• A study of healthcare cyberattacks in over 30 countries shows the scale of the rising threat.
  • Ransomware attacks dominate the broadening scope of threats to healthcare providers.
  • More action is needed from actors in the sector, cybersecurity firms and governments to ensure access to healthcare.

It’s hard to imagine anything more cynical than holding a hospital to ransom, but that is exactly what’s happening with growing frequency. The healthcare sector is a popular target for cybercriminals. Unscrupulous attackers want data they can sell or use for blackmail, but their actions are putting lives at risk. A cyberattack on healthcare is more than an attack on computers. It is an attack on vulnerable people and the people who are involved in their care; this is well illustrated by the breadth of healthcare organizations, from hospitals to mental health facilities to pharmaceutical companies and diagnostic centres, targeted between June 2020 and September 2021.

Cyberattacks on healthcare have continued to plague the sector since the start of the COVID-19 pandemic. At the CyberPeace Institute, we have analyzed data on over 235 cyberattacks (excluding data breaches) against the healthcare sector across 33 countries. While this is a mere fraction of the full scale of such attacks, it provides an important indicator of the rising negative trend and its implications for access to critical care.

Over 10 million records have been stolen, of every type, including social security numbers, patient medical records, financial data, HIV test results and private details of medical donors. On average, 155,000 records are breached during an attack on the sector, and the number can be far higher, with some incidents reporting the breach of over 3 million records.

Poor bill of health

Ransomware attacks on the sector, where threat actors lock IT systems and demand payment to unlock them, have a direct impact on people. Patient care services are particularly vulnerable; their high dependence on technology combined with the critical nature of their daily operations means that ransomware attacks endanger lives. Imagine being in an ambulance that is diverted because a cyberattack has caused chaos at your local emergency department. This is not a hypothetical situation. We found that 15% of ransomware attacks led to patients being redirected to other facilities, 20% caused appointment cancellations, and some services were disrupted for nearly four months.

Ransomware attacks on the sector occurred at a rate of four incidents per week in the first half of 2021, and we know this is just the tip of the iceberg, as there is a significant absence of public reporting and available data in many regions. Threat actors are becoming more ruthless, often copying the data, and threatening to release it online unless they receive further payment.

Health records are low-risk, high reward targets for cybercriminals – each record can fetch a high value on the underground market, and there is little chance of those responsible being caught. Criminal groups operate across a wide range of jurisdictions and regularly update their methods, yet we continue to see that attackers act with impunity.

Incidents over time by healthcare sub-sector
Incidents over time by healthcare sub-sector
Image: CyberPeace Institute

Securing the right to healthcare

We can, and should, be doing better. The first step is with cybersecurity itself. Healthcare cybersecurity suffers from a general lack of human resources. More people need to be trained and deployed.

Software and security tools need to be secure by design. This means putting security considerations at the centre of the product, from the very beginning. Too often security options are added as a final step, which means they paper over inherent weaknesses and loopholes.

Healthcare organizations should also do more, particularly increasing their investment in cybersecurity to secure infrastructure, patch vulnerabilities and update systems, as well as building and maintaining the required level of cybersecurity awareness-raising and training of staff. Healthcare organizations also need to commit to due diligence and standard rules of incident handling.

But these matters are ultimately too big for individual organizations to solve alone. Governments must take proactive steps to protect the healthcare sector. They must raise the capacity of their national law enforcement agencies and judiciary to act in the event of extraterritorial cases so that threat actors are held to account. This requires the political will and international cooperation of governments, including for investigation and prosecution of threat actors.

One point of real concern from our analysis is that information about cyberattacks, such as ransomware incidents, is inadequate due to under-reporting and lack of documentation of attacks. Thus it is impossible to have a global view of the extent of cyberattacks against the healthcare sector. To build even a partial picture of such attacks meant us accessing and aggregating the data that ransomware operators – the criminals – publish or leak online.

It is not acceptable that they are the significant source of information relating to cyber incidents and threats posed to the sector. We want to shift away from data published by or from malicious actors and encourage stronger reporting and transparency relating to cyberattacks by the healthcare sector to improve both the understanding of the threat and the ability to take appropriate action to reduce it.

Our analysis shows that 69% of countries for which we have recorded attacks have classified health as critical infrastructure. Healthcare must be recognized as critical infrastructure globally. Designation as critical infrastructure would ensure that the sector is part of national policies and plans to strengthen and maintain its functioning as critical to public health and safety.

Governments must enforce existing laws and norms of behaviour to crack down on threat actors. They should cooperate with each other to ensure that these laws are put into operation in order to tackle criminals that operate without borders. More should be done to technically attribute cyberattacks to identify which actors have carried out and/or enabled the attack.

Health is a fundamental human right. It is the responsibility of governments to lead the way in protecting healthcare. People need access to reliable, safe healthcare, and they should be able to access it without worrying about their privacy, safety and security.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

We hope there is global recognition that the status quo is unacceptable and that we can all do more to prevent cyberattacks against healthcare, protect the victims of such attacks, and hold perpetrators to account.