
Picture this. You’re a nurse and your 12-hour shift should have finished 40 minutes ago. You go to log out of the PC and you see an email from the consultant asking you to send some patient details. You mentally sigh (thinking they should be able to access this themselves but were probably too lazy) and reply with the file. You finish signing off and rush to get to the bus stop in time.
Compared to 2017, cyber attacks on hospitals increased 72% in 2023. Not only have they increased in number, but also in severity. This is one of the findings from an analysis of 18,009 cyber attacks on hospitals by Dr Anna Piazza and Dr Srinidhi Vasudevan.
Let’s return to being a nurse. At work the next day, after some (albeit limited) sleep, you open your emails. Only now do you realise the email you received last night looks a little… well, fishy. You call the consultant, who confirms that they did not, in fact, email you. Your heart and stomach sink.
Let’s get familiar with the different types of cyber attacks and see some examples of how they’ve manifested within healthcare.
Insider Threats
Threat: Moderate.
Risks: Unauthorized data access, sabotage.
Example: In 2022, a former staff member of BayCare Health System in Florida illicitly accessed patient records of 193,947 patients, resulting in the possible exposure of protected health information (PHI). The breach was attributed to tracking pixels utilized by Advocate Aurora Health, a partnering company. These tracking pixels, typically utilized for targeted marketing and monitoring visitor activity, inadvertently revealed information about patient engagements with BayCare Clinic’s patient portal. Reputation damage: Loss of trust and further scrutiny from the public and regulatory authorities. Financial loss: Class action against the company. Patient impact: Loss of privacy.
Phishing
Threat: Moderate
Risks: Unauthorized access to sensitive data
Example: In 2021, Finnish psychotherapy centre Vastaamo faced a phishing breach, exposing patient therapy records. Patients received ransom emails demanding a payment of EUR 200 in bitcoin to keep their discussions with their therapist from becoming public. Reputation damage: Loss of trust. Patient impact: Mental distress for patients who sought victim support services.
Distributed Denial of Service
Threat: High
Risks: Loss of critical services, impact on patient care.
Example: In 2020, the University of Vermont Medical Centre suffered a DDoS attack, affecting patient appointments and delaying elective procedures. Financial loss: USD 1 million.
Ransomware
Threat: Critical
Risks: Data loss, operational disruption
Example: The WannaCry attack in 2017 paralyzed the United Kingdom’s NHS, delaying treatment plans and rerouting ambulances. Financial impact: The attack cost the NHS over 92 million GBP. Patient impact: Over 19,000 appointments were cancelled and 34% of the NHS trusts were disrupted.
Man-In-The-Middle (MITM)
Threat: High
Risks: Interception of sensitive data and/or compromised patient care.
Example: In 2015, UCLA Health System experienced a breach from a MITM attack, which resulted in the theft of patient data and the compromise of 4.5 million patients.
Wearable Device Exploits
Threat: Moderate
Risks: Unauthorized data access, privacy breaches
Example: 61 million records of individuals containing sensitive health data were inadvertently leaked from an unsecured database belonging to the company GetHealth. Patient safety: Exposure of personal health information, breaching privacy and causing potential harm if data is tampered with.
Robotic Surgery Vulnerabilities
Threat: High
Risks: Surgical errors, patient harm
Example: In 2022, a group of researchers simulated cybersecurity attacks that could potentially disrupt a robotic-assisted surgery, resulting in unintended incisions. Patient safety: Surgical errors can result in bleeding, infection, and other adverse outcomes.
AI Based Attacks
Threat: Moderate
Risks: Misdiagnoses, compromised treatment recommendations
Example: AI-driven diagnostic tools may be intentionally manipulated, leading to incorrect diagnoses. These could be due to the limitations of the AI tool which exacerbate existing disparities and provide biased results. Impact on patient care: Delayed or incorrect treatment.
IoT Vulnerabilities
Threat: Moderate
Risks: Patient safety risks, data exposure
Example: In 2023, Medtronic’s insulin pumps were found vulnerable to remote attacks whereby an attacker on an adjacent network can alter the insulin dosage delivered to patients. Patient safety: Risk of insulin overdose.
In 2017, phishing attacks, like the one described, were the most significant threat. However, this landscape has now evolved. Dr Piazza and Dr Vasudevan identify Advanced Persistent Threats (APTs) as the most critically important form of attack: a form of ransomware where an intruder gains access to a system but remains undetected for long periods of time, often accessing sensitive data. Table 1 provides a quick summary, with examples, of these different kinds of attacks so that you can become (if you’re not already) a bit of a cyber security expert. Now, compared to 2017, these attacks are most commonly ransomware, cyber espionage, cyber terrorism, distributed denial of service and man-in-the-middle attacks.
Hospitals often lack the budget and technical expertise to protect against cyber threats compared to other industries. To give just two examples of recent cases in the UK with profound damages: the 2017 WannaCry attack affected NHS services, with an estimated 19,000 appointments cancelled; the 2022 attack on the NHS 111 service in the UK resulted in deaths and a data breach which led to the release of data impacting over 80,000 people. The European Union’s cybersecurity agency estimates that 53% of cyberattacks in the EU are targeted at healthcare organisations.
Dr Piazza and Dr Vasudevan’s research is critical to bridging the gap in dependable data showing the evolution of these cyber threats in healthcare. Without it, healthcare organisations will not be able to effectively counter cyber attacks. Dr Piazza and Dr Vasudevan do this by using multiple methods to map patterns and trends in different attack types and on different hospital types, utilising nonconventional databases, social network analysis, machine learning and natural language processing. They find, for example, that enhanced attacks, like cyber terrorism, are most likely in teaching and public hospitals, and less likely in community or children’s hospitals. To read more on the methodology they employed, take a look at the full research article, “Mapping the Cyberthreat Landscape in Healthcare Using GDELT: A Multimethod Approach” (Health Security), or reach out to the researchers!
Their approach highlights that whilst healthcare organisations have successfully warded off low-level attacks, there is exponential growth in high-level critical attacks. The methodology presented by Dr Piazza and Dr Vasudevan provides a framework to help institutions identify vulnerabilities, anticipate threats and implement proactive measures to mitigate these risks.
AI Disclosure statement: Generative AI was used to generate the cover image for this article. However, it was not used to write, edit or refine the text within this article.