Cyber Security - Now a Matter of Life or Death
No longer just simply a matter of monetary, reputational, and litigious ramifications, cyber-attacks have demonstrated their ability to claim human lives, catapulting cyber security’s importance to centre stage. Cyberattacks and cybersecurity inaction within any industry will cause some form of damage but in the healthcare sector, the enhanced risk is to all patients and their lives. In 2021, approximately half of all global hospitals faced an IT shutdown in the first half of the year and cyberattacks on the healthcare sector only continued to spike in 2022, evidently a targeted sector.
Before delving into this further, it’s integral to caveat that presently it is difficult to directly attribute cyberattacks to hospital deaths due to a variety of extenuating factors and due to the notion, that deaths can occur later, albeit weeks or months following an interruption in care. Moreover, it is a relatively new field of study, underrepresented in academic literature, therefore, according to the qualitative evidence, it is likely too soon to confidently suggest that ransomware directly causes severe outcomes. Nonetheless, given cyberattacks’ recent trajectory and the increasing use of such in warfare, we argue that it is already at a level of criticality and even one death is too many.
Healthcare sectors are targeted for various reasons, specifically, data related to medical records could well retain or increase in value over time. Additionally, hospitals have broad attack surfaces, typically under-resourced and underfunded means cybersecurity is deprioritized enhancing the ease with which to gain access. Aiding this is the lucrative nature of theft of medical identity documents rather than credit card fraud, it can sometimes be years before patients or providers have recognized that medical data theft has taken place. While data theft is of considerable concern, we shift focus to the impact that cyberattacks can have on one’s life.
Notwithstanding the impacts of the global Covid-19 pandemic on cybersecurity, a 2021 study from Proofpoint and the Ponemon institute found after analysis of 600 healthcare facilities that mortality rates increased at 150 of the sites following a ransomware attack. More specifically, cyber-attacks can target and subsequently cause longer hospital stays, and delay procedures and tests with 57% of those surveyed noting that this led to poorer patient outcomes and 50% finding increased complications for their patients following medical procedures.
The Impacts –
In Germany, a hospital in Dusseldorf in 2020 faced a ransomware attack, for the hospital to shut its emergency department causing a patient to be rerouted to various hospitals across the city. As a result, a patient died. Following an in-depth investigation, it was detailed that the outcome for the patient would have been identical regardless of the ransomware attack, however, it demonstrated that it is merely a matter of time before ramifications of attacks like this cause far more significant damage. Furthermore, in 2020, a woman sued an Alabama hospital after it faced a cyberattack. The woman alleged that doctors failed to perform critical pre-birth testing while the hospital was responding to the cyberattack, causing her baby to be born with the umbilical cord wrapped around the newborn’s neck. In turn, the baby was left with brain damage, and a few months later, passed away. At a local scale, the outcome is already evident but the ability to weaponize this in cyberwarfare can have far more devastating consequences. In a scenario where a malicious actor can take out an entire hospital network, particularly in war zones, patient death tolls will drastically increase.
Previously, scholars such as Lewis (2022) have argued that cyber-attacks typically are not an important consideration in comparison to kinetic weapons because they have never resulted in deaths and cannot assure ‘destruction’. We argue that empirical evidence suggests that this is no longer true. Academics and policymakers alike need to ensure that cybersecurity does not remain a deprioritized issue, especially in the healthcare sector. As John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association states it is time “to view these types of attacks, ransomware attacks on hospitals, as threat-to-life crimes, not financial crimes.”
We demonstrate that Cyber Security’s role in Political Economics will only increase. Its expansion into conflicts, potential to disrupt markets and plummet stock prices, alter election outcomes, and now pose a threat to life - makes cyber security all the more serious.
As the Internet of Things (IoT) Increases so does the attack surface, so what should we do?
While the quantum computing era is still in its slow and steady phase, we may find answers here on how to improve the healthcare sector’s cybersecurity maturity, at least in terms of securing data and reducing digital medical theft. The development of “quantum-safe” structures are integral to ensuring data security and integrity for essential applications and infrastructure. As well as thorough securitization of essential networks such as heart monitors, refrigerators, and outlets used in health care sectors.
