Ransomware attacks against hospitals are having direct consequences for patient care as a result of the reduced availability of systems and services when cyber criminals encrypt networks.
According to a survey of healthcare organisations, ransomware attacks have resulted in patients being kept in hospital longer, delays in tests and procedures – and, most disturbingly of all, an increase in patient deaths.
The research into the impact ransomware has on hospitals and patient care was conducted by The Ponemon Institute think tank and cybersecurity company Censinet.
Ransomware is a major cybersecurity issue for all industries, but attacks against healthcare have a huge impact because of the potential consequences for patient care. If a retailer or a supermarket is compromised with ransomware, customers can often go elsewhere for their products – but in the case of hospitals, that's not really an option.
It's why targeting hospitals has become a lucrative business for criminal ransomware operations – the nature of healthcare and the requirement for constant access to systems means that, in many cases, the victim will give in and pay the ransom demand for a decryption key.
The results of the survey, based on answers from 597 IT and IT security professionals working in healthcare, paint a picture of hospitals struggling to protect against and deal with the fallout from ransomware attacks – and all of this at a time when healthcare has been feeling the strain of the coronavirus pandemic.
Just over a third (36%) of respondents at hospitals affected by a ransomware attack saw an increase in complications for patients following medical procedures, while seven in 10 saw delays in procedures and tests resulting in what's described as "poor outcomes". Seven in 10 patients also had a longer stay at the hospital due to the ongoing consequences of a ransomware attack.
One in five respondents who worked at a hospital that had been hit by ransomware said the incident led to an increase in deaths.
Official reporting that examines the direct impact of ransomware on patient mortality is opaque at best. In September last year, it was reported that a patient died while being transferred to another hospital after the German hospital they were at was hit by a ransomware attack.
Police launched an investigation into the death to determine if the cyber criminals who launched the ransomware attack were responsible for it. However, they came to the conclusion that the patient was in such poor health that it was still likely they would have died.
While healthcare is a tempting target for ransomware because of the critical nature of the industry, funding issues around cybersecurity don't help. Hospital budgets are often stretched, meaning that investment in IT infrastructure and cybersecurity can end up low down the priority list.
This can lead to cybersecurity issues, such as failing to patch known vulnerabilities or failing to update operating systems to the latest version, becoming big problems, both of which can be exploited by cyber criminals to launch ransomware attacks.
Budgets are tight, but if healthcare organisations can invest in the technology and security staff required to help discover and fix vulnerabilities in endpoints and networks, it can go a long way towards keeping hospitals – and patients – safe from the impact of cyberattacks.
"Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers," said Larry Ponemon, chairman and founder of the Ponemon Institute.