Why Hospitals Are Being Increasingly Targeted by Cyberattacks

Acacia Hernandez | August 15, 2023 7:43 pm

Hacking is a growing concern for hospitals and health institutions.

Cyberattacks on hospitals and health systems more than doubled from 2016 to 2021, a ccording to a JAMA report.

Thanks to our sponsors:

View all sponsors

More recently, 2,000 Lurie Children’s Surgical Foundation patients saw their social security numbers leaked to a still-unknown party, along with their names, dates of birth and addresses.

“People at least presume that there’s a lot of money in hospitals. … It’s an easy target,” said Robert Wagner, chief information security officer with ISSA’s Chicago chapter and co-founder of Hak4Kidz. “Right now, hospitals have been focused mostly on patient safety, not cyber security, so when it comes to systems like these, they haven’t even really thought of themselves as being a target for attacks.”

But realistically from a criminal’s point of view, he said, hospitals are the most likely to pay — and they’ll pay fast.

“They’ve got lives on the line,” Wagner said. “No hospital wants to put their patients’ safety at risk so they’re going to be more likely to pay it than a financial institution.”

In a 2022 report, the FBI called health care the No. 1 critical infrastructure attack target in the country.

“What they’re looking for is patient data, and that can be social security numbers, financial information, patient health records as well,” said Patrick Dolan, security software specialist at LRS IT Solutions. “Really anything that can be used for either setting up some sort of hack and hopefully having a hospital pay a ransom of whatever amount it may be, or using that information and selling it on the dark web.”

There have been some scenarios when an attack shut down hospital systems. A baby in 2019 died because staff wasn’t able to monitor the health vitals of that baby during birth.

To prevent these attacks, Dolan said it’s important to have the basics of cybersecurity down.

“That can include things like having an up-to-date incident response plan, understanding within the organization who has access to your data and what they’re using it for, understanding where that sensitive data is, and doing things around protecting endpoints as well,” Dolan said.