Healthcare industry remain at risk of cyber attack
Russia’s invasion of Ukraine has affected pretty much every sector in one way or another, specifically healthcare which is already prone to attack due to the sensitivity of data.
Here, Electronic Specifier looks at how the NHS, and health organisations in the US have had to adapt since the war broke out.
Cyber attacks on critical infrastructure have the potential to cause serious upheaval, and experts have warned that this is a time where the healthcare industry must increase its protection.
Health data can be more valuable than financial information and a cyber attack can take many forms, including stealing and releasing or selling personal information, but ransomware is a key worry. Ransomware is when a hacker locks down networks, demanding the victim to pay a ransom to bring systems back online. In the healthcare sector, systems shutting down would have dangerous consequences.
Also, cyberattacks can make electronic patient charts inaccessible, and cloud based medical technologies can be taken offline, rendering them unusable.
In February, NHS England issued warnings to all organisations to be vigilant and on guard, asking to strengthen their defences against cyber-attacks following Russia’s invasion of Ukraine.
Its trusts were cautioned to ensure their IT systems were “patched and protected, and that immutable backups are in place”. This came following NGSE Chief Operating Officer David Sloman said: “Following Russia’s further violation of Ukraine’s territorial integrity, the National Cyber Security Centre has called on organisations in the UK to bolster their online defences.
The NHS has faced a few successful cyber-attacks, with its biggest being the WannaCry ransomware attack in May 2017. This attack forced more than 80 trusts to shut down their IT systems to avoid or minimis infection which caused operational mayhem. NHS leaders hope that the WannaCry affair acted as a wake-up call for the system, however lack of funding and ageing systems means cybersecurity remains a major threat.
It is therefore important for the NHS to remain on guard and prepare for all types of Russian action. Since a £300m investment in 2018 in cyber resilience, four major cyberattacks have been prevented which otherwise could have caused a catastrophic impact on front line operations.
The day a after Vladmir Putin ordered an invasion of Ukraine, notorious Russian cybercrime group, Conti, announced it would target critical infrastructures of any nations attempting to impede Russia’s military actions. Following this, the US Department of Health and Human Services issued a warning, stating that Conti has attacked health care institutions in the past.
President Joe Biden also warned that there was “evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
Cybersecurity in hospitals has been a cause for concern for years, long before COVID-19 and the Russian war.
John Riggi, National Advisor for Cybersecurity and risk at the American Hospital associated said US hospitals have been working to prevent future attacks. The industry has trialed electronics and cloud-based services.
At the beginning of 2022, the 2021 Healthcare Cybersecurity Survey, released by the Healthcare Information and Management Systems Society found that 67 out of 167 healthcare cybersecurity professionals had experienced a significant security incident in the past year. What’s more, Emisoft, an antivirus software company found that at least 68 healthcare providers and more than 1,200 sites suffered ransomware attacks in 2021.
In 2021, cancer patients across the US had to postpone treatment after a cyberattack after Elekta, a company that provides software for machines required for radiation therapy, was hacked. This took cloud-based technology for 40 healthcare systems offline.
The healthcare industry was already straying behind others in terms of cybersecurity, in part due many hospitals spending a miniscule five percent of IT budgets on cybersecurity. Often, healthcare organisations don’t spend the money until it becomes too late, that is, after an attack has taken place. COVID-19 has exacerbated this problem, with hospitals investing even less in IT infrastructure.
It is imperative that healthcare organisations and individuals remain prepared as the threat of cyberattacks still exist. Hospitals should have plans in place in case the situation between Russia and Ukraine escalates.