases, attackers were able to encrypt the victim organisation’s files, up from the 61% of healthcare organisations that reported having their data encrypted last year.
In one such example, a US healthcare provider operating 30 hospitals and numerous clinical facilities across multiple states was hit by a ransomware attack on Thanksgiving that caused the closure of emergency and critical care wards. The company also confirmed that a number of surgeries were paused while the provider worked to restore its systems amid a full police investigation.
The 23 November 2023 attack prompted the company to attempt to regain full control of its network, with the company announcing it was able to fully free itself from the ransomware attackers on 9 January.
Given the nature and severity of malware attacks on hospitals, it is no surprise that the healthcare-centric cybersecurity market is flourishing as digital threats continue to escalate. According to GlobalData forecasts, the global cybersecurity market will be worth $334bn by 2030, having grown at a compound annual growth rate (CAGR) of 10% between 2022 and 2030.
The same report also detailed how the US has been leading the way in patenting new cybersecurity software over the last four years, with more than 6,000 patents filed. More than 500 of those patents were published by US pharma and device giant Johnson & Johnson.
Points of vulnerability
Most malware and cyber-attacks start by exploiting single points of vulnerability in a network. These can range from something as simple as an intruder guessing or using an available password, to complex social engineering scams known as phishing attacks, where a user is tricked into allowing malicious files into the system. However, the burgeoning nature of the medical device market and its increased connectivity has also created holes that many device manufacturers are racing to plug.
Responding to this, GlobalData predicts that the medical device cybersecurity market will continue to grow at a CAGR of 12.2% from 2022 to 2027, reaching a total market value of $1.1bn by the end of that period.
GlobalData medical data analyst Alexandra Murdoch said medical devices linked to the Internet of Things have created points of vulnerability, as legacy devices possess software and hardware that is not up to modern cybersecurity standards.
“Legacy devices have been an issue for a while now,” says Murdoch. “Usually big medical devices, such as imaging equipment or MRI machines, are really expensive and so hospitals do not replace them often. So as a result, we have in the network these old devices that can't really be updated, and because they can't be updated, they can't be protected.
“To my knowledge at the moment, there isn’t really anything else that can be done other than to replace these machines.”
The difficulty in replacing these devices lies mostly in scale and expense. Hospitals that use large and expensive imaging devices that still work to standard, such as MRI machines, may be hesitant to spend millions of dollars on a modern replacement simply to get rid of vulnerable firmware that cannot be updated.
With more healthcare systems and providers digitising what would once have been in-person appointments and procedures, more opportunities and points of vulnerability arise for attackers. The increased interconnectivity of these devices itself poses a risk.
Murdoch says going forward the industry’s focus in terms of cybersecurity needs to be on hardening existing cybersecurity features for new and emerging devices. The post-Covid-19 pandemic rise in telehealth and remote monitoring systems itself presents a series of vulnerabilities.
“[Telehealth apps] gained popularity because of Covid-19, but they are forever going to be used. They are just so convenient. Knowing that we are going to continue to use them alongside things like electronic medical record systems and artificial intelligence (AI), I think the focus is more on ensuring that we have cybersecurity in those devices going forward,” says Murdoch.
Escalation tactics
The rising investment in the cybersecurity sector has been matched by growing sophistication in cyber-attacks, with widely available technologies such as AI expanding the ways in which healthcare companies can be compromised.
David Higgins, senior director at international cybersecurity company Cyberark’s Field Technology Office, elaborated on how advances in technology such as deepfakes and AI-generated voice impersonation leave companies open to a whole new range of threats through complex socially engineered attacks.
Higgins said: “[AI] has worrying implications for the medical industry. As more and more appointments go virtual, the implications of deepfakes are a bit concerning if you only interact with a doctor over a Teams or a Zoom call.
“The main challenge for healthcare is profitability. Before the European Union said that more than 50% of attacks on hospitals were ransomware, and ransomware predominantly is a profit game. Patient records sold on the dark net are more lucrative than credit card records.
“For a credit card record, you are looking at a cost of one to two dollars, but for a medical record, you are talking much more information because the gain for the purposes of social engineering becomes very lucrative. It's so much easier to launch a ransomware attack, you don’t even need to be a coder, you can just buy ransomware off of the dark web and use it.”
According to Higgins, healthcare companies need to ensure that devices and software used in their network can be updated while remaining cost-effective. At the same time, patient data needs to be encrypted and protected from potential attacks while remaining immediately available to medical staff when needed.
Higgins added: “I don’t think we are going to see a slowdown in attacks. What we are starting to see is that techniques to make that initial intrusion are becoming more sophisticated and more targeted. Now with things like AI coming into the mix, it's going to become much harder for the day-to-day individual to spot a malicious email. Generative AI is going to fuel more of that ransomware and sadly it's going to make it easier for more people to get past that first intrusion stage.”