The UK’s NHS was one of the key casualties of the WannaCry ransomware cyber-attack that struck organizations worldwide on 12 May, 2017.
The spread of the malicious software, which blocks access to data and demands money in return for restored access, has been described by Europol as unprecedented in its scale.
The attack led to chaos and disruption across many NHS trusts, with staff unable to access patients’ medical records and appointments and operations being cancelled.
Rapid rise in cyber-attacks on healthcare industry
Cyber-attacks on healthcare organizations are growing at an alarming rate. In 2016 there were 93 major cyber-attacks on healthcare organizations in the US, representing an increase of 63% on the previous year.
On a global scale, healthcare is now the most frequently targeted industry for cyber-crime, receiving even more attacks than the finance industry in recent years.
Easy target for cyber criminals
Over the past decade, mounting demands from increasingly aged populations have increased reliance on technological solutions capable of enhancing the accuracy and efficiency of patient care.
This includes usage of electronic health records and remote monitoring devices that can aid in the management of chronic health conditions such as cardiovascular diseases and diabetes.
However, in many cases insufficient advances have been made to the security systems designed to protect patient data, resulting in the industry becoming an easy target for attacks.
In a survey of IT and IT security practitioners in healthcare organizations, only 33% rated their organizations’ cyber security as very effective.
Insufficient staffing and finances, a lack of collaboration with other functions, and a failure to recognize cybersecurity as a priority were cited as key barriers to the implementation and management of effective systems.
Healthcare information highly valued by hackers
Healthcare records often contain multiple types of sensitive information, including a patient’s name, address, date of birth, national insurance number and medical history.
For those committing fraud and identity theft, this wealth of information is invaluable.
This is particularly the case as this type of information often cannot be changed following a data breach – unlike other types of information such as credit card numbers.
Indeed, healthcare records typically sell for much higher prices on the black market in comparison to credit card numbers.
Moreover, timely access to healthcare data is imperative for the health and safety of patients.
In extreme cases such as emergency operations, loss of access to patient data could be life-threatening.
This gives hackers a strong incentive to hold healthcare data to ransom.
In February 2016 a US hospital paid hackers $17,000 in the digital currency Bitcoin to release its data.
Increased levels of investment in cyber security are urgently needed across the healthcare industry in order to provide the expertise and resources required to prevent compromises to patient safety and security.
Security stocks have surged in the wake of the recent ransomware attack, indicating that the scale of the breach has prompted a shift in attitudes towards the importance of cybersecurity and the need to increase organizational resilience.
Healthcare, which has traditionally lagged behind other industries in this area – but arguably has the most at stake – must be at the forefront of this change.