The healthcare industry is no stranger to cybersecurity risk concerns. In the last few years, the world has witnessed several instances of cybersecurity threats and interferences, from cyberattacks on customer accounts containing prescription information, to ransomware attacks on patient records systems and health payment processing companies, and exploitation of vulnerabilities in DNA sequencing instruments. Since 2010, cyberattacks in healthcare have exposed 385 million patient records and cost an average of almost $11 million per event.
The most common types of cybersecurity threats include:
- Ransomware and malware attacks, which can disable hospitals’ medical devices and critical infrastructure (including interrupting or halting procedures, putting people’s lives and well-being at risk), upend payment processing systems, and/or leak patients’ personal data;
- Cybersecurity breaches of hospital networks, core systems, and remote operation of devices (including telehealth), which also present potential physical threats (including loss of power); and
- Unpatched and out-of-date software in medical devices. Many medical devices require timely updates to their embedded software. Patches and updates can be delayed or missed for a variety of reasons, and an unpatched vulnerability can give threat actors unauthorized access to the device and to the network it is connected to, from which patient data can be stolen.
RECENT HEALTHCARE CYBERATTACKS
Three recent cyberattacks within the healthcare industry have resulted in massive fallout for doctors and patients, serving as a reminder that the healthcare industry is a prime target for cybercriminals. In February 2024, Change Healthcare, a subsidiary of UnitedHealth and the US’s largest processor of medical claims, suffered a ransomware attack that took its systems offline. The incident, widely regarded as the most significant cybersecurity attack in the history of the American healthcare industry, purportedly exposed the personal data of up to a third of Americans and disrupted billions of dollars in patient payments. The attack also froze Change Healthcare’s pharmacy systems across the US, leading to delayed deliveries of prescription drugs nationwide. While testifying before Congress in early May 2024 about the data breach, UnitedHealth CEO Andrew Witty admitted to paying $22 million in ransom to the hackers. The Office of Civil Rights has launched an investigation into whether Change Healthcare and UnitedHealth violated HIPAA regulations.
In April 2024, Kaiser Permanente disclosed a data breach impacting approximately 13.4 million individuals. The breach reportedly resulted from the improper implementation of tracking codes on the company’s digital platforms, which inadvertently shared patient data with third-party advertisers. The compromised information included sensitive details such as patients’ names, IP addresses, and specific interactions with Kaiser’s online services. Subsequently, a class-action lawsuit was filed against Kaiser Permanente, alleging that the organization disclosed patients’ personal information to third parties without consent, violating state wiretapping and consumer-protection laws. As of now, no government investigation has been announced regarding this breach.
On May 9, 2024, Ascension, one of the largest healthcare systems in the US, revealed that a cyberattack had forced patient record systems to go offline. The attack disabled a variety of other electronic services as well, resulting in hospitals reverting to charting patient care on paper. On June 14, 2024, Ascension reported that it restored its electronic health records across the system. Multiple class-action lawsuits have been filed, alleging that Ascension’s negligence led to the compromise of personal identifying information and protected health information.
The Change Healthcare, Kaiser Permanente, and Ascension incidents highlight the importance of improving the healthcare industry’s defense posture in order to protect sensitive patient health information and prevent the disruption of hospital operations. As cybercriminals across the globe continue to target healthcare organizations, the healthcare industry should prioritize the development and implementation of tactical strategies to prepare for and mitigate damages arising from such attacks. Such strategies should include adherence to the latest government-enforced cybersecurity standards and increased collaboration with other entities operating in the space to address shared vulnerabilities.
U.S. GUIDANCE FOR CYBERSECURITY RISK MINIMIZATION
Healthcare providers and device manufacturers can take a variety of steps to better manage the cybersecurity risks present in the healthcare industry. The Department of Health and Human Services (HHS) has published voluntary healthcare-specific Cybersecurity Performance Goals (CPGs) to bolster critical healthcare infrastructure and protect against cyber threats. Moreover, in 2022, FDA published Draft Cybersecurity Guidance for Medical Devices, proposing guidelines for manufacturers to minimize cybersecurity risks. The intent of the FDA guidance is to encourage stakeholders to emphasize transparency and security throughout the development of devices. The FBI has also published recommendations targeted at unpatched and outdated medical devices that complement those set out by FDA. These materials set market standards for basic measures that can be taken to protect against cyber threats. The companies to which they apply would do well to review these recommendations and consider how feasibly they can be implemented within their own environments. Some states, such as California and Oregon, have passed laws establishing baseline cybersecurity requirements for healthcare providers. As technology progresses, we expect cybersecurity laws, rules, regulations, and guidance to continue to evolve.
RISK MANAGEMENT
Companies are exploring novel solutions to mitigate risk, including by using innovative technology such as blockchain and digital twins. Blockchain creates a secure and permanent transaction trail, so any time data is accessed or moved, that action can be traced. Blockchain also decentralizes the storage of data, reducing the cybersecurity risks associated with the management of a central system. Digital twins are virtual copies of medical devices, patients, or environments that can help predict reactions, developments, and other unknown factors in healthcare by mimicking both physical properties and operational algorithms. Digital twins help with efficient lifecycle management of medical devices and increase transparency during the development of cybersecurity programs.
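The tamper-evident trail described above rests on a simple building block: each log entry carries the hash of the entry before it, so altering any past record breaks every link that follows. The example below is an added illustration, not code from the original article or from any blockchain product; it models an access log for patient records as a hash chain over constructed sample events, and shows both what a verifier detects and the one case a lone chain cannot catch on its own (rewriting the newest entry and recomputing its hash), which is why the chain head must be held somewhere the log writer does not control, such as the replicated ledger a blockchain provides. The event records, the `action` field, and the function names are all assumptions made for this example.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional

# Sentinel "previous hash" for the first entry of a chain.
GENESIS_HASH = "0" * 64

# Constructed sample access events; in practice these would come from
# the records system's audit feed. Field names are assumptions.
SAMPLE_ACCESS_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-05-09T08:00:00Z", "user": "nurse01", "patient": "P-1001", "action": "read"},
    {"ts": "2024-05-09T08:05:00Z", "user": "admin7", "patient": "P-1001", "action": "export"},
    {"ts": "2024-05-09T08:07:00Z", "user": "dr_lee", "patient": "P-2002", "action": "update"},
]


def entry_hash(prev_hash: str, record: Dict[str, str]) -> str:
    """Hash of (previous hash, record) with a canonical JSON encoding so that
    key order cannot change the digest."""
    payload = json.dumps({"prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(chain: List[Dict], record: Dict[str, str]) -> Dict:
    """Append a record, linking it to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first inconsistent entry, or None if the chain
    is intact. If expected_head (a head hash stored out of band) is given and
    does not match the final entry, len(chain) is returned."""
    prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(entry["prev"], entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for rec in SAMPLE_ACCESS_EVENTS:
        append_entry(chain, rec)
    return chain


def detect_tampering(chain: List[Dict], index: int, new_action: str,
                     rehash: bool = False, expected_head: Optional[str] = None) -> Optional[int]:
    """Simulate someone rewriting the 'action' of a past entry on a copy of the
    chain and report what verify_chain finds. With rehash=True the tamperer
    also recomputes that entry's own hash, so detection relies on the next
    entry's back-link, or on the out-of-band head hash if it was the last."""
    tampered = copy.deepcopy(chain)
    tampered[index]["record"]["action"] = new_action
    if rehash:
        tampered[index]["hash"] = entry_hash(tampered[index]["prev"], tampered[index]["record"])
    return verify_chain(tampered, expected_head)


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]
    print("intact chain ->", verify_chain(chain))                     # None
    print("edit entry 1 ->", detect_tampering(chain, 1, "read"))      # 1
    print("edit+rehash entry 1 ->", detect_tampering(chain, 1, "read", rehash=True))  # 2
    print("edit+rehash last, no anchor ->", detect_tampering(chain, 2, "read", rehash=True))  # None
    print("edit+rehash last, anchored ->",
          detect_tampering(chain, 2, "read", rehash=True, expected_head=head))  # 3
```

The last two calls are the point of the example: a hash chain stored in one place proves nothing about its own newest entry, because whoever controls the storage can rewrite it and its hash together. Publishing or replicating the head hash (to other parties, or to a ledger that no single operator controls) is what turns the chain into the traceable trail the paragraph describes.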
Nonetheless, it is important to note that these novel solutions come with their own set of cybersecurity concerns. For example, digital twins depend on layered technologies to obtain their data, and each layer can add entry points for a breach: Internet of Things (IoT) sensors, which monitor factors such as bed availability, machine performance, and the temperature of volatile resources; edge computing, which decentralizes data processing; and AI.
CONCLUSION
The recent cyberattacks in the healthcare sector underscore the need for the industry to adopt proactive cybersecurity measures and implement robust safeguards. In addition to close adherence to government-enforced cybersecurity standards, continued coordination among industry stakeholders is likely needed to identify and address cybersecurity challenges and ensure that cybercriminals cannot continue to take advantage of vulnerabilities in this space. Navigating cybersecurity risks in these ways will foster greater transparency among all stakeholders involved and ultimately, increase patients’ trust and confidence in the healthcare sector.