Healthcare Orgs Warned of Extended Post-Breach Downtime

It’s now common knowledge that successful cyberattacks result in severe consequences for organizations – financial loss, disruptive system downtime, and hefty reputational damage. However, in some industries, these consequences can be even more dire. For example, The Joint Commission, a leading authority in healthcare accreditation, recently advised hospitals to plan for at least a month of post-breach downtime following a cyberattack as part of its new cybersecurity management guidelines.

An Escalating Threat Landscape

In healthcare, a successful cyberattack can compromise patient data, interrupt critical care, and even jeopardize lives. The reliance on Internet of Medical Things (IoMT) devices and electronic health records makes healthcare systems particularly vulnerable. At the same time, patient data, which is inherently sensitive, is highly lucrative to criminals. Lastly, the healthcare industry is the sector most likely to pay up during a ransomware attack. This combination of factors makes healthcare organizations high-stakes targets for malicious actors.

As a result, hospital breaches have surged in recent years. For example, August 2023 saw an incredibly destructive ransomware attack on a 16-hospital system based in California. The onslaught caused ambulances to be diverted, outpatient services to close, and emergency departments to shutter. And the bigger picture is even more alarming – US healthcare organizations suffered an average of 1,410 weekly cyberattacks per organization in 2022, up 86% compared with 2021.

Post-Breach Downtime

Three to Four Weeks to Restore Critical Systems

Getting critical systems back online isn’t a quick fix; it’s often a lengthy process. The national adviser for cybersecurity and risk at the American Hospital Association estimates that restoring essential systems can take three to four weeks. And for noncritical systems? Expect an even longer recovery period.

The stakes are high; even a few staff members falling for a phishing scam can set off a chain of events with severe, far-reaching consequences.

In this context, a month-long downtime isn’t just an inconvenience. It’s a critical period where patient care may suffer, and lives could be at risk.

Why So Long?

Three to four weeks of system downtime is incredibly disruptive, especially in an industry with such high stakes. So why does it take so long to restore essential systems?

  • Complexity and Interconnectedness: Hospitals operate on intricate, interdependent networks that are challenging to untangle or repair. One compromised system can affect several others, making restoration a coordinated and complicated endeavor.
  • Forensic Analysis and Software Patching: Identifying the scope of the breach and fixing security vulnerabilities is a meticulous process. It involves not just a deep dive into what happened but also patching software flaws, which can be especially time-consuming if specialized or custom software is involved.
  • Hardware and Data Integrity: Cyberattacks can corrupt both hardware and data. Replacing or repairing hardware and verifying data integrity are labor-intensive and time-consuming tasks, often requiring specialized expertise.
  • Compliance and Legal Obligations: Restoring systems isn’t just a technical challenge; it’s a legal one. Hospitals must adhere to strict regulatory guidelines when handling breaches, including patient notifications and coordination with authorities, which divert resources and add time to the recovery process.
  • Patient Safety Concerns: The foremost priority is ensuring the restored systems are functional and safe for patient care. Rigorous testing is required before these systems can be put back into operation, adding an additional layer of time and caution to the process.

How Healthcare Organizations Fall Victim to Cyberattacks

Phishing

Phishing is a significant weak point. In these attacks, cybercriminals send seemingly legitimate emails that mimic trustworthy sources such as medical suppliers, governmental health agencies, or internal departments. These emails often contain malicious links or attachments. Once an employee clicks on one, they may inadvertently give the attacker access to sensitive data such as patient records, or hand over their login credentials.

Because healthcare workers are often under time pressure and may lack comprehensive cybersecurity training, they are more susceptible to falling for phishing scams. This makes it easier for attackers to penetrate otherwise secure networks.

Internet of Medical Things (IoMT)

IoMT devices like patient monitoring systems, MRI machines, and wearable fitness trackers expand the attack surface for cybercriminals.

Many IoMT devices lack robust built-in security measures, making them easy targets. Additionally, these devices are often overlooked during security audits and may not be included in regular network monitoring. As a result, attackers can exploit vulnerabilities in these medical devices to gain unauthorized access to healthcare systems, potentially manipulating device functionality and compromising patient safety. According to Cynerio’s State of Healthcare IoT Device Security 2022 report, 53% of connected devices are at risk of a cyberattack.

Ransomware Attacks

Ransomware attacks have seen a sharp rise in frequency and sophistication across all sectors, but they are particularly crippling for healthcare organizations. In these attacks, malicious software encrypts essential files and systems, rendering them inaccessible. Data recovery becomes an arduous task, often requiring specialized expertise and tools.

Cybercriminals often favor ransomware attacks over other types of cyberattacks when targeting healthcare institutions for several reasons. First, healthcare organizations manage sensitive and critical data essential for patient care, making them more likely to pay the ransom quickly. Second, the healthcare sector is generally focused on patient care rather than cybersecurity, creating potential vulnerabilities that make ransomware attacks easier to execute. When weighed against the cost and complexity of data recovery, especially during a time-sensitive medical emergency, paying the ransom often seems to be the lesser of two evils, perpetuating the cycle of attacks.

Final Thoughts

Healthcare organizations can’t afford to skimp on cybersecurity. The stakes are incredibly high, ranging from financial loss to endangering lives. Investing in robust cybersecurity measures is crucial to mitigate the risk of attacks and prevent the devastating, time-consuming aftermath of system downtime.