The Cybersecurity Threat Ailing Healthcare

April 3, 2024
The Fletcher School, Tufts University

The Issue:

Data breaches and cyberattacks on hospitals and other healthcare facilities are on the rise. Hospitals and other healthcare organizations are highly susceptible to cyberattacks, including ransomware and data breaches, due to their vast collections of sensitive and valuable patient information, limited resources, legacy software, and need to interface with specialized medical technologies. Additionally, hospitals’ need to resume operations as quickly as possible following attacks in order to continue caring for patients has meant that they often pay ransom demands, causing more criminals to target them with similar such attacks. The resulting attacks on healthcare systems have caused major disruptions to patient care as well as massive financial losses for healthcare institutions.

Reported ransomware attacks aimed at hospital systems nearly doubled from 2022 to 2023.

The Facts:

  • Reports of costly and disruptive cyberattacks on healthcare facilities have been rising over the past few years. During a ransomware attack, malicious software encrypts data on a computer system, making it unusable. The criminals will often also steal the data from the system and hold it hostage until a ransom amount is paid. Of the 16 critical infrastructure sectors tracked by the FBI’s 2023 Internet Crime Report, healthcare had the highest number of organizations fall victim to ransomware attacks in 2023 (see chart). The number of reported ransomware attacks directed at U.S. hospital systems nearly doubled from 2022 to 2023, indicating that cybercriminals are increasingly targeting healthcare institutions. While it is difficult to know exactly how many hospitals paid the ransoms demanded in these cases, or how much those ransoms were for, charges filed by the U.S. Department of Justice in 2023 against Russian cybercriminals indicate that hospitals paid more than $100 million in ransoms to just one group of cybercriminals. This suggests that hospitals are perhaps more prone to making ransom payments than other types of institutions and may therefore be more likely to be targeted by criminals.
  • There are several significant security challenges posed by hospital computer systems. One is that hospitals often have limited resources and expertise to devote to cybersecurity, but this is true at many other types of organizations as well. Another critical challenge for healthcare institutions is that they are often forced to run software that is compatible with older equipment and systems that they rely on for patient care. Trying to update operating systems or other software may cause problems in their systems’ ability to interoperate with older equipment, forcing hospitals to stick with older versions of software to enable compatibility with legacy systems. This makes it harder to install updates or upgrade hospital computer systems, creating major security vulnerabilities.
  • Ransomware attacks can cause significant disruptions to patient care. For instance, a 2021 ransomware attack on Scripps Health in San Diego resulted in a loss of electronic health records, imaging systems and telemedicine that impacted hospital operations for four weeks. Clinicians had to revert to manual processes, including the use of paper medical records, and ambulance traffic had to be diverted to other facilities. Adjacent hospitals that were not directly targeted by the attack were also impacted: they experienced increased emergency department and ambulance arrivals, with a concomitant increase in waiting room time for patients and an almost doubling of the number of patients who left without being seen.
  • Hospitals also face more dire consequences in the face of cyberattacks than many other institutions. In some cases, hospitals may have to shut down, or stop admitting new patients, forcing patients to travel further to another facility. In 2020, a hospital in Düsseldorf, Germany, suffered a ransomware attack and was unable to treat patients, so it sent a woman to another city for treatment, and she died while being transported to the other hospital. In 2019, a baby born at the Springhill Medical Center in Alabama during a ransomware attack died 9 months later. The mother later filed a lawsuit alleging that her child’s death was due to medical complications that resulted from the delivering doctor’s inability to access timely patient data because of an ongoing ransomware attack. These types of stories indicate the very high stakes that hospitals face when deciding whether or not to pay ransoms, and the reasons that they may often decide to make such payments in spite of the risk of inviting more such attacks in the future.
  • Healthcare cyberattacks can also have massive financial impacts, even when they do not directly impact patient care. For instance, in 2024 a ransomware attack on Change Healthcare, a company that provides billing software to healthcare providers, cost hospitals billions of dollars because they were unable to use the software they needed to file claims with health insurers. These financial losses can further strain healthcare providers’ IT budgets and make it even more difficult for them to find resources for upgrading and updating their computer systems. Moreover, insurance coverage for cyberattacks can be difficult for hospitals to claim in cases like the Change Healthcare incident, where they are not the direct victims of the attack but are instead suffering the consequences of their vendors’, or in some cases even their vendors’ vendors’, vulnerabilities.
  • There are still relatively few regulations and rules that govern healthcare data security, leaving cybersecurity decisions largely at the discretion of individual healthcare providers and organizations. The Biden administration has shown some indications of wanting the Health and Human Services Department to set baseline cybersecurity requirements for healthcare providers, but those efforts are still in their early stages. The administration has also requested $800 million in funding in its proposed budget for 2025 to help provide resources to hospitals that need to improve their cybersecurity.

What this Means:

Healthcare institutions remain extremely vulnerable to cyberattacks due to the combination of storing lots of valuable information, supporting many insecure, legacy systems, and needing to get their systems back up and running as quickly as possible, making them especially susceptible to offering large ransom payments in response to extortion demands. While regulators have proposed some funding and cybersecurity requirements to help hospitals improve their security postures, these efforts are still in development, and for now, criminals continue to target healthcare institutions with increasing frequency. These attacks can have massive consequences on both hospitals’ finances and patient outcomes, highlighting the need for more stringent requirements and oversight of hospital computer systems and security controls.

Topics:

Cybersecurity / Public Health
Written by The EconoFact Network. To contact with any questions or comments, please email [email protected].