Hospitals are vulnerable to cyberattacks, but patients are unaware


After being targeted by a cyberattack on Thursday, Southern Ohio Medical Center, a not-for-profit hospital in Portsmouth, Ohio, has canceled appointments for today and is redirecting ambulances. It’s the latest in a string of growing attacks on healthcare institutions over the last two years, a trend that might have major ramifications for patient care.

According to a new analysis from cybersecurity firm Armis, while information technology experts are well aware that the risk of cyberattacks that expose patient data and shut down computer systems is on the rise, patients do not appear to be.

In fact, more than 60% of those polled in the new report indicated they had not heard of any cyberattacks in healthcare in the previous two years.

Despite the fact that cyberattacks on healthcare institutions are expected to double by 2020, high-profile cases such as the attack on hospital chain Universal Health Services, and a big threat from groups deploying the ransomware Ryuk, this is the case.

Experts were surprised by the scale of attacks during the COVID-19 outbreak, claiming that ransomware gangs were targeting hospitals more actively than they had previously. Unlike bank or school attacks, which are very common, these attacks have the potential to injure individuals directly.

Caleb Barlow, CEO of cybersecurity consulting firm CynergisTek, told The Verge last year, “It crosses a line that I think the entire cybersecurity community just didn’t think was going to be crossed anytime soon.”

The Armis report polled 400 healthcare IT professionals and nearly 2,000 members of the general public who could be patients at healthcare facilities around the country.

Despite the modest number of respondents polled, the results show that the general public is unaware of cyberattacks in the healthcare industry unless they have been personally impacted.

While 61 percent of potential patients surveyed had never heard of cyberattacks in healthcare in recent years, about a third of those asked indicated they had been a victim of one.

Assuming that the majority of persons who had been victims of a cyberattack had heard of one, just a tiny minority of survey respondents had heard of cyberattacks in healthcare without having been a victim.

“Attacks on hospital systems aren’t top of mind once they have a direct impact on you,” says Oscar Miranda, Armis’ chief technology officer for healthcare.

A mismatch between people’s understanding of healthcare cyberattacks and their level of worry about the subject was also highlighted in the report. Around half of those polled said they would move hospitals if a cyberattack occurred, and more than 70% said they believed attacks could have an impact on their care.

These fears are well-founded: healthcare institutions claim that ransomware causes delays in patient operations and can result in prolonged hospital stays.

According to a study conducted by the US Cybersecurity and Infrastructure Security Agency, hospitals coping with ransomware attacks during the COVID-19 outbreak reached a tipping point related with extra deaths faster than those that were not.

Healthcare institutions have traditionally not prioritized cybersecurity because many of them lack the financial resources to do so. However, recent rises in ransomware attacks on hospitals, combined with new studies demonstrating ties between cyberattacks and health outcomes, are pressuring organizations to make changes.

According to the Armis poll, three-quarters of IT specialists believe the constant flow of news about ransomware attacks has prompted a push for more cybersecurity spending.

“I do believe we’re making strides in finally actually addressing ransomware,” Miranda says.