Authored by: Debanjoli Chowdhury
Art by: Fiona Reilly
In recent years, hospitals across the country have been hit hard by increasing cyberattacks, and these threats show no signs of slowing down. Cybersecurity breaches can put millions of patients' sensitive financial and medical information in grave danger. To protect patients' private data, healthcare systems often pay large ransoms to cybercriminals, which leaves these systems vulnerable to expensive cyberattacks. In a particularly horrific example, UnitedHealth, an American health insurance company, paid $22 million in ransom to cybercriminals to regain access to sensitive patient data [1]. This enormous payment was one of many cases across the country where hospitals lost a significant amount of money due to a flawed cybersecurity system that left patient information in constant jeopardy. The issue is common because hospitals across the country use electronic medical records and rely on many digital medical devices, especially in anesthesia and intensive care. Ventilators, anesthetic machines, pacing devices, organ support, and a plethora of monitoring modalities are all in danger of being hacked by cybercriminals, which makes this issue highly relevant today and emphasizes the need for improved policies and interventions that target such vulnerabilities in healthcare systems [2].
There have already been multiple recent attacks on the healthcare system by particularly vicious cybercriminal groups. For example, a group called ALPHV has been involved in multiple recent cybercrime cases. In one alarming instance, Lehigh Valley Health Network refused to pay the ransom demanded by the cybercrime gang ALPHV/BlackCat. In response, ALPHV/BlackCat posted online nude photographs of breast cancer patients receiving treatment, exemplifying both the alarming nature of cybercrime and the consequences of not controlling it, such as the severe violation of patient privacy [3]. Another such attack targeted Change, a unit of UnitedHealth Group, which was also hacked by ALPHV/BlackCat on February 21, 2024. This unit handles a third of all patient records in the U.S., so an attack on it poses a clear and present threat to American security. Thus, groups such as ALPHV pose a serious threat to hospital systems in the U.S. and need to be recognized and dealt with as such.
Many experts believe that cybersecurity has become a larger issue in the healthcare sector because too few resources are allocated to defending against cybercrime. The COVID-19 pandemic further exacerbated cybersecurity concerns due to healthcare professionals' increased reliance on technology. More specifically, patients' digital records were exposed to a rising number of phishing incidents, where cybercriminals trick people into giving away sensitive information. There have also been incidents where hackers install malware on healthcare computer systems that prevents healthcare professionals from accessing computer files containing important patient information. Because of the importance of the patient files, the hackers often demand a high ransom from the healthcare systems for the safe and prompt return of the information [4]. Even post-pandemic, cyberattacks are still a very dangerous reality. Some hospitals continue to use outdated, unsecured networks that leave them vulnerable to cyberattacks. Due to a lack of funding, many hospital systems are using outdated security systems. Thus, current cybersecurity leaves many opportunities for hackers to breach these mediocre systems, which can leave many patients' data wide open to attack. A heavy burden falls on hospitals, especially smaller hospital groups, since they need to invest their money in paying their staff and keeping technology such as MRI equipment up to date, and they often cannot afford to pay the hefty sums demanded by cybercriminals. Thus, the growing incidence of cyberattacks has disproportionately affected smaller groups, which may not be able to absorb the damages from the attacks as well as their larger counterparts.
Given the frequency and severity of these attacks, many researchers and experts in cybersecurity are calling for further legislation to provide better funding for cybersecurity efforts, especially for smaller practices. For example, the Biden administration called for additional funding of $800 million to help improve hospital systems' cybersecurity as part of its recent budget proposal. It is not yet clear whether this will be passed, but there has been optimism surrounding the possibility and what it could do to help with the increased incidence of cyberattacks [2]. If passed, this can help fund many beneficial programs, such as cybersecurity education programs for healthcare professionals, since studies show that approximately 95% of healthcare industry breaches result from human error [5]. Experts are also pushing for cybersecurity education to be required teaching material in pre-licensure and advanced practice nursing programs [6]. Despite the dangers presented by cyberattacks, many measures are being taken to resolve these issues and hopefully prevent further attacks on the American healthcare system. However, healthcare systems need to improve their security through comprehensive strategies that can bolster the infrastructure of their electronic databases to protect patient privacy and safety. If they don't, they risk continuing to endanger patients in the future, which can be not only expensive but also unhealthy and dangerous.
References
Abelson, R. (2024, May 23). Fallout from cyberattacks at Ascension hospitals persists, causing delays in patient care. The New York Times. https://www.nytimes.com/2024/05/23/health/cyberattack-ascension-hospitals-patient-data.html
Cartwright, A. J. (2023, April 24). The elephant in the room: cybersecurity in healthcare. Journal of Clinical Monitoring and Computing. https://link.springer.com/article/10.1007/s10877-023-01013-5
Abelson, R., & Sanger-Katz, M. (2024, March 29). 4 things you need to know about health care cyberattacks. The New York Times. https://www.nytimes.com/2024/03/29/health/cyber-attack-unitedhealth-hospital-patients.html
He et al. (2021). Correction: Health Care Cybersecurity Challenges and Solutions Under the Climate of COVID-19: Scoping Review. J Med Internet Res, 23(4), e29877. https://doi.org/10.2196/29877
Jerry-Egemba, N. (2023). Safe and sound: Strengthening cybersecurity in healthcare through robust staff educational programs. Sage Journals, 37(1), 21-25. https://doi.org/10.1177/08404704231194577
Kamerer, J. L., & McDermott, D. S. (2023, August 11). Cyber hygiene concepts for nursing education. Nurse Educ Today, 130, 105940. https://pubmed.ncbi.nlm.nih.gov/37595324/
