Cyberattacks targeting healthcare are putting patients at unnecessary risk and more must be done to hold the cyber criminals involved to account, warns the CyberPeace Institute, an international body dedicated to protecting the vulnerable in cyberspace.
The healthcare industry has been under increased strain over the past year due to the impact of the COVID-19 pandemic, which has prompted some cyber criminals to conduct ransomware campaigns and other cyberattacks.
Faced with a ransomware attack, a hospital might pay the cyber criminals the ransom they demand in return for the decryption key because it’s perceived to be the quickest and easiest way to restore the network – and, therefore, the most direct route to restoring patient care.
That doesn’t stop the incident being traumatic for staff, who might suddenly find themselves unable to be involved in procedures, while patients may get sent to other hospitals for treatment – something that could prove risky if time is a factor. But even months on from a cyberattack, patient care can remain affected.
“There’s a real-time impact and a long-lasting impact,” Stéphane Duguin, CEO of the CyberPeace Institute, told ZDNet.
“When hospitals and healthcare are hit by ransomware, what is the quality of care you could hope for in these entities like six months afterwards, or one year afterwards? It’s quite concerning because you have more chance to get care of less good quality, if you go into this hospital with a condition, the care might take longer than it did before an attack,” Duguin said.
Because of this, the CyberPeace Institute paper, entitled ‘Playing with Lives’, argues that cyberattacks on healthcare are attacks on society as a whole, potentially creating threats to human life – particularly when campaigns are targeting hospitals and healthcare organisations during a pandemic.
One of the key reasons why cyber criminals target healthcare is because it’s often based around what the report describes as “fragile digital infrastructure”. Healthcare networks are complex because of the variety of specialist devices connected to them. They’re also vulnerable because of the amount of legacy infrastructure on the network, which might not even be supported with security updates.
It was the continued use of legacy infrastructure across the network that left the UK’s National Health Service (NHS) so vulnerable to the WannaCry ransomware attack. Although a patch was available before the incident, the nature of healthcare meant it was difficult to shut down sections of the network in order to apply the update.
The use of legacy infrastructure is tied to what the report describes as a “resource gap” in healthcare, which means that cybersecurity in the sector is under-financed, making it hard to distribute the necessary resources to fully protect hardware and software across the network.
Ultimately, cyber criminals are carrying out campaigns like ransomware attacks because they’re seeking easy money; extorting funds from hospitals whose networks have been compromised provides a means of gaining exactly that.
Unfortunately, ransomware gangs rarely face consequences for their actions, and Duguin argues that governments and law enforcement should put more resources into bringing cyber-criminal gangs to justice.
“Government should also play a part in reducing the number of attacks by going after criminal groups and making sure that it’s not a risk-free crime for cyber criminals,” he said.