In May, Colonial Pipeline was hit with a ransomware attack on its computers that forced it to shut down its pipeline operations. It affected the fueling operations at multiple airports and caused many gas stations to run out of gas as consumers panicked. Ultimately, the company paid $5 million to the hackers to regain access to its computers.
Given that the Colonial Pipeline attack occurred during the pandemic, many are naturally left wondering how long before there is a cyberattack that causes a major catastrophe in the healthcare system.
It may only be a matter of time.
Cybercriminals have been increasing their attacks on healthcare systems. In 2020, cyberattacks against hospitals and other healthcare organizations rose 55%, according to cloud security firm Bitglass.
Thus far, cyberattacks on healthcare systems have focused on either getting access to patient records or blocking healthcare workers’ access to those records. Under federal law, patient records are confidential, and cyberattacks that disclose them can open up a healthcare system to costly litigation and enforcement action by the federal government.
Blocking the access of doctors, nurses, and other healthcare personnel to crucial patient records is usually the result of a ransomware attack. A ransomware attack uses malware that encrypts the files on a computer system. The hackers behind the attack then demand ransom to decrypt the files.
These attacks can prove quite lucrative for hackers. Credit company Experian estimated that a patient’s medical records can sell for up to $1,000 on the dark web. A report from the cybersecurity company Sophos found that more than one-third of healthcare organizations were hit with ransomware attacks in 2020, and one-third of those paid the ransom.
Peter Pitts, president of the Center for Medicine in the Public Interest, said the quality of cybersecurity among hospitals is far from uniform.
“My experience is that it’s extremely uneven,” Pitts said. “It’s frightening because hospitals share records with each other as well as with doctors’ offices and other third parties. There really isn’t any gold standard.”
The federal government’s role in improving cybersecurity in healthcare has been lacking. The Centers for Medicare and Medicaid Services uses private companies called “accreditation organizations” to certify that hospitals that participate in Medicare comply with federal standards. The accreditation organizations have the discretion to require that hospitals have cybersecurity plans in place, although CMS rules do not require them to do so. A report from the Office of Inspector General released in June found that the accreditation organizations sometimes asked about medical device security at hospitals. Still, they did not require hospitals to have a cybersecurity plan.
“I think the OIG got it right by saying that we’re letting this happen, and we’ve got to address it,” Pitts said. “And I think that the role of the federal government here is to be the chief convener, to bring together all the parties and really hammer out very solid, strident, forward-looking cybersecurity standards. Otherwise, we’ll find ourselves in a world of hurt, and it’s our own fault. And shame on us for something horrible to happen before we really get something done.”
How could something horrible, such as a cyberattack that results in multiple patient deaths, occur?
After the WannaCry ransomware attack shut down 16 British hospitals in May 2017, journalist and digital health expert Bruce Y. Lee wrote that “doctors and other healthcare workers are depending more and more on rapidly getting up-to-date and accurate data on patients.”
He noted that cyberattacks could affect monitoring devices, including ventilation machines, or produce incorrect results in laboratory tests and imaging studies, such as MRIs. They could also cause mix-ups in patient identity so that patients received the wrong treatments.
The coronavirus pandemic raises another possibility. During the recent delta variant surge in the South, many hospitals had to divert patients because they did not have beds for them. What if a ransomware attack crippled the hospitals that did have room for them?
Let’s hope the pandemic ends soon.