Are cyber attacks already causing casualties?
Few organizations today are spared from cyber threats, most often in the form of ransomware attacks. However, perhaps the strongest focus of malicious actors is healthcare, where increasingly frequent cyberattacks indicate that this sector is particularly attractive, probably due to the large amount of sensitive data that healthcare providers accumulate.
But apart from personal data violations and leaks, do the current attacks also affect the physical world, specifically health outcomes? Prompted by increasingly frequent attacks on OT (operational technology), the hardware and software that monitors or controls equipment, assets and processes, the Ponemon Institute surveyed more than 600 IT professionals in more than 100 healthcare institutions. More than half of the healthcare facilities included in the research were infected by ransomware in the last three years. As many as 2/3 of those surveyed claim that attacks have disrupted patient care, and 59% of them revealed that the attacks have increased patient length of stay, straining resources. Most significantly, nearly one quarter said the attacks led to an increased mortality rate in their facilities.
Although this is only a survey with no definite conclusions, the IT staff in healthcare institutions are certainly familiar with organizational processes, and their insights probably have some merit (although it is not entirely clear to what extent). If we take into account the growing digitization and use of operational technology devices in healthcare, it is safe to assume some patients are already suffering from worse healthcare due to cyberattacks, which ultimately leads to more deaths.
In a ransomware attack, hackers gain access to an organization's computer networks, lock data, and demand a ransom. Cyberattacks on healthcare facilities have become a real scourge in recent years, with 297 attacks reported last year alone, according to NBC News. It should be noted that not all attacks are reported, in order to avoid anxiety among patients. It is well known that delays in healthcare affect mortality rates, and healthcare facilities are aware that cyberattacks cause delays.
While ransomware attacks are generally considered private criminal enterprises, some of the best hackers are those who work for governments. The Russian Conti gang behind the attack on the Irish National Health Service works for Russian intelligence, and the State Department has claimed that the gang has ties to the Russian government. The US has also accused North Korea of targeting US hospitals with Maui ransomware.
Gartner, a consultancy, predicted that by 2023, the financial impact of attacks on CPS (cyber-physical systems) will reach over $50 billion, and that by 2025, cyberattacks will be successfully injuring and even killing people.
According to the Ponemon Institute survey cited above, it seems the year 2025 from Gartner's predictions is already upon us.