Skip to content

ECSO Topic of the Month: Privacy and Data Security

Privacy and Data Security in Healthcare System

Healthcare is undeniably one of the industries that contribute to the economy of a country. According to Infoguard Cyber Security, healthcare is one of the most common sectors targeted by cyber-criminals. In fact, more than 1 in 3 health care organizations globally reported being hit by ransomware in 2020, according to a survey of IT professionals.

More than four-fifths (81%) of UK healthcare organizations suffered a ransomware attack in 2021, according to a new study by Obrela Security Industries. The survey of 100 cybersecurity managers in the health sector found that 38% of UK healthcare organizations have elected to pay a ransom demand to get their files back. However, 44% revealed they had refused to pay a demand but lost their healthcare data as a result.

The use of new digital technologies in healthcare has increased dramatically over the past decade to help deliver and access care. Meanwhile, cyber-attacks targeting healthcare have significantly increased. There is, however, a great deal of difficulty to strike a perfect balance between rapid technological developments and the risks they pose to users.

Traditional cybersecurity incident handling strategies differ from agile ones. In the traditional method, a framework was designed without taking into account an array of new technologies such as Internet of Things, fog and cloud computing.

 According to HIPAA Journal (2020), the most common causes of PHI[1]breaches are hacking, IT incidents, and unauthorized disclosures. As technologies advanced, the number of PHI breaches grew dramatically.

Researchers concluded that PHI is the most challenging asset to protect against cyberattacks due to the involvement of multiple parties in the use of these data, including medical practitioners and registrars, etc.

For hackers, PHI is valuable as they can sell it on the dark web, disclose it to the public, or simply make it inaccessible. Additionally, they may alter the data illegally. By 2025, breaches of PHI, hacking/IT incidents and unauthorized disclosure, were predicted to increase by 138.69% and 65.03%, respectively.

In the health sector, cyber security incidents can cause devastating effects on organizations and individuals, including threats to life. for example, patient death in Germany linked to ransomware. In September 2020, cybercriminals deployed ransomware against a German university affiliated with a hospital, disrupting its computer systems. An individual being transported to the hospital by ambulance was re-routed to another hospital 30 kilometers away and passed away in route. The actors reportedly ‘stopped’ the ransomware attack after learning they had disrupted the hospital and possibly caused a patient death.

As another example, In September 2020, Universal Health Services (UHS) reportedly suffered a ransomware attack. UHS is one of the largest US health care networks. The attack resulted in over 400 healthcare providers being unable to access their electronic healthcare records for a period of three weeks. Back-up processes were implemented during recovery efforts, including the use of paper-based documentation, and some non-critical appointments were delayed. In October 2020, the US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) released a public alert to provide warning to healthcare providers against an increased and imminent cybercrime threat to US hospitals and healthcare providers. The attack and subsequent alert highlights the significant impact ransomware can have on organizations and customers.

An even more severe impact on patients was observed when the global WannaCry attack hit the English National Health System (NHS) in May, 2017. Infected hospitals reported being locked out of their digital systems and medical devices such as magnetic resonance imaging (MRI) scanners, leading to substantially limited patient care. Shutdowns of hospital intranets and electronic patient records systems forced staff to revert to manual processes, cancel numerous outpatient appointments and to divert emergency ambulances. In May 2021, the Irish health system experienced its most widespread ransomware attack to date, where access to electronic systems and data was blocked, severely impacting critical services such as gynecology and maternity clinics as well as cancer and children’s care. A few days later, sensitive medical data of the insurance group AXA was stolen, mainly affecting operations in Asia.

In May 2021, a ransomware attack against the Irish Health Service Executive (HSE) disrupted Irish healthcare IT networks and hospitals for over 10 days, causing real-world consequences to patients and their families. Some stolen patient data was also published online. The HSE, which provides health and social care services in Ireland, shut down national and regional networks the same day to contain the incident. Malicious cyber activity was also detected on the Irish Department of Health (DoH) network however due to the deployment of tools during the investigation process an attempt to execute ransomware was detected and stopped. The attack also had an impact on Northern Ireland, affecting the ability to access data held by HSE for some cross-border patient services. Over the last decade, there has been significant growth in the literature on improving cybersecurity through the selection of appropriate countermeasures, but it has not addressed healthcare’s unique features and challenges. Unlike the vast majority of existing cybersecurity optimization models, need a model do not focus on minimizing financial losses or costs. As part of a publicly funded, centralized system like the NHS, hospital administrators place a high priority on patient safety rather than costs. It should pay particular attention to ensuring that the operation of a hospital remains functional and medical treatments continue uninterrupted.

[1] Protected Health Information