Healthcare Cyberattacks Grew in 2022. How Should the Industry Combat Them?

Concerning data from cybersecurity firm Check Point indicates an increase in cyberattacks on healthcare organizations by 74% in 2022 from the previous year.

Healthcare is currently the third most attacked global industry (1,463 attacks per week) behind government/military (1,661 attacks per week) and education/research (2,314 attacks per week.) And in the United States, Healthcare ranks second in weekly attacks.

For example, with the growth of AI-driven technology, researchers and other security professionals worry hackers may use tools like ChatGPT to create phishing emails and launch other sophisticated cyberattacks.

One piece of potential good news for those working to protect healthcare institutions from cyberattacks is the recent passage of the bi-partisan PATCH Act, introduced by U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) to provide much-needed security and safety measure for healthcare system’s cyber infrastructure. The bill passed without the inclusion of cybersecurity rules for medical device developers. Still, medical devices are susceptible to cyberattacks, and it is something the medical device development community should take seriously.

An expert in cybersecurity and VP of Cyber Safety Strategy for Claroty, Joshua Corman, weighed in on the rise of cyberattacks in healthcare and the efforts to combat them.

Joshua’s Thoughts

“For me, the passage of the PATCH Act has been at least a nine-year journey trying to argue that connected medical technologies need minimum cyber hygiene, just like cars needed seat belts and safety features. So it’s been building trust with the US Food and Drug Administration, helping inform their pre- and post-market guidance, but not backed by statute. There was a 2015 congressional task force for healthcare industry cybersecurity I served on, and ultimately during the pandemic under record-high ransomware attacks as well, we saw that disruption to healthcare tech from accidents and adversaries can precipitate loss of life. This was overdue and now we have it backed by law.

How can it help hospitals? Hospitals have a shared responsibility, both with how defensible and resilient the technology we procure and deploy is, to begin with, so our supply chain of medical devices and medical technologies, plus how well we secure them. Any hospital regardless of size or funding will now benefit from at least minimum cyber hygiene for the devices we procure and deploy, so we have a fighting chance of keeping them free from accidents and adversaries.

And why now? I think I would’ve preferred this nine years ago, but there has been growing recognition that we were prone, we were prey, and we just lacked predator interest. Over the last three years with record-high attacks on healthcare from ransomware and brazen criminal actors, degraded and delayed care affects patient outcomes and even mortality rates, and these protracted ransom attacks have been documented in part by my team at CISA to introduce delays sufficient to lead to loss of life. Congress has taken notice. The White House has taken notice, and there is finally political will to step up here and preserve the trust of the public in this technology.”