Opinion | How Ransomware Puts Your Hospital at Risk
In March, several cybercrime groups rushed to reassure people that they wouldn’t target hospitals and
In March, several cybercrime groups rushed to reassure people that they wouldn’t target hospitals and other health care facilities during the Covid-19 pandemic. The operators of several prominent strains of ransomware all announced they would not target hospitals, and some of them even promised to decrypt the data of health care organizations for free if one was accidentally infected by their malware. But any cybersecurity strategy that relies on the moral compunctions of criminals is doomed to fail, particularly when it comes to protecting the notoriously vulnerable computer systems of hospitals.
So it’s no surprise that Universal Health Services was hit by ransomware late last month, affecting many of its more than 400 health care facilities across the United States and Britain. Or that clinical trials for a Covid-19 vaccine have been held up by a similar ransomware attack disclosed in early October. Or that loose-knit coalitions of volunteers all over the world are working around the clock to try to protect the computer systems of hospitals that are already straining under the demands of providing patient care during a global pandemic.
In the midst of the Covid-19 pandemic, the potential consequences of these cyberattacks are terrifying. Hospitals that have lost access to their databases or had their networks infected by ransomware may not be able to admit patients in need of care or may take longer to provide those patients with the treatment they need, if they switch to relying on paper records. Clinical trials for potentially life-saving pharmaceuticals could be delayed by weeks or months, depending on how long it takes to restore the affected data and systems. Cybersecurity has never been more vitally important for hospitals than it is right now.
Even before the pandemic, hospitals were an increasingly popular target for ransomware and other types of cyberattacks, because they need to be able to operate constantly, providing patient care 24 hours a day. Any interruption to their networks must be resolved as quickly as possible, making them ideal targets for ransomware, in which attackers promise to restore their systems immediately in exchange for cryptocurrency payments.
Cyberattacks can even prove fatal: Last month, a woman in Germany in a life-threatening condition died when a Düsseldorf hospital was unable to admit her because it was experiencing a ransomware attack and instead had to send her to a hospital 20 miles away. It was the first death that has been directly tied to a cyberattack and the timing was a reminder of how health care networks are especially vulnerable at a moment when many health centers are already struggling to keep up with the demands on their personnel and resources.
Unfortunately, cybersecurity has never been a strong point for the health care sector. Hospital networks are notoriously insecure due to a combination of inadequate resources, a lack of clear and effective cybersecurity guidelines and the large number of people and systems involved in operating a hospital, all of whom need some degree of access to its network. Additionally, hospitals rely on specialized medical equipment, such as ventilators and M.R.I. machines. That means that every time there’s a security patch or update for software that is running on a hospital’s computers, the hospital first needs to make sure that update won’t interfere with its ability to connect to those other, older machines, before installing it.
Updating specialized medical equipment to be compatible with more secure software is often a slow or prohibitively expensive undertaking, especially if it requires purchasing new machines. But recent attacks show that the consequences of relying on old software can be even more devastating financially: When Britain’s National Health Service was hit by the WannaCry ransomware in 2017, the malware took advantage of a vulnerability the out-of-date operating system that many N.H.S. computers were still running. The N.H.S. estimated that WannaCry cost them 92 million British pounds, or about $118 million, in direct I.T. costs and lost output.
Every hospital and clinic should be re-evaluating their computer networks right now and ramping up the protections they have in place to prevent their services from being interrupted by malware or their sensitive patient data from being stolen. This will be a significant challenge at a moment when many hospitals are struggling financially because so few people are opting to have elective medical procedures.
But cybersecurity shortcomings in the health care sector need to be addressed now, more than ever, when medical care is increasingly being offered via remote, online formats and many hospital intensive care units are already at capacity, with little ability to send patients to other facilities in the event that their networks are shut down. Lawmakers, too, should be thinking about how to support the health care sector in these endeavors by providing funds to public hospitals for this purpose and developing clear security standards and requirements, so that hospitals have strong incentives to make much-needed improvements and are able to do so.
This will be a vital component of learning from this pandemic about all the ways we must do a better job of supporting our hospitals and health care workers in the future: making sure not just that they have the necessary equipment and facilities and human capital, but also that they have secure computer systems they can rely on in moments of crisis.
The Times is committed to publishing a diversity of letters to the editor. We’d like to hear what you think about this or any of our articles. Here are some tips. And here’s our email: [email protected].
Follow The New York Times Opinion section on Facebook, Twitter (@NYTopinion) and Instagram.