Home of internet privacy

Why hospitals are getting more cyber attacks

This post was originally published on December 14, 2020.

Over the course of 2020, the Covid-19 pandemic has eroded privacy, digital security, and digital freedoms around the world. And in recent months, the effect of the virus’s rise on hospitals has come into focus.

The healthcare industry has found itself in the crosshairs of cyber attacks at a rate we haven’t seen before. In September, the seriousness of this issue was highlighted by an incident in Germany in which a woman died in an ambulance after a ransomware attack forced Düsseldorf University Hospital to close its emergency room and divert patients elsewhere.

[Get cybersecurity news sent to you. Sign up for the ExpressVPN Blog Newsletter.]

A month later, U.S. agencies including the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services co-authored an advisory that warned of an imminent threat to hospitals in the country. This came off the news that the U.S. encountered 313 ransomware attacks on healthcare organizations in the third quarter of 2020, up from 158 in the second quarter.

This is a trend, and one that ranges from damaging to deadly. But why now?

What makes hospitals an appealing target for cyber attacks?

Although hospitals’ cyber attack vulnerability is a salient news item at the moment, it’s been an under-discussed issue for years, especially considering how dire the consequences of these attacks can be.

There are a number of factors that make hospitals susceptible to bad actors, particularly when it comes to ransomware. The first is the high-stakes nature of the work they do. For many businesses, it’s possible to pause operations and consider all the options on the table if they’re hit with a ransomware attack. If a hospital presses the pause button, that could have tragic consequences. That in theory would make them more willing to pay than most targets.

Another reason hospitals might be targeted is they house a large quantity of valuable, sensitive data on patients—which can be the direct target of ransomware in and of itself. They also contain a vast array of devices providing a number of entry points to their networks, and their staff is rarely trained in cybersecurity. Even if they are, that understandably ranks low on their list of priorities.

Also, the nature of workflow in a hospital demands that data be easily accessible and rapidly shareable in order for different departments to consult on a patients’ treatment plan and give them the best care possible. This accessibility could come at the expense of cybersecurity.

How has Covid-19 made things worse?

The current pandemic has made life considerably more difficult for healthcare professionals around the world. A survey by Medscape revealed in September that 64% of U.S. doctors say the Covid-19 has intensified their feeling of burnout.

The effect of that burnout on an issue like cybersecurity is difficult to quantify. But when simply getting through the workday is hard enough, it’s less likely for hospital workers to remain vigilant on any secondary aspect of their job. A fraudulent email that would never fool someone in 2019 might just get them in 2020.

Like in many industries, healthcare workers are working from home more, which can create cybersecurity vulnerabilities. Home networks are often less secure than those at hospitals, and cyber criminals can try to use “island hopping” to gather information and credentials, even if the worker’s primary laptop is connected to a work VPN.

The combination of an overwhelmed workforce onsite and a more vulnerable one at home exacerbates all the cybersecurity issues hospitals are already dealing with. It’s a situation that’s not going to change for at least months, and in some places it’s getting worse.

What can be done?

A lot! Healthcare facilities, and indeed every organization, should invest in cybersecurity and take measures to protect their networks. Start here to learn more.

Read more: Lockdowns highlight our “right to repair”