Healthcare systems worldwide have increasingly turned to digital solutions to bolster clinical quality and cost-efficiency. The rapid adoption of technologies like electronic health records (EHRs), telemedicine, and Internet of Things (IoT) devices has streamlined operations, yet it has also expanded the attack surface for cybercriminals. With sensitive patient information at stake and security measures often inadequate, healthcare infrastructure has become a prime target for cyber threats.
The growing threat landscape
The healthcare sector faced one of its most significant and devastating attacks in May 2021, when the Conti Ransomware Gang breached the Irish Health Service Executive (HSE). This breach occurred when an unsuspecting end-user opened a phishing email, unwittingly downloading malware that provided access to the network. Once activated, the Conti ransomware had a profound national impact. Approximately 80 per cent of the system's data was encrypted, resulting in the national diagnostic imaging platform becoming inaccessible and the suspension of radiotherapy services in five major centres. The loss of access to patient details, appointments, and medical records forced over 50 per cent of acute hospitals to postpone outpatient appointments and elective clinical investigations and interventions. Consequently, many organisations had clinical staff resort to paper-based processes to maintain essential clinical services.
“Healthcare tends to be targeted more frequently because it is a critical piece of infrastructure. Disruptions could have life-threatening consequences,” says Richard Hummel, Senior Threat Intelligence Manager at cybersecurity solutions firm, Netscout. ”Threat actors rely on this urgency, knowing healthcare administrators are more likely to pay ransoms to restore critical services than other industries.”
More recently, in June 2023, St. Margaret’s Hospital, a small rural hospital in Illinois, closed its doors permanently in the aftermath of a 2021 ransomware attack. While cybercriminals have targeted hospitals of all sizes, analysts note that certain ransomware groups focus on smaller hospitals because of their weaker defences. Exacerbating the issue, health systems are grappling with a shortage of skilled cybersecurity professionals. According to a 2022 survey, 61 per cent of healthcare professionals cite the lack of tech staff as the number one barrier to achieving a robust cybersecurity program.
“Cybercrime in all its forms is evolving and growing. The COVID-19 pandemic made this visible,” says Glen Prichard, Chief of Cybercrime and Anti-Money Laundering section at the United Nations Office on Drugs and Crime (UNODC). This highlights how vulnerable patient safety is to cyberattacks, “and how much work we all have ahead to secure lives,” he adds.
The global impact of cybersecurity threats
“Institutions are being targeted by a variety of cybersecurity threats: ransomware, supply chain attacks, and social engineering are all up,” Netscout’s Hummel adds. “Additionally, hacktivists involved in geopolitical issues are leveraging DDoS attacks to put pressure on critical national infrastructure, like the healthcare industry, to create chaos and force political change. We have seen a 14 per cent increase in healthcare targeting.”
The healthcare industry reported the most expensive data breaches in 2023, averaging US$10.93 million per incident, nearly double the cost in the financial sector. Safeguarding these digital assets is paramount to preserving the confidentiality, integrity, and availability of patient information. The interconnected nature of modern healthcare systems means that a breach in one area can compromise the entire infrastructure, posing direct risks to patient safety. To maintain operational continuity and prevent cascading failures, bolstering cyber resilience is imperative.
Cybersecurity investment in healthcare often trails behind other industries. IBM’s 2023 Cost of a Data Breach report indicates that the healthcare sector allocates only six to 10 per cent of its overall IT budget to cybersecurity. Despite the escalating costs associated with data breaches, only 51 per cent of surveyed industries anticipate increasing cybersecurity spending after a breach, highlighting a concerning trend.
Healthcare organisations with incident response (IR) and testing teams in place experienced an average cost savings of US$2 million compared to those without such resources, according to IBM. Organisations that leverage artificial intelligence (AI) and automation in cyber threat reduction achieved substantial cost savings of US$850,000 compared to the global average breach cost.
The Middle East in focus
Cybersecurity incidents in the Middle East have surged to a record average cost of US$8.07 million per data breach, a notable increase from US$7.46 million in 2022. This figure stands significantly higher than the global average of US$4.45 million per incident, positioning the Middle East as the second-highest region for data breach costs, trailing only behind the USA.
According to Sameer Chauhan, Director of the United Nations International Computing Centre (UNICC), these attacks are a wake-up call for the entire industry. “As the primary provider of shared cybersecurity services to the UN system, UNICC stands on the frontlines protecting our UN family against sophisticated cyber-attacks," he says. He suggests bolstering cybersecurity in the healthcare sector by leveraging shared cybersecurity capabilities, "similar to UNICC's shared threat intelligence and cybersecurity resources for the UN system. We stand ready and eager to guide them in this regard.”
Several nations in the Middle East, including the UAE, Bahrain, and Qatar, have implemented updates to their Data Protection Laws to enforce stricter security measures on user data. Additionally, the UAE Central Bank has recently established a Networking and Cyber Security Operations Centre to address escalating vulnerabilities and security threats. Similarly, the Saudi Central Bank has issued a comprehensive cybersecurity framework aimed at guiding risk management, protection, compliance, and other aspects for financial institutions.
Risks associated with medical devices
The emergence of smart and interconnected medical devices represents a groundbreaking transformation in healthcare, offering benefits like real-time health monitoring, personalised treatment options, and enhanced medical accessibility. However, this heightened connectivity also amplifies the risk of cyber threats, underscoring the need for robust protection measures to safeguard critical healthcare services. Moreover, it poses potential risks to patient privacy, data integrity, and patient safety.
Recognising these challenges, the US Food and Drug Administration (FDA) issued guidelines in September 2023 for the cybersecurity of medical devices, stressing the importance of implementing robust security measures from the initial design phase to deployment.
"The health sector is known to be highly targeted by malicious actors. We are witnessing a relentless series of reported incidents that have caused significant disruption,” says Miri Ofir, R&D Director at Check Point Software Technologies. “Medical vendors and manufacturers must protect their devices, ensuring the protection of patient data and safety.” She recommends advanced technology solutions that shield against diverse cyber threats, such as access control breaches and memory corruption, without compromising device performance. It continuously monitors device activities to promptly identify and mitigate threats, preserving the privacy of health information and the integrity of medical devices.
Cyberattacks on healthcare systems can directly impact patient safety, as seen in instances where hospitals were unable to deliver timely care due to compromised IT systems. Addressing these vulnerabilities is essential for protecting both digital assets and human lives.
