Cyberattacks on Healthcare

The advent and development of information and communication technology (ICT) and the internet of things (IoT) have remarkably impacted society in various areas, including healthcare. In healthcare, information communication technologies have had the potential to increase access to services, improve the organization of patient information as well as save, enhance, and extend lives (Coventry and Branley 48). Over the past decade, patients have increasingly used their smartphone applications for care coordination and collaborative disease management as such devices can be integrated into telehealth through medical IoT. As healthcare technologies continue evolving, so does their interconnectivity. While healthcare devices have been traditionally standalone, the majority of them are now largely integrated into the healthcare provider network. In the United States, the number of interconnected devices in each hospital bed ranges from 10 to 15 (Coventry and Branley 48). Interconnection has various benefits, such as efficiency, remote monitoring, automation, and error reduction. Such benefits have transformed the treatment of all levels of health patient conditions, including chronic and acute conditions.

Unfortunately, interconnectivity has made healthcare systems more vulnerable to cyberattacks. Cybersecurity focuses on safeguarding computer networks, as well as the hosted data from access and distortion, either accidentally or maliciously. There are concerns that cybersecurity in healthcare is insufficient, leading to a lack of both data integrity and confidentiality of medical information (Coventry and Branley 48). Although privacy issues were a concern in paper-based records, the interconnection of today's health information provides various gateways to access valuable health records remotely and even go unnoticed. The aim of this research paper is to investigate the points of largest vulnerability within healthcare systems and suggest recommendations to address the problem.

Description of the Problem

Cybersecurity attacks against hospitals and other healthcare facilities have always been common as malicious individuals can penetrate health information systems (HIS), medical devices, and equipment to access sensitive data such as patients’ personal information due to various motives. For example, cybercriminals can block access to data in a HIS or threaten to publish it unless a ransom is paid, preventing the organization from resuming normal activity as well as compromising patients’ personal information. Other individuals could target healthcare with cyberattacks for political reasons. Healthcare systems have always had a clear vulnerability due to political and financial incentives. The incentives have risen as due to the COVID-19 pandemic. Specifically, any healthcare system contains valuable or sensitive data and has the responsibility of operating as usual even in the event of a cyberattack, making it an easy target of ransomware attacks (Bevers para.3). Also, the healthcare system is particularly vulnerable to hackers because of the critical services it delivers to the public. Yet, the primary motive driving cybercriminals to attack digital systems in the healthcare sector is weak cybersecurity.

Since the start of the Covid-19 pandemic, malicious actors have taken advantage of the crippling and overwhelmed healthcare systems as the number of cyberattacks has significantly increased worldwide during this time. These attacks are not only harmful to healthcare operations but also financially. Recent data on healthcare cybersecurity in the United States shows that the vulnerability of healthcare systems is an issue of concern. According to the United States Department of Health and Human Services (HHS) (4), the US healthcare system experienced 239.4 million cyberattack attempts in 2020, representing an average of 816 attempts for each healthcare endpoint. Besides, in 2020, the number of attempted cybersecurity attacks increased by 9851% from 2019 (HHS 4). Also, approximately one million health records were breached every month in 2020 (HHS 4). The trend can be attributed to the weakening of US healthcare by the COVID-19 pandemic.

The issue of cybersecurity in US healthcare systems has not been new even before the pandemic. In 2018, notable cases of data breaches included the attack on Unity Health Point, Life Bridge Health, and Accudoc Solutions, which exposed data for 1.4 million, 500000, and 2.64 million patients, respectively (Davis para.8). During the same year, in August, Augusta University Health notified stakeholders of cyberattacks that breached its systems in 2016 and 2017 (Davis para.10). Although IT officials disabled the infected accounts, the phishing attack successfully obtained data of 417 000 patients (Davis para.10 Such data show the need to address the cybersecurity problem for healthcare system stakeholders.

Project Narrative

The purpose of this research paper is to identify the points of the largest vulnerability within healthcare systems. Following the identification, it is expected that awareness of these points by relevant stakeholders would improve the implementation of cybersecurity measures, consequently reducing the number of cyberattacks in US hospitals and lessening their impact. Due to limited resources, organizations cannot implement all available measures to protect their systems from malicious individuals. Therefore, identifying areas of largest vulnerability in HIS can be crucial in informing the leadership of healthcare organizations, billing claims vendors, payors, among other stakeholders, on which areas to focus on in their cybersecurity efforts.

Problem identification is a critical step in addressing an issue or performance in the healthcare sector. Deloitte (6) provides that the second step in cybersecurity improvement involves proactively assessing the cyber risk. The success of the project “depends on an organization’s ability to synthesize external and internal intelligence in a timely manner to develop a constant situational awareness that will become part of the organization’s overall security posture” (Deloitte 6). An organization can assess its cybersecurity problem by internally investigating its digital and ICT systems to establish its vulnerabilities to a cyberattack, such as by keeping activity logs. However, it is recommended that a company conducts external intelligence to know the common vulnerabilities. Such intelligence can be gathered from primary or secondary research can inform what measures an organization can implement to protect its systems from cybersecurity issues.

If the trends resulting from the COVID-19 are to continue, cyberattacks will present one of the major threats facing healthcare delivery in the US. Cyberattacks have negative implications for both healthcare organizations and patients. Firstly, cyberattacks disrupt or delay sensitive hospital operations, placing patients at risk of worsened clinical outcomes. For example, when the WannaCry ransomware attacked the Hollywood Presbyterian Medical Center in February 2016, the facility's management had to delay surgeries, and patients were diverted to other facilities (Argaw et al. 2). Furthermore, when malicious individuals compromise EHRs, providers lose access to vital information such as patient comorbidities, current medications, and patient allergies. Healthcare professionals require unlimited access to desired information, failure to which diagnosis, treatment, or medication could be negatively impacted.

