
Rise in Hospital Ransomware Attacks Requires Government Intervention

By Jenna Becker

Last week, widespread ransomware attacks against hospital systems forced several hospitals to go offline. 

Despite the growing risk of cyberattacks against hospitals, the health care industry has been left to address this issue on its own. Ransomware attacks, named for the fee that these malicious programs attempt to extract, can be very challenging to address and involve complex cybersecurity protocols.

Unfortunately, many hospitals lack the resources and the time required to prevent this malware from spreading. The government has provided minimal resources to hospital systems looking to enhance their cybersecurity. Resource-strapped hospitals require significant government support to address the growing threat of ransomware.

Why hospitals are targets of ransomware attacks

There are a couple of reasons why hospitals are such a frequent target of ransomware attacks. First, hospital networks are riddled with vulnerabilities. A single hospital may have thousands of devices connected to its network. Not all of those devices are secure. Maybe a hospital has a few medical devices running old Windows operating systems. Maybe a number of devices require security updates, but the hospital does not have the resources to perform the updates. It can be incredibly challenging, and even cost-prohibitive, to ensure that every device connected to the network is fully secure.

On top of vulnerable networks, hackers are often able to extract ransoms from health care organizations for resumed system access. Hospitals depend on network access for a host of critical activities, like accessing medical records and updating patient data. Hospitals without access to this information often cannot function normally. These hospitals may divert incoming patients, delaying patient care. This September, a patient in critical condition was diverted from a hospital in Dusseldorf undergoing a ransomware attack. This delayed her care by an hour, leading to her death. To avoid such catastrophic outcomes, hospitals are incentivized to pay ransoms.

Agency recommendations

Federal agencies have provided guidance to health care organizations facing ransomware attacks. But these recommendations can require significant resources or technological know-how. And even following best practices may not fully protect a hospital system. 

For example, these agencies recommend that hospitals store data backups. Some hospitals do maintain complete data backups, despite the expense involved with storing this data and maintaining backup servers. But data copies may be insufficient to bring hospitals back up to normal operations in a timely manner. Restoring data can take a significant amount of time. As noted above, hospitals do not have the luxury of time when caring for patients. And even if a backup is immediately available, hospitals cannot use their backup system until their network is secure.

Regardless of the sufficiency of these standards, best practices alone are not preventing ransomware attacks from taking down hospital networks. This issue instead requires direct support to hospitals.

Government support

The government should intervene to help protect our health care system from ransomware attacks. Hospitals may lack the resources and technological expertise required to address this escalating problem on their own. It is insufficient for an agency to provide a list of best practices and leave hospitals to fend for themselves.

The government can use a number of methods to address vulnerabilities. Curtis Simpson, a commentator for The Hill, proposed a number of reforms that could help improve the integrity of devices connected to hospital networks. These include regulatory requirements for improved security, along with standardized device updating procedures.

Mieke Eoyang, a security expert, recently suggested that the U.S. needs to consistently issue indictments for these cyberattacks. Even if foreign nations do not support extradition, she notes that indictments could pressure foreign governments to address hospital hacking.

Finally, with many hospitals financially struggling in the wake of COVID-19, the government could provide financial support to health care organizations looking to beef up their cybersecurity.

Preventing ransomware attacks against hospitals is a complex cybersecurity issue. But our current approach — laying the onus solely on hospital systems — is clearly failing. Addressing hospital ransomware attacks will require government support.

Jenna Becker

Jenna Becker is a 2L at Harvard Law School with a background in healthcare software.
