Southern Ohio Medical Center, a not-for-profit hospital in Portsmouth, Ohio, canceled appointments for today and is diverting ambulances after it was hit by a cyberattack on Thursday. It’s part of a series of escalating attacks on healthcare organizations in the past two years — a trend that could have serious consequences for patient care.
But while information technology experts are well aware that the risk of cyberattacks that compromise patient data and shut down computer systems is on the rise, patients don’t seem to be, according to a new report by cybersecurity company Armis. In fact, over 60 percent of people in the general public surveyed in the new report said they hadn’t heard of any cyberattacks in healthcare in the past two years.
That’s despite a doubling of cyberattacks on healthcare institutions in 2020, high-profile incidents like the attack on hospital chain Universal Health Services, and a major threat from groups using the ransomware Ryuk. The magnitude of attacks during the COVID-19 pandemic shocked experts, who said that ransomware gangs were targeting hospitals more aggressively than they had before. Unlike attacks on banks or schools, which are also common, these attacks have the potential to directly injure people.
“It crosses a line that I think the entire cybersecurity community just didn’t think was going to get crossed anytime soon,” Caleb Barlow, CEO of cybersecurity consulting firm CynergisTek, told The Verge last year.
The Armis report surveyed 400 IT professionals in healthcare and over 2,000 people in the general public who could potentially be patients at healthcare institutions around the United States. Though the number of people surveyed is small, the findings indicate that members of the public generally aren’t aware of cyberattacks in the healthcare industry unless they have been impacted directly by one.
While 61 percent of potential patients surveyed hadn’t heard of cyberattacks in healthcare in recent years, around a third of respondents said that they’d been the victim of a cyberattack in the health system. Assuming most people in the group that had been victims of a cyberattack had heard of one, only a small percentage of survey respondents had heard of attacks in healthcare without being the victim of one.
“Attacks on hospital systems really aren’t top of mind until they impact you directly,” says Oscar Miranda, chief technology officer for healthcare at Armis.
The report also zeroed in on a gap between people’s awareness of healthcare cyberattacks and their level of concern about the problem. Around half of people surveyed said that they would switch hospitals if there was a cyberattack, and over 70 percent said they thought attacks could have consequences for their care.
Those concerns are warranted: healthcare organizations say that ransomware delays procedures for patients and can lead to longer hospital stays. An analysis from the United States’ Cybersecurity and Infrastructure Security Agency also showed that hospitals battling ransomware attacks during the COVID-19 pandemic reached a tipping point associated with excess deaths more quickly than hospitals not dealing with one.
Cybersecurity has historically not been a priority for healthcare organizations, many of which don’t have the resources to invest in that area. But the spikes in ransomware attacks on hospitals in the past two years, coupled with the new research showing links between cyberattacks and health outcomes, are pushing groups to make changes. In the Armis survey, three-quarters of IT experts said the steady pulse of news about ransomware attacks has led to a push for more investment in cybersecurity.
“I do believe we’re making strides in finally actually addressing ransomware,” Miranda says.