The rising tide of cyberattacks on healthcare systems
The cybersecurity landscape within the healthcare sector is facing an unprecedented level of threat, with attacks growing both in frequency and severity. Notably, Rick Pollack, President and CEO of the American Hospital Association (AHA), described the Change Healthcare cyberattack as “the most significant and consequential incident of its kind against the US healthcare system in history.” This incident starkly illustrates the escalating challenges that cyber threats pose to healthcare operations and patient safety.
The February cyberattack on Change Healthcare, the largest US billing and payment system, severely disrupted the processing of millions of patients’ prescriptions and other services, delaying access to crucial medications and care. Even two months post-attack, an AHA survey indicated that numerous medical practices were on the brink of closure due to the financial impact of unpaid claims, thereby endangering patient access to medical services.
This is not an isolated event; the healthcare sector has witnessed several crippling cyberattacks over recent years. For instance, in May 2017, the global WannaCry ransomware attack disrupted a third of hospital trusts across NHS England, resulting in the cancellation of nearly 7,000 appointments and rendering medical staff unable to access vital patient data. Moreover, in May 2021, a ransomware attack on Ireland’s Department of Health and Health Service Executive affected over 80% of their IT infrastructure, compromised the personal data of almost 100,000 individuals, and led to widespread service cancellations.
The financial aftermath of these cyberattacks can be staggering. The Change Healthcare hack alone is estimated to cost up to $1.6 billion. According to the European Repository of Cyber Incidents, there has been a significant global increase in cyberattacks on healthcare, with reported incidents rising from 32 in 2022 to 121 in 2023.
The increasing reliance on interconnected digital technologies such as electronic health records, medical devices, and AI-supported diagnostic tools, which accelerated during the COVID-19 pandemic, has heightened vulnerabilities. Many healthcare providers continue to utilise outdated technologies, increasing susceptibility to attacks. The complex digital interconnectivity within the sector provides cybercriminals with numerous potential entry points to exploit, posing a formidable challenge to system security.
Despite the critical need for robust cybersecurity measures, investment in this area remains insufficient. A recent survey by the Healthcare Information and Management Systems Society revealed that US healthcare organisations allocate on average only 7% of their spending to cybersecurity, significantly lower than the 11-12% average across other sectors. This underinvestment is even more pronounced in low- and middle-income countries, where the lack of infrastructure and regulatory frameworks exacerbates the risks.
The healthcare sector must prioritise the advancement of cybersecurity to align with or surpass the protections afforded in other critical infrastructure sectors. Enhanced research into the specific risks and vulnerabilities faced by healthcare systems is essential, along with strategic planning to mitigate these risks effectively. Furthermore, simple yet critical security practices, such as implementing two-factor authentication and providing education about phishing scams, are vital steps in safeguarding against potential cyber threats. As the landscape of cybersecurity evolves, the focus must remain firm on protecting the integrity of healthcare systems and the safety of patients, affirming that cybersecurity is not merely an IT concern but a fundamental healthcare imperative.