Cyber Incident Tracer #Health — a human-centric data-driven platform
Not a month goes by without a cyberattack on a healthcare organization somewhere in the world. The reporting and documentation of these incidents is lagging behind. Without both of these components, as a society, we are unable to:
- Understand the true scale and scope of the problem at hand,
- Measure the harm that these attacks cause to individuals, communities and society,
- Develop appropriate responses to reduce the threat.
Six months after launching the Cyber Incident Tracer #Health (CIT #Health) we, at the CyberPeace Institute, have taken significant steps to shrink this knowledge gap by documenting attacks on the sector. Through this article we aim to provide a snapshot into what the data shows and why closer attention needs to be paid to the harm cyberattacks have on people.
Why did we create a Cyber Incident Tracer?
In the midst of a global pandemic, the healthcare sector has been under significant threat, not just from the increasing pressures on its staff and organizations to maintain critical services at a time of increased demand but due to malicious actors targeting the sector for financial and informational gain.
As the CyberPeace Institute sought to capture and evidence the harm of these attacks on the sector, people and society, it noted a gap in the systematic collection of cyber incidents across the world. Without this data, we could only rely on anecdotal observations and reporting of isolated incidents to establish the who, what, when, why, where and how of the threat landscape. Building on this anecdotal research and the publication of “Playing with Lives: Cyberattacks on Healthcare are Attacks on People” the idea was born of creating a public repository and visual representation of cyber incidents on this sector and the impact that they have on people and organizations — a Cyber Incident Tracer.
An analysis of the data has enabled us to identify the harm caused by cyberattacks through the lens of some key questions.
Why does the healthcare sector matter?
Attacks on servers or systems in one country can have detrimental impacts on connected sites across the world.
An Indian pharmaceutical company was targeted by a ransomware attack a week after it began the final trials of a COVID-19 vaccine. Sites around the world were affected, including those in the UK, Brazil, India, Russia and the US. Reports indicated the production at some facilities in India was disrupted after the pharmaceutical company was forced to isolate impacted servers. The attackers published exfiltrated data online.
When we think of healthcare, we often think of hospitals and clinics but the healthcare sector is much broader. The CIT #Health allowed us to capture the variety of organizations within this sector that have fallen victim to cyberattacks. In 2021 alone we captured over 230 attacks on the sector — from medical specialists such as fertility clinics, cancer centers and blood services to pathology labs to medical manufacturers, biotech companies and pharmacies. Despite the exclusion of additional healthcare related entities / incidents due to resource constraints, such as dental practices, healthcare insurers and supply chain attacks on software providers and data storers, the breadth of organizations impacted with disruptive attacks such as ransomware is evident.
Visual 1: Cyberattacks on the healthcare sector by type of organization
Over the years the sector has grown to be increasingly dependent on technology to deliver its services to those in need. When the systems are hit, the services are impacted and the capacity to meet the needs of people is reduced.
During and following an attack, other organizations both locally and abroad are called in to maintain critical patient services.
A ransomware attack against New Zealand’s fifth-largest healthcare network, servicing 430,000 patients, forced its systems offline. Some surgeries had to be rescheduled and around 70 critical cancer patients were transferred to other hospitals, with considerations that they should be flown to Australia as a last resort. The attackers sent patient and staff data to media outlets and later published it online. Private clinics had to help with a backlog of over 200 elective surgeries, as well as thousands of outpatient appointments.
What does a cyberattack on the sector look like?
Keeping a human centric-approach in mind, the CyberPeace Institute aimed through the CIT #Health to go beyond business and financial measurements in order to document what impact incidents have on organizations and what harm these are causing to people and society. In order to do this we’ve focused on a number of key indicators.
Organization-centric indicators suggest that healthcare organizations attacked in 2021 suffered an average of 23 days of operational impact ranging anywhere from a matter of hours to 115 days. In 55% of all 231 incidents recorded, systems were reported as going offline and in 76% of incidents data was breached or exposed.
Communication channels between patients / customers and the organization providing health services are hindered as a result of cyber incidents.
A ransomware attack disrupted the computers of a diagnostic lab, forcing it to disconnect the affected networks for 17 days. At the time, the lab accounted for 5% of Belgium’s total COVID-19 test capacity. Many tests could not be conducted even in paper form, there were delays in reporting and telephone lines were overloaded as a result.
On the other hand, human-centric indicators allow us to relate cyber incidents to users of healthcare services and employees of those organizations. In the case of patient care services such as hospitals, clinics, medical specialists and mental health and substance abuse facilities there are two indicators which point to a worrying impact on patients. In 16% of incidents patients had to be redirected and in 19% of cases appointments had to be canceled.
An attack can lead to the infection of both primary and back-up servers leading to significant operational downtime as records are rendered entirely inaccessible.
A ransomware attack encrypted medical records of 85,000 patients at a 120-bed Japanese hospital, including backup systems. As a result, staff had to revert to pen and paper and stopped accepting new out-patients. The attack was discovered at 12:30am when printers began printing ransom notes. Both the main server and its backup server were infected with the virus. Employees were unable to access electronic patient records containing information such as patients’ names, ages, treatment and medicines they had been given. The hospital only resumed medical examinations in all 13 departments more than 2 months (66 days) after the incident was discovered.
What makes healthcare data particularly sensitive and valuable?
On average, 193,000 records were breached in a single incident in 2021 and this number has been as high as 2.4 million records. Although the numbers may be staggering, it is the content of these breached records that should raise alarm bells with all of us who at some point in our lives have used the services of healthcare organizations. Data in patient records range from standard Personal Identifiable Information (PII) such as names, dates of birth and address details all the way through to medical imagery, doctor’s notes, HIV status and treatment for substance abuse.
The impact caused by cyberattacks can be so far reaching that it leads to the permanent closure of healthcare organizations further unsettling patients who will need to adapt to new service providers.
Approximately 36,000 patient records, including juveniles, were stolen in a data breach at a Finnish psychotherapy clinic. These records contained highly sensitive personal data including records of therapy sessions of some of the most vulnerable in society as well as the healthcare professionals who treated them. Around 30,000 people are believed to have received the ransom demand; some 25,000 reported it to the police. A 10-gigabyte data file containing confidential notes of at least 2,000 patients and their therapists appeared on websites on the dark web. Following the attack the clinic, Vastaamo, filed for bankruptcy and ceased operations in March 2021.
Visual 2: Type of data breached in attacks on healthcare organizations sized according to frequency of occurrence
It is not just patient data that holds sensitive information but also that of employees who work for the organizations.
A threat actor published information of nearly 4,000 employees at a US-based manufacturer for advanced technology blood testing analyzers as part of a potential ransomware attack. Data leaked included social security numbers, dates of birth, age, hiring dates, contact details, emergency contact details, scanned documents, non-disclosure agreements, clinical core quotes and certificates of liability insurance
Healthcare information, landing in the wrong hands can have significant and long lasting implications for those whose records were breached. The psychological harm caused by a breach of data ranging from loss of trust in the healthcare system all the way through to fear and anxiety of one’s medical conditions or professional records being accessed by unknown entities has yet to be measured. The CyberPeace Institute is continuing to track cyberattacks on the healthcare sector and also currently developing a methodology for measuring the impact and harm of cyberattacks on people and society. If you are interested in contributing to this project please reach out to us at [email protected]
This blog was researched and written by Emma Raffray (Senior Cyber Data Analyst), with the support of the Analysis Team of the CyberPeace Institute.