Besides, cyberattacks affect revenue generation and lead to further financial loss in ransom payments. In the Presbyterian Hospital case, cyberattacks held critical information for ten days. The management ultimately paid 17000 dollars in bitcoins to regain access to lost information. Tully et al. (229) note that the financial impact of a cyberattack on a hospital could reach $7 million in litigation and fines. Notably, breaching data from healthcare provider systems violates patients' confidential information, affecting the public's trust in the affected organization. Identifying the common points of cyber vulnerability could help in reducing the rate of attacks on US hospitals. In the long term, this research project has the potential to reduce the number of cyberattacks in the US healthcare sector. In the final section, the paper provides appropriate recommendations tied to research findings. The recommendations could lessen the impact that cyberattacks have on organizations and patients.

Research Method

Information sources included Google Scholar, ACM Digital Library, American Journal of Nursing, Cumulative Index of Nursing and Allied Health Literature (CINAHL), and PubMed. Keywords used in the article search included “cybersecurity,” “healthcare system,” “healthcare sector,” "common vulnerabilities," "vulnerabilities,” “hospitals,” and “trends in cyber-attacks.” There were challenges in developing a common search string. Thus, keywords were combined in a relevant way during the systematic search.

For inclusion, articles had to report the points or areas with the largest vulnerability to cyber-attacks in the healthcare sector’s digital systems. Besides, articles that reported trends in cybersecurity attacks were included for analysis. Articles were excluded if they reported perceptions or were duplicates. Furthermore, the article search was limited to the English language. The period of publishing was restricted to two years. Article search yielded 23 articles. After screening for duplicates, 17 articles remained. 11 were considered irrelevant after reviewing their titles and abstracts. Three articles that met all the inclusion criteria were analyzed to inform the research problem.

Secondary research was selected as the research method for this project. Mellissa Johnston (620) provides that "secondary data analysis is the analysis of data that was collected by someone else for another primary purpose.” In a world where researchers have been able to archive remarkably vast volumes of data, the practicability of using existing information in research has become relatively prevalent compared to the decades before the emergence or in the early stages of the development of digital technologies. In undertaking this project, time and resources were significant limitations. Johnston (620) further states that “existing data provides a viable option for researchers who may have limited time and resources.” Therefore, desk research was an appropriate method for this research project as it offers access to reliable information and with less effort.

Findings and Recommendations

Findings

Firstly, database vulnerabilities represent one threat that leads to cyberattacks in hospitals and other healthcare facilities. In the healthcare sector, databases are vital in storing electronic medical records. Primary vulnerabilities of databases include privilege elevation, backup theft, SQL injection, and vulnerability of passwords (Razaque et al. 7). Most often, the passwords used by users are easily guessed by cybercriminals (Razaque et al. 7). Another large point of vulnerability within healthcare systems is eHealth cloud storage. Although patient information stored in the cloud is encrypted to protect it from malicious individuals, this data storage type is vulnerable to malicious data modifications and alterations and spoofing identity (Al-Issa, Ottom, and Tamrawi 5). Seh et al. investigated the common data breaches that affect the US healthcare system intending to enhance patient confidentiality. Results showed that software vulnerabilities, human error, security failures, and access to patient information were the primary cause of hacking attacks and unauthorized internal disclosures of patient data (Seh et al. 6).

Recommendations

To address the vulnerability of databases, leaders of organizations in the healthcare sector can use the API sequence of ransomware. Also, a cryptographic key is suggested to reduce the success rate of cyberattacks on databases (Razaque et al. 15). Furthermore, healthcare organizations should strengthen the resilience of their cybersecurity infrastructure and employ the best cybersecurity practices to prevent attacks (Martin et al. 4). Such practices can be critical in protecting patient information. Furthermore, healthcare organizations should educate healthcare staff on safely handling patient data procedures. Emphasis should be placed on regulations governing collecting, storing, and sharing medical information with other parties apart from the patient.

Conclusion

The research paper aimed to investigate the points of largest vulnerability within the US healthcare systems and suggest recommendations to address the problem. Due to the interconnectivity of medical devices with HIS, cybersecurity attacks against hospitals and other healthcare facilities have always been common as malicious individuals can penetrate health information systems (HIS). Cyberattacks are prevalent in the healthcare sector because the sector is responsible for offering services despite cybersecurity incidents. Also, health information systems contain valuable patient data. Since the start of the Covid-19 pandemic, cybercriminals have taken advantage of the fact that COVID-19 has weakened the US healthcare systems. The number of cyberattacks has significantly increased worldwide during this time.

Systematic article search was conducted in various databases to obtain articles that explore the largest points of vulnerability within the US healthcare systems. Three articles met the inclusion criteria and were included for analysis. After data analysis, it was established that US healthcare systems are vulnerable due to cloud storage and have database vulnerabilities. Also, software vulnerabilities, human error, security failures, and access to patient information are the primary represent critical vulnerabilities facing healthcare organizations in the US. The API sequence of ransomware and cryptographic key are effective strategies to reduce database vulnerabilities. Besides, healthcare organizations should strengthen the resilience of their cybersecurity infrastructure to ensure no permanent loss of patient data in the event of a cyberattack. Furthermore, Healthcare systems should protect patient information from cyberattacks as per the stipulations of existing regulations. Reducing vulnerabilities within the healthcare sector's digital systems protects the patients' rights and alleviates disruptions of organizational processes.