Cyber-Attacks on Healthcare Institutions on the Rise: Public Health Watch Report

Some 90% of healthcare organizations represented in one study had experienced a data breach in the past 2 years alone.

With news this week that White House officials were fooled by a self-proclaimed “email prankster”—who posed as Jared Kushner, President Donald Trump’s advisor and son-in-law, and recently ousted Chief of Staff, Reince Priebus, during correspondences with various cabinet members—it’s worth remembering that there are cybersecurity implications for healthcare institutions as well.

As noted in a Washington Post report on July 13, 2017, we have entered a “new era of cyber-conflict,” and healthcare is hardly, well, immune. As part of what the Post describes as a strategy of “disruption and constant harassment designed to signal capability and the threat of escalation,” multiple healthcare facilities, from England’s National Health Service to private, university-based hospitals here in the United States, have experienced cyber-attacks, with dramatic consequences.

A commentary published on July 12, 2017 by The New England Journal of Medicine (NEJM) highlights some of the potential hazards. The authors cite a survey conducted by the Ponemon Institute, which found that some 90% of participating healthcare organizations had experienced a data breach in the past 2 years alone, and that 64% had experienced an attack targeting medical files in 2016 (a 9% increase over 2015).

“Multiple causative factors are involved in the uptick in attacks against healthcare systems, but some reasons cited… include low organizational vigilance, inadequate staffing and funding for information technology security, insufficient technology investment, and the underlying value of healthcare data as compared with data from other industries,” the authors of the NEJM commentary write. “Such attacks can render clinical systems unusable, with negative effects on core hospital operations, such as delays in surgical procedures, lab-result reporting, and bed management.”

Perhaps worst of all, according to the commentary authors, healthcare systems have few, if any, real options in the face of such attacks: They can respond to a so-called “ransomware” data breach by paying off the perpetrators (usually in the form of cyber currency such as Bitcoin) or by moving to often unreliable back-up systems that may not have the most up-to-date clinical data. (Imagine treating a patient with a severe infection without their most recent bloodwork.) In another survey cited by the authors, more than 50% of participating hospitals reported suffering a ransomware attack in 2015-2016.

As disruptive as these attacks are to hospital operations—and thus, clinical care—there is another issue: protection of patients’ personal health information. Even in 2017, patients with infectious diseases such as HIV and hepatitis C are still stigmatized and most, if not all, would still like to disclose their health status on their own terms, rather than having it disseminated for them, by an anonymous hacker sitting at a weaponized keyboard.

And so, although email banter among political leaders—both real and fake—might provide some amusement, the overall trend of these attacks is hardly a laughing matter. With these incidents on the rise, hospitals and healthcare practices need to ensure that their own cybersecurity systems are healthy.

Call it a part of patient care in the Internet age.

Brian P. Dunleavy is a medical writer and editor based in New York. His work has appeared in numerous healthcare-related publications. He is the former editor of Infectious Disease Special Edition.