The computer systems of healthcare institutions hold troves of highly confidential data. From patient diagnoses and medical records to the operating technology for specialised equipment, all of it must be in good working order for hospitals to conduct their day-to-day operations.
Yet, these sensitive systems are generally not well-protected.
Cybercriminals are keenly aware of this, and they seek to exploit it.
In Ireland and the UK, it is not only that these systems are poorly protected; most of the healthcare data in the region is also centralised. As a result, it only takes one bad click in an email for a ransomware group to plant its malware institution-wide, taking confidential data hostage and demanding an exorbitant ransom. According to Check Point, UK organisations collectively experienced a surge of cyber-attacks in 2022.
Healthcare institutions are no exception. In fact, the highly confidential nature of healthcare data makes this sector a particularly lucrative target for threat actors. In 2021, healthcare was the third most targeted of all sectors, with a 74% increase in cyber-attacks.
Moreover, in 2021, the largest known malware attack against a healthcare computer system was carried out against Ireland’s Health Service Executive (HSE). The HSE is a publicly funded healthcare system under the Irish Department of Health, with 54 hospitals under its authority.
How did the attack happen? A single employee clicked on a bad link in a phishing email and, in one fell swoop, the Russian gang Wizard Spider had implanted the infamous Conti malware into the healthcare service’s wider systems. For eight weeks, this malware roamed in silence. Once activated, it encrypted and effectively shut down 80% of HSE’s IT environment. Diagnostics, medical records, and emails were all inaccessible. Critical medical procedures within hospital wards ranging from psychiatry and maternity to oncology and paediatrics had to be cancelled. Without access to internal records, how could doctors and nurses treat patients? The healthcare sector, sensitive as it is, was under massive attack.
While no ransom was paid by HSE, 700GB of sensitive data was stolen. Eventually the attackers released the decryption key, but it took another six months for the servers to be entirely decrypted. This attack cost HSE upwards of €750 million, including an overhaul of the entire system.
While this is the largest cyberattack against a healthcare organisation in the region to date, it is far from the only one, and it will, unfortunately, not be the last. In June 2023, an attack against the University of Manchester resulted in the exposure of data for over 1 million NHS patients. In 2017, the NHS was attacked by WannaCry ransomware, which encrypted over 200,000 system computers, resulting in inoperable equipment and far-reaching appointment cancellations, not to mention the closure of emergency rooms. This one cost €92 million.
Looking beyond financial loss, however, cyber-attacks against healthcare institutions have even graver consequences. According to a survey of a hundred healthcare sector cybersecurity managers in the UK, 65% said that they believed a cyberattack against their systems could result in a loss of life. Think: emergency rooms and dispatchers shut down, cancer treatments cancelled, psychiatry records inaccessible, maternity aid impossible.
What is more, the threat from nation-state actors is growing rapidly. We are well used to the tried-and-true cybercriminals who infiltrate servers to extract ransoms worth millions of pounds, but attacks from state-aligned groups are less predictable. In April 2023, the NCSC issued an alert to critical national infrastructure (CNI) organisations warning against this emerging threat. The healthcare sector, along with energy, food, government, water, and others, is under increasing threat, mainly from the following nations: Russia, China, North Korea, and Iran.
State-aligned actors are not motivated by finances, only by destruction. If war is waged and a nation wants to cripple the United Kingdom or Ireland (or any country globally, for that matter), it only needs to target the under-protected healthcare institutions of the region. You can imagine that the resulting impact would be devastating.
So, healthcare organisations are often entirely under-prepared to deal with cyberattacks. They are too focused on, well, healthcare. But what can they do to prevent and recover from these attacks?
Interestingly, despite how severe the consequences of these attacks so often are, the methods used are typically very well known. Phishing, social engineering, and credential theft are the most commonly used points of entry for cybercriminals, alongside unpatched software and system configuration errors. These are common problems with extraordinary consequences. With the correct steps, however, a solution for the vulnerable healthcare sector may be found.
Human error is often the root cause of these attacks, as the HSE attack shows. For that reason, it is essential that healthcare institutions require security awareness training for all employees who have access to the organisation’s computer systems. Paired with keeping systems up to date and, overall, maintaining cybersecurity best practices, healthcare organisations in the UK and Ireland may be able to prevent such catastrophic malware attacks from occurring in the first place.
In healthcare, the first priority is and always will be the saving of lives. But with cybercriminals increasingly targeting critical healthcare institutions with malware, it is important to remember that lives cannot be saved if computers are down, the equipment inoperable, and emergency rooms closed.
By Javvad Malik, lead security awareness advocate at KnowBe4