Could patients be at risk during a hospital cyberattack? It depends how far hackers are willing to go, expert says

Despite escalating threats, healthcare organizations still aren't investing enough resources into strengthening their security defenses, HIMSS' 2020 cybersecurity survey shows. (ranjith ravindran/Shutterstock)

Hospitals are facing a new wave of ransomware attacks even as they also struggle to confront a nationwide surge in COVID-19 cases.

In one recent incident, a cyberattack is believed to have contributed to the death of a patient. In September, a woman seeking emergency treatment for a life-threatening condition died after a ransomware attack crippled a nearby hospital in Düsseldorf, Germany, and forced her to obtain services from a more distant facility, according to media reports.

German authorities are investigating the unknown perpetrators on suspicion of negligent manslaughter, the AP reported.

Could this signal an alarming trend with cyberattacks?

It depends how far attackers are willing to go for financial or disruptive gain, said health IT expert Rod Piechowski, vice president of thought advisory at the Healthcare Information and Management Systems Society (HIMSS).


Historically, hackers have threatened the confidentiality of medical information through data breaches where they obtain Social Security numbers or financial data. But if hackers threaten the integrity of medical data, such as by changing laboratory values or hacking a remote medical device, that could pose a very real danger to patients, Piechowski said while speaking to reporters about HIMSS' 2020 cybersecurity survey.

"If they can break into the systems and start to threaten patients if organizations don’t provide some kind of ransom, that’s going to be a dangerous situation. I’m not going to dare to predict, but if you look historically at where we've been, I don’t see it as an impossibility," he said.
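The distinction Piechowski draws, between a breach that exposes data and an attack that silently alters it, is what integrity controls exist to catch. The following is an added illustration, not code from the article, HIMSS or any vendor: it shows a constructed lab result sealed with an HMAC so that a later edit to the stored value is detected, beside an unsealed copy where the same edit leaves no trace. The key, record fields and values are assumptions for the demonstration.

```python
import hmac
import hashlib
import json

# Assumed: a secret held by the lab system that writes results, never by the
# clients that only read them. In practice this would come from a key store.
KEY = b"hospital-lab-integrity-key"

def canonical(record: dict) -> bytes:
    # Deterministic serialisation so the tag does not depend on key order or spacing.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict, key: bytes = KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its canonical form."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}

def verify(record: dict, key: bytes = KEY) -> bool:
    """True only if the stored tag matches a fresh computation over the body."""
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the comparison fails via timing.
    return hmac.compare_digest(expected, record.get("tag", ""))

def tamper(record: dict, field: str, value) -> dict:
    """Simulate an attacker with write access to the datastore changing one field."""
    altered = dict(record)
    altered[field] = value
    return altered

# Constructed sample record; the identifiers and values are illustrative only.
SAMPLE = {
    "patient_id": "MRN-000123",
    "test": "serum_potassium_mmol_L",
    "value": 4.1,
    "collected": "2020-11-02T08:15:00Z",
}

def demo():
    sealed = seal(SAMPLE)
    intact = verify(sealed)
    # Attacker rewrites a normal potassium value as a critically high one.
    forged = tamper(sealed, "value", 7.9)
    detected = not verify(forged)
    # Same edit on the unsealed record: there is nothing to check against.
    plain_forged = tamper(SAMPLE, "value", 7.9)
    silently_changed = "tag" not in plain_forged and plain_forged["value"] != SAMPLE["value"]
    return intact, detected, silently_changed

if __name__ == "__main__":
    print(demo())
```

The tag only helps if the key is kept away from the systems an attacker is likely to reach, and it does nothing against ransomware that simply encrypts the datastore; it addresses the integrity threat in the paragraph above, not availability.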

The FBI recently issued a warning to U.S. hospitals and healthcare providers of imminent cybercrime threats. The advisory cautions healthcare providers to take "timely and reasonable precautions to protect their networks from these threats."

What the survey found

Despite these escalating threats, healthcare organizations still aren't investing enough resources into strengthening their security defenses, HIMSS' cybersecurity survey shows.

Seventy percent of healthcare organizations reported they had a significant security event in the previous 12 months, with 57% of organizations reporting that they've been hit with a phishing attack, according to the survey, which is based on responses from 168 healthcare cybersecurity professionals.


While most of these security incidents resulted in a disruption of information technology or business operations, some respondents reported impacts to clinical care as well.

Nearly 1 in 5 said security incidents disrupted or damaged systems and devices. Delays in care can endanger patient safety. The consequences can be severe, even resulting in patient death, according to the HIMSS report.

What's more, most of these organizations said they did not have effective mechanisms in place to detect patient safety impacts resulting from significant security incidents. To bridge this gap, healthcare cybersecurity professionals should be collaborating with patient safety professionals within their organizations, and vice versa, the HIMSS report said.

Healthcare organizations are lagging in critical security practices. Only 50% of organizations are conducting comprehensive end-to-end security risk assessments. While this number has grown from 37% in 2019, it still means half of organizations are not assessing their full environment, which Piechowski called alarming.

When it comes to basic security controls, 89% of organizations use firewalls and 91% had antivirus software, the survey found.

"If you think about how many healthcare organizations there are in the world, even if only 1% don’t have a firewall, that is a lot of opportunity for someone to attack," he said.

During the COVID-19 pandemic, the attack surface for healthcare organizations has grown as employees work remotely from home. At the same time, health systems are heavily reliant on legacy systems, such as Windows Server 2008, Windows 7 and Windows XP. All three have reached the end of Microsoft support and no longer receive security patches outside paid extended-support arrangements, which leaves them exposed to known, unpatched vulnerabilities.


Legacy systems are often technically difficult and prohibitively expensive to rectify, but there is an urgent need to upgrade these systems, Piechowski said.

Under-investing in security

One significant barrier is that healthcare organizations are resource-strapped, and budgets may be even tighter in light of the COVID-19 pandemic and decreased revenue streams, the report said.

According to the survey, organizations dedicate only 6% or less of IT budgets to cybersecurity, and that hasn't changed since 2018.

Despite the financial challenges, healthcare organizations need to make cybersecurity a fiscal, technical and operational priority, Piechowski said. That includes upgrading or replacing legacy systems, conducting end-to-end security risk assessments and increasing cybersecurity budgets.

"It comes down to, as individual organizations or as a society, how do we afford to do this in the right way? We are now much more dependent on digital systems and we see the future as being completely digitized," he said.

He added, "I hope it isn't going to take a critical situation. I hope that organizations start to see the huge value in improving their systems. The damage is not just reputational. We’re talking about lives. Healthcare is about protecting lives and health. The boards of directors at these organizations should realize they need to put some money behind it."