Cyberattacks are getting deadlier — and hospitals on the frontline are straining under increasing attacks.
As the Covid-19 pandemic swept the world over the past three years, cybercriminals took advantage of the chaotic situation and repeatedly shut down hospitals’ networks at a time when they were least able to respond. That has meant curtailed emergency services, canceled operations and more deaths.
As cyberstrikes take lives, it’s changing the calculation for how to respond to devastating hacks both at facilities inside the U.S. and in international conflicts like Ukraine. Cyberattacks have long been treated as a lower level of warfare than missile strikes, but as they hit hospitals and get more lethal, that could be changing.
It’s time “to view these types of attacks, ransomware attacks on hospitals, as threat-to-life crimes, not financial crimes,” said John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association. Ransomware attacks — in which hackers encrypt networks and demand payment to unlock them — have been some of the most common strikes against medical facilities.
While numbers for cyberattack-related hospital deaths are hard to come by because of the variety of contributing factors and the fact that deaths can occur weeks or months after an interruption in care, there are some deaths that have been directly attributed to a cyberattack.
A 2021 study from Proofpoint and the Ponemon Institute, which surveyed more than 600 health care facilities, found that mortality rates increased at a quarter of the facilities following a ransomware attack. In 2020, a ransomware attack forced a hospital in Düsseldorf, Germany, to close its emergency department, and a patient died in an ambulance while being rerouted to another hospital. In 2020, a woman sued an Alabama hospital after the death of her newborn baby, alleging that doctors failed to carry out critical pre-birth testing due to a cyberattack on the hospital, which meant the baby was born with the cord around its neck. This led to brain damage and — a few months later — the baby’s death, she argued.
And the pace of such cyberattacks has been increasing.
“Unfortunately, 2022 appears to be another record year in terms of the volume of attacks against U.S. health care and the volume of sensitive patient information which has been either stolen or compromised by these foreign-based cyber adversaries,” Riggi said.
The most immediate damage from most cyberattacks in the U.S. is still to businesses’ profits or people’s data — which hackers often steal. But the government also has a list of 16 “critical infrastructure” categories, including health care, where a cyberattack attack could cause major disruption to civilian services.
The Biden administration is not standing by idly, and plans to make hospital cybersecurity a key priority in the new year. A senior administration official, granted anonymity in order to provide details, said that this could include issuing executive orders to require certain health care cybersecurity standards, or supporting legislative efforts on this topic.
“Hospitals are a very targeted sector … it’s something we’re significantly concerned about,” the official said.
Nitin Natarajan, the deputy director of the Cybersecurity and Infrastructure Security Agency, warned in an interview that there’s an increasing need to focus on cybersecurity at hospitals over the next few years and “as time goes on.”
Even without figures that attribute deaths to hacks, it’s clear that attacks on hospitals have disrupted care at increasingly dangerous levels. In 2022, an attack on CommonSpirit Health, the nation’s second largest non-profit health system, compromised the personal data of over 600,000 patients, including electronic medical records, which allegedly caused one child to be accidentally given five times the amount of medication needed. An attack in November on three hospitals in New York forced doctors to move to paper charts, delaying care.
According to data from the CyberPeace Institute, the average cyberattack on a health care system leads to 19 days of patients unable to receive some form of care. In one case, a cyberattack led to around four months of disrupted medical care.
Charles Carmakal, chief technology officer at cybersecurity company Mandiant Consulting, said his company is currently working to help several hospitals recover from cyberattacks. He noted that “it can often take weeks for the organizations to recover their IT systems and have their caregiving operations return to normal.”
The problem is global. A ransomware attack last year on Ireland’s health care services agency led to a disturbance in patient services for months, including the cancellation of cancer treatment and maternity appointments and of Covid-19 vaccinations. And earlier this month, a hospital in the suburbs of Paris was forced to transfer neonatal and intensive care patients to other facilities after its phone and computer systems were encrypted.
And it’s a dynamic that could come into play as the U.S. and its allies try to figure out how to weigh cyberattacks in war.
Russia’s invasion of Ukraine earlier this year raised fears about the potential that Moscow would launch devastating cyberattacks against Ukraine that would spill into neighboring NATO countries. That could trigger NATO’s Article Five clause — which states that an attack against one member would be considered an attack against all. So far, a cyberattack has never led to this clause being used, but an attack on a health care facility that caused loss of life or serious human suffering could easily build a case for this.
“If a hostile nation state intentionally took down our grid or intentionally targeted hospitals to cause physical harm, then I think at that point all options would have to be explored and all responses to impose consequences on the nation-state involved,” Riggi said of the potential for a cyberattack on health care centers to trigger Article Five.
So far, most attacks against hospitals have been linked to cybercriminal groups, often based in Russia, but not directly to government hackers. Russian cybercriminal group Conti, for example, regularly uses hacks to extort money from hospitals, according to data from the CyberPeace Institute. Conti has connections to the Russian government, but not official ties.
Hospitals and health care groups are aware of the easy target they pose in cyberspace. The Hospital for Sick Children noted that it had prepared for a cyberattack of this nature, which made the response to last week’s attack faster. On an international level, the European Union’s Agency for Cybersecurity held an exercise earlier this year that simulated an attack on a health care system in order to evaluate the EU’s health sector’s attack readiness, similar to an exercise Estonia’s cybersecurity agency held this year.
Natarajan of CISA, who previously served as a director at HHS overseeing critical infrastructure programs, noted that when he originally started working in the hospital cybersecurity space 15 years ago, this was not a topic the health sector was eager to hear about.
“We’d knock on doors and they got slammed shut in our face,” Natarajan said. “I think if we look from there to where we are today, there has been a drastic movement.”
But much still needs to be done. Health care groups and hospitals aren’t always able to fully address cyber threats to their systems and to legacy medical devices.
The senior administration official placed the blame for this on a lack of cybersecurity mandates in this space, and the overall “sector under stress.”
“There’s definitely more awareness,” the official said. “What we haven’t seen that translate to is fundamental cybersecurity improvements.”