Cyberattacks on Hospitals May Risk Patient Lives

  • The rising trend of cyberattacks on hospitals poses a danger to patient safety. The number of cyberattacks on hospital systems has nearly doubled in the past five years. 
  • Cyberattacks threaten private patient data at hospitals and can delay care by taking down online records and other vital clinical tools for surgeries or other time-sensitive treatments. 
  • The FBI and American Hospital Association (AHA) have several cybersecurity resources for hospitals to help protect their private data and educate staff on safe internet usage. 

Marcus L. Kearns

Nursing CE Central

March 01, 2024
Simmons University

A rising trend of cyberattacks on hospitals is endangering the lives of patients. In 2023, over 141 hospitals were the victims of cyberattacks and were extorted for over $1.5 million in ransom.

Cyberattacks on hospitals create a breach in private data systems, causing diversions and delays in patient care. These delays can be fatal when nurses and hospital staff lack access to necessary clinical tools.

The American Hospital Association (AHA) and FBI provide resources and tips for hospitals to help protect themselves from cyberattacks, but these protections require resources that not every hospital may have at its disposal.

Learn the basics of cyberattacks, why hospitals are being targeted, examples of the danger these attacks can cause, and how hospitals can protect themselves and their patients.

What is a Cyberattack?

According to IBM, a cyberattack is an intentional effort to steal, expose, alter, disable, or destroy data through unauthorized access to a network or computer system. The attacks can then be used to extort the victims for financial, political, or personal gain.

Cyberattacks rely on three primary infiltration tactics: malware, social engineering, and password theft. These tactics allow attackers, also known as threat actors, to access personal data, assets, and even decryption keys for encrypted data.

Why are Cyberattacks Targeting Hospitals?

At hospitals, the most common type of threat actor is a cybercriminal. Unlike other kinds of threat actors who may commit cyberattacks for ideological or emotional reasons, cybercriminals do so for financial gain.

This kind of cyberattack is also known as ransomware and can demand a ransom of up to $40 million. In 2018, hospitals paid an average of $1.5 million in ransom to attackers.

Hospitals historically pay the cyberattack ransom, and pay it quickly compared to other institutions, because hospitals understand that access to their online network can be the difference between life and death for their patients.

During an attack, cybercriminals gain access to patients’ personal information, such as social security numbers, addresses, dates of birth, and health records.

According to Emsisoft, a cybersecurity firm, cyberattacks on hospital systems nearly doubled in 2023 compared to the previous year (46 compared with 25 in the United States). Within these systems, 141 hospitals were attacked in 2023, and 70% of attacks resulted in stolen patient information.

Examples of Cyberattacks

To understand the reality of cyberattacks, it is important to understand what these attacks look like on a case-by-case basis and how they damage patient care.

A cyberattack in 2019 allegedly led to the tragic passing of a nine-month-old child. The attack took down an Alabama hospital’s online system for three weeks, disrupting normal communication and care in the labor and delivery ward.

The parents of the child claim that if the hospital’s system had been online, staff would have been able to more quickly assist the newborn, who was born with her umbilical cord wrapped around her neck. She sustained brain damage that eventually led to her death nine months later.

In November 2023, Ardent Health Services suffered a cyberattack at locations across three separate states. Emergency rooms at affected hospitals were forced to redirect ambulances as they had no way to access patient information or necessary clinical programs.

Last month, a Chicago children’s hospital was attacked, causing its entire network to go offline. Thankfully, nurses at the facility were able to transition to physical records.

One family remarked that it was comforting to have a nurse present during their 9-year-old’s infusion: “I would say they’re doing an amazing job in a stressful situation. They did everything they could do to keep us on schedule and make us feel comfortable.” However, the hospital cannot guarantee the safety of its 260,000 annual patients during a cyberattack.

How to Defend Hospitals from Cyberattacks

Some say that legislation should ban hospitals from paying the ransom during a cyberattack in hopes of disincentivizing cybercriminals from targeting them. The FBI also advises against paying cyberattack ransoms, as they say it will incentivize cybercriminals to attack more victims.

The American Hospital Association (AHA) has also created a “Preferred Cybersecurity Provider Program” to help hospital administrations pick trusted services when protecting their patients’ data. This is part of a larger AHA effort to educate hospitals on the danger of cyberattacks and provide resources through panels, educational blogs, and more.

“These are threat-to-life crimes, which risk not only the safety of the patients within the hospital but also risk the safety of the entire community that depends on the availability of that emergency department to be there.”
– John Riggi, AHA’s National Advisor for Cybersecurity and Risk

The AHA has 4 key tips to help prepare hospitals for a cyberattack: collaboration, expectations, interventions, and evaluations. These tips emphasize taking a proactive and multidisciplinary approach to invest in evidence-based cybersecurity practices before cyberattacks have the chance to strike.

The Bottom Line

Nurses understand the ethical obligation they have to a patient’s private information, and cybersecurity measures are a natural expansion of this obligation. Cyberattacks also risk the personal information of hospital staff members, expanding the potential harm an attack can cause.

It is vital that hospitals understand the unique damage cyberattacks can cause their patients and take the proper steps to protect personal data. This can include institutional cybersecurity initiatives as well as individual education for nurses and other staff on how to safely access patient data and protect it from unauthorized access.
