Fri | Mar 12, 2021 | 3:15 AM PST

Cybersecurity is not just about data and network security; it's about life security.

Cyberattacks can have very personal consequences. We have seen examples of this throughout 2020 with an increase in cyberattacks targeting the healthcare sector due to the pandemic.

The pandemic has also exposed some existing weaknesses and challenges of cybersecurity in healthcare. 

The CyberPeace Institute has released a report detailing how cyberattacks on healthcare are also attacking individuals. The organization believes part of the problem is that the international community is lagging behind the reality of threat evolution and impact.

#1 key finding on cyberattacks in healthcare

The first key finding from the CyberPeace Institute report is that attacks on healthcare are causing direct harm to people and are a threat to health globally.

"When healthcare providers are attacked, it is the people who suffer. While the targets of attacks are most often portrayed as the healthcare organizations or service providers whose data or infrastructure was compromised, the direct victims are healthcare professionals and patients.

Whilst disruption of medical services and IT systems have an immediate impact on the process of patient care, healthcare professionals and patients are also suffering less visible impacts: acute stress from being in an incident response situation, psychological impact of having private information stolen by criminals."

It also notes that attacks on healthcare are creating a loss of confidence in the sector's cybersecurity and erosion of trust in the ability to protect patient data, which all contribute to confusion and harm in society.

#2 key finding on cyberattacks in healthcare

The second key finding from the report is this:

"Attacks are increasing and evolving as they continue to exploit vulnerabilities in the healthcare sector's fragile digital infrastructure and weaknesses in its cybersecurity regime.

The COVID-19 pandemic gave rise to a concerning convergence of malicious and irresponsible behaviors: vaccine research centers are targets of cyberespionage; hospitals are held to ransom with little choice but to pay to maintain operations; healthcare professionals and international health organizations are targeted with a blend of disinformation and cyberattacks aimed at undermining their credibility. As national statistics have shown, data breaches against healthcare in 2020 have increased significantly."

The report also points out three weaknesses of cybersecurity in healthcare:

  1. Healthcare has a fragile digital infrastructure
  2. Cybersecurity in healthcare is underfinanced
  3. Technical and human resource limitations are preventing a healthy information-sharing environment within healthcare

#3 key finding on cyberattacks in healthcare

The third key finding from the report discusses how attacks on healthcare are low-risk, high-reward crimes.

"Threat actors enjoy near impunity, as attribution and prosecution lag behind. The enforcement and prosecution rate for threat actors involved in attacks on healthcare is extremely low. This stems notably from the underreporting of attacks, from the lack of resources in law enforcement and the judiciary, and from shortfalls in attribution.

In addition, opportunities offered by legal instruments—such as investigative cooperation—and enforcement mechanisms—such as sanctions—are rarely used systematically in the case of attacks against healthcare and are complexified by geo-political agendas in the case of state or state-sponsored attacks."

Researchers also note that attacking healthcare is a lucrative global business. The data healthcare organizations hold includes an abundance of sensitive information, making it a highly profitable target for cybercriminals and nation-state actors.

Recommendations from the CyberPeace Institute

The report offers four recommendations for combatting cyberattacks in healthcare:

  1. Document attacks and analyze their human and societal impact.
  2. Improve healthcare preparedness and resilience.
  3. Activate technical and legal instruments to protect healthcare. 
  4. Hold threat actors to account.

For more details on the key findings and recommendations from the CyberPeace Institute regarding cyberattacks on healthcare, you can read the full report, Playing with Lives: Attacking Healthcare is Attacking People.