IRL Impact: How healthcare attacks put lives at risk

Last week we wrote about how the US government is responding to a wave of cybersecurity attacks against healthcare systems. And today, we’re still talking about healthcare – but we want to focus on the real-life impact of healthcare attacks on victims, including hospital patients. 

Cybersecurity is often seen as cyber-only. But attacks like these highlight the reality that cybercrime has very real implications for human lives – and cybersecurity is about protecting people, not computers. 

Ambulance services affected by cyberattacks 

Graham Cluley recently wrote about an attack against the Westchester Medical Center Health Network in New York. The attack affected the computer systems of a number of hospitals and residential care centres, resulting in all the network’s connected IT systems being shut down, before they were gradually brought back online over the course of two days. 

As a result, ambulances had to be diverted to other hospitals – even when that meant longer distances and patient wait times. Although the patients in question still received care, this attack serves as a stark reminder that cybercriminals can have a very serious impact on critical services. 

In July this year in the UK, another attack left two National Health Service (NHS) ambulance trusts without access to their electronic patient records. Those two trusts serve approximately 12 million people. As reported by the BBC, this meant that ambulance crews were arriving at the scene of emergencies without information about patients’ medical histories, allergies, and medications – delaying the process of diagnosing conditions and providing medicines, and potentially putting patients at risk. 

Surgeries and other treatments can be dangerously delayed

In 2022, a ransomware attack delayed patient surgeries and appointments at hospitals across the US. NBC News reported the attack against CommonSpirit Health, one of the largest health systems in the country, which resulted in some systems being taken offline – and accounts directly from patients explained how vital surgeries were delayed. 

And in September 2023, the Wall Street Journal revealed that hundreds of cyberattacks against healthcare organisations this year have forced hospitals to turn patients away. The attacks have disabled equipment, frozen data, taken down internet connections and medical applications, and brought operations to a standstill. 

It’s not that this has never happened before. In 2017, for example, the NHS was ‘left reeling’ from a cyberattack that meant hospitals were unable to perform X-rays or print patient identity data on hospital wristbands; and both scheduled surgeries and emergency services struggled to continue. 

But this year shows that these attacks are becoming more frequent – and the risk to healthcare services is not restricted to the digital realm. 

What are the stats on disruption? 

The impact varies from country to country, and from healthcare service to healthcare service. And it’s important to note that it’s easier to find data on some countries than on others. 

A 2023 survey by the Ponemon Institute (conducted on behalf of cybersecurity firm Proofpoint) found that 66% of healthcare organisations reported disruption to patient care due to cyberattacks, and 88% experienced an average of 40 attacks over the preceding 12 months. 

The average cost of an attack was USD $4.99 million – up 13% from the previous year. 

And supply chain attacks were found to be the most likely threat type to affect patient care. Of the 653 organisations surveyed, 64% had experienced a supply chain attack within the last two years, and 77% of those suffered disruptions to patient care as a result (up from 70% in 2022). 

On a positive note, it does seem that healthcare leaders are working to understand cybersecurity and cyber risks more clearly. Ryan Witt (Chair, HealthCare Customer Advisory Board at Proofpoint) said in a press release, 

“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause.”

“Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”

More healthcare organisations and patients around the world are experiencing the tangible impacts of attacks against healthcare systems. And that’s not good – but it does mean that cybersecurity is impossible to ignore. 

Healthcare leaders have to pay attention and work closely with cybersecurity experts to increase resilience and improve threat detection. So security improvements in the sector are likely to pick up pace.