Ryan Witt, Proofpoint’s Healthcare Cybersecurity Leader, examines the impact of ransomware on patient care.
In the last two years, COVID-19 has occupied healthcare providers’ minds — rightfully so, considering the pandemic’s tremendous toll on patients. But another threat that causes immense harm gets less attention: ransomware. While ransomware attacks receive lots of headlines, the irreparable damage that this threat could cause patients is often missing from the discussion.
Cyberattacks are a different kind of pandemic, one that has grown substantially over the last several years. They have become an everyday reality for the healthcare sector. Healthcare leaders understand cyber threats are a “new normal.” But the cyber-risk conversation typically centers on the bottom line, such as the costs of mitigation, noncompliance, or lawsuits.
For a sector whose mission is to improve our quality of life, it’s surprising that the top cybersecurity concerns revolve around financial losses. Healthcare leaders, physicians, and other care providers need to look at cybersecurity risks through a new lens — patient health and safety.
Ransomware and Health Professionals’ Promise to ‘Do No Harm’
Healthcare professionals devote their attention to protecting patients from harm. In today’s digital world, this mandate is no longer limited to direct-care delivery. A ransomware attack puts patients physically at risk and might be as devastating as a life-threatening disease.
Consider the attack that crippled operations at the University of Vermont Medical Center (UVMC) in the fall of 2020. After ransomware shuttered access to systems like electronic health records for almost a month, UVMC’s cancer center had to turn away hundreds of chemotherapy patients.
The cancer clinic largely served rural areas, so the cyberattack not only left many of those patients with fear, anguish, and tears but also with no treatment alternatives. The New York Times quoted one nurse as saying, “To look someone in the eye, and tell them they cannot have their life-extending or lifesaving treatment, it was horrible, and totally heart-wrenching.”
Stories like those of the UVMC patients rarely unravel in public, but they’re far from unique. A recent Ponemon Institute report found that a ransomware attack hit 43% of surveyed healthcare delivery organizations in the past two years. Consequences included poor outcomes because of procedure or test delays (experienced by 70% of hospitals affected by ransomware), increased complications from medical procedures (36%), and a rise in mortality rates (22%).
Rethinking the Importance of Cybersecurity
ECRI, a nonprofit focused on patient safety, named cybersecurity attacks the top health technology hazard for 2022. The factors that influenced the ranking included severity, frequency, breadth, and preventability. The ECRI report drove home the point that cybersecurity incidents “don’t just interfere with business operations — they can disrupt patient care, posing a real threat of physical harm.”
Expect this risk to loom large as threat actors target the sector at an alarming pace. UVMC is a case in point — just days after U.S. government officials warned about imminent cyberattacks by Russian hackers on American hospitals, attackers hit the medical center. It wasn’t the first such alarm.
Cybersecurity, of course, is not a fresh problem for the sector. IT and cybersecurity professionals have long sounded the siren that healthcare is behind many other industries in implementing robust defenses. But ransomware threats shine a new light on cybersecurity inadequacies because the impact on patients is immediate, and the harm is much greater than something like a data breach.
It’s time for both decision-makers and healthcare delivery professionals to comprehend the human benefits of cybersecurity and the human loss when it is absent or fails. Patients come to hospitals or clinics expecting treatment, often urgent. If the healthcare providers can’t deliver those services because cybercriminals hijacked their systems, they’re violating patient trust, as well as putting lives in danger. Considering the rapid growth of cyberattacks in the sector, life-altering scenarios like those we saw at UVMC will become common.
Investing in What Matters
Cybersecurity is not an easy problem to resolve in any sector, but even more so in healthcare. The complexities of the environment, with connected medical devices, multiple locations, and legacy systems, create many challenges. And it doesn’t help that a typical healthcare organization has a minimal IT budget that is far from adequate for implementing effective cybersecurity solutions.
Leaving IT teams with few resources to defend against cyberattacks is no longer an option. While healthcare organizations allocate most of their funding to the delivery of care, they also need to realize that in today’s environment, care delivery relies not only on medical equipment and personnel but also on strong cybersecurity defenses. If cybersecurity is a low priority, the delivery of care will suffer.
How can you compel decision-makers to view their responsibility through a new lens? Start by telling them the stories they need to hear. The story about the mother of two who was denied her lifesaving treatment. Or the nurse who compared working at a medical center in the grips of ransomware to working at a burn unit after the Boston Marathon bombing. Or the mother who blames a ransomware attack for the death of her baby.
These are not scare tactics. They are the kind of messages that help translate cybersecurity risks into human impacts. If that doesn’t compel the board of directors or other decision-makers to make investments into cybersecurity, what will?
Ryan Witt is Proofpoint’s Healthcare Cybersecurity Leader.