All hospitals should be concerned about cyber attacks. This is why

Cybersecurity attacks against healthcare are rapidly increasing, taking a financial toll on hospitals as well as patients’ health, according to a new report from Microsoft (MSFT).

Specifically, the industry is experiencing a costly wave of ransomware attacks, a type of software attack that blocks access to a victim’s data unless a “ransom” is paid.

According to Microsoft’s Threat Intelligence team, the healthcare sector was among the ten most affected by ransomware attacks in the second quarter of this year. The disruptions caused by these attacks have cost the industry millions of dollars and led to some patients suffering worse health outcomes – in some cases even fatal outcomes.

“A combination of valuable patient data, interconnected medical devices, and small IT/cybersecurity staff that leaves resources stretched thin can make healthcare organizations prime targets for threat actors,” Microsoft said in its new report.

This fiscal year alone, 389 U.S. healthcare facilities were hit by ransomware, leading to network outages, delays in medical procedures, long wait times and rescheduled appointments. Overall, healthcare ransomware attacks have increased 300% since 2015.

According to an industry report, healthcare organizations can lose up to $900,000 per day due to downtime – and that doesn’t even include the cost of paying the ransom.

Traditionally, threat actors, the term for individuals or groups that target digital systems and networks, followed an unspoken rule not to attack healthcare organizations, but that has changed in recent years.

“Threat actors know that every second a hospital waits, lives could potentially be lost,” Sherrod DeGrippo, director of Threat Intelligence Strategy at Microsoft, told Quartz. “So there’s that urgency and that pressure where the threat actor then has leverage to potentially get a bigger and faster payday.”

Of the 99 healthcare organizations that reported both paying the ransom and the amount paid, the average payment was $1.5 million, while the average payment was $4.4 million.

For example, UnitedHealth Group (UNH), the parent company of the largest US health insurer, confirmed earlier this year that it had paid a ransom in connection with a cyber attack on its subsidiary Change Healthcare.

In February, ransomware group ALPHV breached Change Healthcare, an administration and payments manager, resulting in delayed prescriptions and paychecks for healthcare workers. Change processes 14 billion transactions per year, approximately 6% of all payments in the US healthcare system.

Impact of ransomware attacks on patients

Ransomware attacks not only strain healthcare organizations’ finances, but also jeopardize patient health outcomes. These attacks can severely disrupt patient care, affecting not only the affected hospitals but also nearby facilities, which may become overwhelmed by the influx of displaced emergency patients.

“If a hospital is bailed out, they can’t treat patients, but then the hospitals and surrounding areas have to accommodate all the incoming patients that would have gone to the bailed out hospital,” DeGrippo said.

A study from the University of California, San Diego looked at how a ransomware attack on four neighboring hospitals – two that were directly attacked and two that were not affected – led to longer wait times and added pressure on time-sensitive care.

A ransomware attack led to a more than 35% increase in emergency medical services arrivals at unaffected hospitals during an attack, according to the study. Patient volume increased by 15% in these hospitals.

This put additional pressure on the entire healthcare system in the area and also resulted in an increase in strokes and heart attacks by 113% and 81% respectively.

Why the healthcare sector is so vulnerable

Errol Weiss is the chief security officer of Health-ISAC, the industry’s information sharing and analysis center. The group provides healthcare organizations with the tools to share information about cyber threats. Weiss describes it as a “virtual neighborhood watch program.”

Weiss has worked in cybersecurity for more than 25 years. He said one reason health care is particularly sensitive goes back to the 1990s, when the industry first started switching to using electronic records.

“I think the focus for those organizations at the time, when they invested in all these electronic health record systems and moved all the data onto those platforms, was on complying with HIPAA regulations and making sure those medical records remained private, but not necessarily safe and there is no investment in safety,” Weiss said.

Since then, the industry has not invested enough in cybersecurity, leading to under-resourced teams.

DeGrippo said it is often an organization’s IT team that is tasked with taking on security roles, resulting in situations where teams responsible for fixing a printer or resetting a password are also expected to handle ransomware attacks.

“These employees are not really prepared to perform large-scale ransomware recovery and protect a healthcare organization from ransomware,” DeGrippo said.

She added that one of the most important things organizations can do to tackle ransomware attacks is to understand what actions to take in the event of an incident. This includes knowing who is in charge of the response, and knowing everyone who will need to sign off on a decision.

Weiss recommended that organizations stay abreast of software updates, back up and test their data, and ensure they use multi-factor authentication for remote access to accounts.

“With hospitals and healthcare systems so focused on urgency, every second could result in someone’s life being lost. They need to look at ransomware events the same way,” DeGrippo said.
