Imagine waiting months for life-saving surgery, only to have it suddenly canceled — and not due to a miraculous recovery, but because unidentified hackers breached your healthcare provider’s cybersecurity defenses.
This was the fate patients at several major hospitals in London woke up to on 4th June, when Synnovis, a private-public partnership which processes pathology tests for a number of British hospitals, was hacked by a group with alleged links to Russia.
Patients in the United States faced a similar situation when, in March of this year, a cyberattack paralyzed the largest US healthcare payment system, leaving healthcare providers, ranging from large hospital networks to small local clinics, on the brink of bankruptcy.
And these are by no means isolated incidents. In July 2023, the European Union Agency for Cybersecurity, reacting to the spate of cyberattacks on healthcare providers since the Covid-19 pandemic, published its first-ever report on the phenomenon. Its findings were alarming: while 10% of healthcare cyberattacks were ideologically motivated, 83% were motivated by financial gain. And a staggering 22% of attacks resulted in disruption to the delivery of healthcare services to patients.
We are now entering an age where healthcare providers have become one of the main targets for cyber attackers seeking to weaponize the vast troves of personal data these institutions now hold.
So, how have we reached a point where healthcare, arguably our most important public service, has become so vulnerable to cyberattacks? And more importantly, what can we do about it?
To understand this, we must return to the early 2010s, when the big data revolution was still in its relative infancy. Back then, the majority of cyberattacks on healthcare aimed to gain access to personally identifiable information (PII) and protected health information (PHI), which cybercriminals could monetize by committing insurance fraud or similar crimes. A good example of this type of attack was the 2014 Anthem breach, when hackers compromised 78.8 million patient records by attacking one of the largest health insurance companies in the US.
But in 2017, a “paradigm shift,” in the words of a WHO report, took place when the WannaCry ransomware — this time attributed to North Korea — targeted an estimated 300,000 computers globally, scoring a number of high-profile victims including the UK’s National Health Service.
Hackers had now realized that data held on at-risk computers could be encrypted, withholding access from its original owner, only to be returned upon payment of a ransom. Healthcare providers, who store large quantities of clinical data critical to their operation, are particularly vulnerable to such extortion. In 2021, for example, the FBI reported that over 148 healthcare organizations in the US had been affected by ransomware attacks.
It is clear to any observer that healthcare has benefited enormously from the digital revolution. Digital technology can allow healthcare practitioners to communicate more efficiently with one another or improve documentation across complex healthcare systems. “Smart” medical devices, such as pacemakers or insulin pumps, are now increasingly connected to the internet, providing a higher quality of treatment.
Some of the most exciting developments come from artificial intelligence (AI), which promises to revolutionize healthcare alongside several other industries. AI can transcribe doctor-patient consultations, saving doctors valuable time, or help patients find available physicians with greater efficiency. It can be used in diagnosis, with studies showing that AI can identify breast cancer or blood disease faster than human experts. And AI can even be used in drug discovery, helping to overcome the prohibitively high research costs the biotech industry often faces.
Yet the increased reliance on digital solutions in healthcare has left us vulnerable to harmful actors, who are now able to target both patient data and medical devices that rely on the internet for operation. Meanwhile AI, the technology that promises a revolution in healthcare, can also turbocharge distributed denial-of-service (DDoS) attacks, overwhelming an organization’s defenses to disable digital services.
Technology, it would seem, is a double-edged sword.
But there are certainly measures we can take to blunt one of those edges. And as we have seen countless times over the course of human history, where technology creates a problem, it also provides a solution.
Blockchain, for example, promises a highly secure solution to the problem of patient data breaches. Blockchain functions by distributing data across a large network of participants, or “nodes,” reducing the risk of hacking to nearly zero. Blockchain is most famously employed by cryptocurrencies, securely storing transaction data for users around the world, and has been mooted by some of the world’s largest banks as a fast and secure solution for financial settlements.
AI, meanwhile, is as much a weapon in the hands of a defender as it is in those of an attacker. AI is already being used to analyze normal activity and identify malicious attackers, proactively detecting threats and issuing immediate responses. Even more impressively, AI can be employed in predictive analysis, forecasting an organization’s cyber vulnerabilities and recommending actions to address them.
Technology has drastically improved outcomes in healthcare, and as we stand at the beginning of the AI revolution, it is exciting to imagine the life-saving breakthroughs AI and other technologies may enable us to find. But the use of sophisticated technologies in healthcare requires an equally responsible attitude to their defense – it’s time we placed cybersecurity at the center of our public health debate.