Why is the healthcare industry still so bad at cybersecurity?

A medical (cyber)simulation from the 2018 CyberMed Summit (credit: University of Arizona / CyberMed Summit)

Many articles about cybersecurity risks in healthcare begin with descriptions of live simulations, so this one will too. Imagine a doctor, completely unaware of what they are walking into, triaging two patients: one in need of a hospital cardiac catheterization lab after an irregular electrocardiogram (EKG) reading, the other suffering from a stroke and needing a CT scan. All systems are down due to ransomware, so the physician working through the scenario can’t access electronic health records or use any of the assessment tools modern medicine relies on. So, what to do?

There are all kinds of scary scenarios like this that become possible when a hospital or other healthcare provider gets pwned. And the health industry has been getting pwned consistently as of late. In 2019, health organizations continued to be hit with data breaches and ransomware attacks, costing the sector an estimated $4 billion. Five US healthcare organizations reported ransomware attacks in a single week last June. A Michigan medical practice closed last spring after refusing to pay a ransom to attackers. And in 2018, when comparing a range of sectors that included education, healthcare, general professions, and finance, healthcare entities accounted for 41 percent of all breaches and security incidents, the highest share of any sector. The attacks are becoming more severe and more sophisticated, too.

It’s not hard to imagine other modern nightmares beyond the ransomware triage above. For example, malfunctioning pacemakers could deliver shocks patients don’t need, or a blood type database could be altered in an integrity attack, causing chaos. All four of these scenarios were in fact run during the two latest CyberMed Summits, a conference founded in the aftermath of 2017’s WannaCry attacks. “The world’s only clinically-oriented health-care cybersecurity conference” now annually brings together physicians, security researchers, medical device manufacturers, healthcare administrators, and policymakers in order to highlight and, hopefully, address vulnerabilities in medical technology.


Biz & IT – Ars Technica