Romeo Sánchez
Vice President of Engineering
Expert Contributor

Cybersecurity in Healthcare: Fighting the Ransomware Pandemic

By Romeo Sánchez | Fri, 07/09/2021 - 09:14

The onset of the COVID-19 pandemic was a challenge not only for the health professionals who had to care for hundreds of infected patients, in many cases without the necessary equipment, but also for IT teams, cybersecurity teams, and biomedical engineers. The increased influx of patients meant a notable increase in the use of prescription, billing, and telehealth systems, and of the medical devices connected to them. This increase drew the attention of cybercriminals, who have begun to look to health services as their new target. If the systems can’t be used, doctors and nurses cannot carry out their work, and the personal and clinical information of patients could be left at the mercy of cybercriminals, who seek financial gain first and foremost.

Despite how novel they may seem, cyber vulnerabilities and threats in healthcare are not recent. There have been warnings for several years. For example, vulnerabilities have been discovered in devices that deliver medication to sick patients and in Bluetooth-connected pacemakers, where an uncontrolled change in settings could be fatal to the patient. However, the most common and probably most profitable threat for cybercriminals is ransomware.

Ransomware is a type of malicious software that, after compromising a computer, hijacks its information to extort money from the victims, demanding payment of a ransom, typically in cryptocurrencies, to recover that data. Hijacking consists of making the computer's files unreadable and, more recently, also stealing them, with the consequent interruption of operations. It is enough for someone in the hospital to open a malicious attachment: the files on that computer are stolen and sent to the attacker, and later encrypted so that they can no longer be used.

This type of attack has exposed a lack of foresight on the part of health services, since many hospitals have neither data backups nor business continuity plans that would allow them to face this adverse situation. Worst of all, these attacks on health services have already claimed lives, even though some criminal groups promised not to attack hospitals. The truth is that, faced with the possibility of a large profit, attackers have no qualms.

A ransomware attack could be catastrophic for a hospital in different ways: from losing access to patients' clinical records, to the inability to operate its processes and damage to its reputation, not counting the human and economic losses that this entails. As an example, the 2017 attacks by a notorious ransomware called WannaCry left thousands of computers around the world unable to function, including those in dozens of hospitals that for several days could not provide essential health services, with the consequent death of patients because their systems were interrupted.

Nevertheless, the good news is that these problems can be avoided by following a prescription that has been proven effective when applied correctly. It all starts with building a continuity plan that first protects patient data in remote facilities, away from any local infrastructure. In addition, email is the main means of distributing ransomware, either by direct delivery of malware or by phishing traps that lure users to sites where their access credentials are stolen and later abused. That is why cybersecurity awareness campaigns for users, as well as the monitoring and control of remote access to systems, are extremely important to keep users from falling for this type of deception, which could be disastrous. Some hospitals have begun to move their critical data and patient records to cloud infrastructures, that is, infrastructure managed and secured outside of their facilities. Although this measure represents a great advance in the reliability of operations, it is not infallible, so it is essential to strengthen the security of the cloud infrastructure, adequately control access, and keep confidential data protected. Last but not least, frequent backups of files and data are paramount, so that if a ransomware attack renders them unusable, no ransom has to be paid because the data can be restored from the latest reliable backup.

Medical devices connected to the network, such as insulin pumps and ventilators, become especially vulnerable when they are not kept up to date with the latest versions of their software. Traditionally, these types of devices are not included in upgrade plans, making them potential entry points for attackers who discover how to exploit their vulnerabilities. It is necessary to constantly install security patches on such devices, just as you would with any other computer.

It would be naive to think that our organizations will not be attacked. Cybercrime has become a lucrative industry, and cybercriminals continue to modernize their techniques and attack at any opportunity that comes their way. This is all the more true because there are still victims who pay the ransoms, which is a clear signal to attackers that there is still business. It keeps them incentivized to continue looking for new victims and, in some cases, to hit the same victims over and over again. Just as we seek health on a personal level and seek to immunize ourselves against diseases, our healthcare systems should not be the exception, and they should have the necessary protections to be able to fulfill their mission: to keep patients safe.
