How Ransomware threatens the hospital
Amid the Covid-19 pandemic, the future implications of cyberattacks are frightening.
Several cybercrime organisations scrambled to convince people that during the Covid-19 pandemic they wouldn't threaten hospitals and other health care services. The operators of several popular ransomware strains all declared they would not attack hospitals, and some even offered to decrypt health care organizations data for free if one was mistakenly infected with their malware. But any cybersecurity technique that depends on the moral compunctions of criminals is doomed to fail, particularly in protecting hospitals' famously fragile information networks.
But it's no wonder that ransomware struck Universal Health Systems late last month, disrupting hundreds of the over 400 healthcare facilities across the U.S. and UK. Or that a related ransomware attack revealed in early October held up clinical trials for a Covid-19 vaccine. Or the loose-knit coalitions of volunteers nationwide are collaborating around the clock to try to secure medical information networks that are now straining under the pressures of delivering health care amid a global pandemic.
Amid the Covid-19 pandemic, the future results of these cyberattacks are frightening. Hospitals who have lost access to their computers or malware compromised their networks will not be able to accept patients in need of medication or may take longer to get the medication they require if they turn to paper records. Drug trials for life-saving pharmaceuticals can be postponed by weeks or months, depending on how long it takes to recover the damaged data and systems. Cybersecurity has never been more important to hospitals than today.
Hospitals were an increasingly common target for ransomware and other types of cyberattacks even before the pandemic, as they need to be able to work continuously, providing 24-hour patient care. Any disruption to their networks must be repaired as soon as practicable, rendering them prime targets for ransomware, where criminals vow to rebuild their services for cryptocurrency payments instantly.
Cyber attacks can also prove fatal: a woman in Germany died in a life-threatening condition last month after a hospital in Düsseldorf was unable to admit her due to a ransomware attack and had to rush her to a hospital 20 miles away. It was the first death that was specifically related to a cyberattack, and the timing was a reminder of how health care networks are extremely vulnerable at a time when many health centers are still struggling to fulfill their workforce and resources demands.
Unfortunately, cybersecurity was never a positive point for healthcare. Hospital networks are notoriously vulnerable due to a combination of insufficient funding, a lack of consistent and reliable cybersecurity protocols and a vast number of individuals and processes involved in running a hospital, many of which require some degree of connectivity to their network. Hospitals often rely on advanced surgical devices including ventilators and M.R.I. machines. Which ensures that if there is a security fix or software upgrade running on a hospital's servers, the hospital must first ensure that the upgrade does not conflict with its ability to connect to certain older devices before downloading it.
Updating advanced medical equipment to be compliant with safer software is often a slow or prohibitively costly undertaking, particularly when buying new devices. But recent attacks indicate that the effects of relying on outdated tech can be financially even more devastating: when the WannaCry ransomware struck Britain's National Health Service in 2017, the virus took advantage of a loophole that many N.H.S. machines were already operating. The N.H.S. claimed WannaCry 's direct I.T cost them 92 million British pounds, or around $118 million. Costs and productivity lost.
Any hospital and clinic should re-evaluate their computing networks right now and beef up their current security to prevent their services from being stolen by ransomware or confidential patient data. This would be a big obstacle at a time when many hospitals are failing financially and very few patients want elective medical procedures.
But cyber-security vulnerabilities in the healthcare sector need to be resolved now, more than ever, as medical care is increasingly being provided through remote, online formats and many hospital-intensive care units are already at capacity, with no opportunity to send patients to other hospitals if their networks are closed. Lawmakers, too, should explore ways to help the healthcare industry in their activities by providing grants to public hospitals for this purpose and establishing consistent safety criteria and specifications, ensuring that hospitals have good motivation to make much-needed changes and can do so.
This will be a critical aspect in learning from this pandemic on all the ways we need to do more in helping our hospitals and health care staff in the future: ensuring not only that they have the requisite resources and services and human capital, but also that they have safe information infrastructure that they will count on in times of crisis.