The health care industry, and hospitals in particular, is the number one target of ransomware attacks. By 2020, these attacks are expected to quadruple, according to CSO Online. In France alone, 478 cybersecurity incidents have been reported to the Agency for Shared Medical Information Systems (ASIP) since October 2017. We review the five most noteworthy examples of cyberattacks against the health care industry.
WannaCry: the ransomware that shook the NHS
In May 2017, the WannaCry cyberattack targeted the UK’s National Health Service (NHS). By exploiting a Windows vulnerability, the hackers managed to infect at least 16 health centres and 200,000 computers, which led to the cancellation of nearly 20,000 appointments and paralysed more than 1,200 pieces of diagnostic equipment.
Boston Children’s Hospital targeted by a DDoS attack
Three years earlier, a hacker launched a DDoS (Distributed Denial of Service) attack against Boston Children’s Hospital. The hospital, whose donations page was shut down by the attack, is estimated to have lost 300,000 dollars on repairs to its computer system.
Respirators and anaesthesia machines at risk of “medjacking”
Technology is increasingly common in health care institutions. This growing prevalence increases the risk of “medjacking”, or medical device hijacking, as demonstrated by the security flaw that researchers discovered in General Electric respirators and anaesthesia machines. This vulnerability, which the US Department of Homeland Security says is easily exploitable, has yet to be corrected by GE.
A phishing attack against a Montpellier medical centre
Phishing is the most widespread cyberthreat, according to the Corporate Cybersecurity Barometer published by the CESIN. An employee of the Montpellier university medical centre found this out the hard way in March 2019, when he opened an email containing a virus that went on to infect more than 600 computers. Fortunately, the hospital was using independent internal networks, which prevented the virus from spreading to all of its 6,000 machines.
Blue Cross pays the price for human error
While these malicious attacks are impressive, incidents can sometimes be the result of negligence or a lack of information. Such was the case in April 2018, when an employee of Independence Blue Cross, an American health insurer, accidentally posted a file containing the personal and medical information of nearly 17,000 patients online. It took the company two months to detect this human error.
These incidents are a reminder of the importance of educating employees—including health care professionals—on good cybersecurity practices.