Lifesaving technology, CT scanners, MRIs and heart monitors can all be targets for cyber criminals.
Hackers are targeting hospitals at alarming rates, with 6 in 10 health care companies hit by ransomware attacks in the past year. Cyber criminals can hijack a hospital’s operating system, preventing access to data until a ransom is paid, paralyzing hospital systems for days.
“When hospitals are attacked, lives are threatened. That’s the bottom line,” said John Riggi, the cybersecurity and risk national advisor for the American Hospital Association.
Ransomware is their biggest concern now because it has the biggest impact on patient safety, he said.
“These are not white-collar crimes. These are not data-theft crimes. These are threat-to-life crimes,” Riggi said.
Anne Wolf told NBC her long-scheduled open-heart surgery was delayed after doctors lost access to her medical records in November. Ardent Health Services, which oversees 30 hospitals in six states, was hit by a ransomware attack.
In August, Prospect Medical Holdings, which owns 170 medical facilities, took its national computer systems offline after it discovered a ransomware attack. Patient treatments were canceled, outpatient facilities closed and doctors had to use pen and paper instead of computers to record patient data.
And in 2016, MedStar Health, which serves hundreds of thousands of patients in the D.C. area, was hit with a ransomware attack. It forced the health system to shut down computers and cancel patient appointments, including putting off life-saving treatments such as radiation therapy.
“These devastating attacks basically take over a hospital network, rendering it incapable of delivering care,” said Dr. Christian Dameff, an emergency physician who also is a hacker and security researcher at the University of California, San Diego.
Preparing to continue operations if systems go dark
Dameff's team conducted several simulated ransomware attacks to see just how equipped doctors and hospitals are if their entire system goes dark.
“We interviewed the doctors afterward and said, ‘How do you think that went?’ And they said, ‘I would have never imagined a world where I had to take care of patients without all of this connected technology. And when it’s not there, this patient would have suffered consequences of this, up to death, potentially.’”
According to the American Hospital Association, many hospitals are prepared to continue operations without any technology for up to 72 hours, and some for about as long as 96 hours.
Cybersecurity experts say that’s not enough. They believe hospitals should start developing downtime procedures to sustain a full loss of technology for up to 30 days.
How close are hospitals to reaching that goal?
“Quite frankly, we’re in the beginning stages,” Riggi said.
'Cat-and-mouse game'
A number of security measures are in place. Hospitals have begun boosting their cybersecurity budgets and hiring staff where they can. Some have ransomware insurance in the event of an attack, all in an effort to fight back against an invisible threat.
“We can't even begin to imagine the types of cybersecurity attacks that will come into being in five or 10 years,” Dameff said. “I mean, it's going to be this cat-and-mouse game where malicious hackers will continue to innovate and we're going to have to continue to play catch-up.”
While the threat to hospitals is increasing, cyber security experts say personal medical devices with Wi-Fi connectivity are potentially vulnerable too. These include medical devices such as pacemakers and insulin pumps. Though there are no known cases, the Food and Drug Administration, which regulates these devices, isn’t waiting; the agency formed the Medical Device Cybersecurity Team to protect patient safety and help mitigate risks.