Hackers Take Gloves Off In Attacking Health Care


It often begins with an innocent-looking email, maybe from HR or the finance department. A link takes employees to a familiar-looking login page where they are asked to sign in with their official username and password. When they hit enter, presto: the thieves now have entrée to the company's system, where they can prowl around, inserting malware and ransomware to disrupt, hijack or cripple it.

It is estimated that about 3.4 billion malicious emails are sent around the world each day. And while the vast majority end up in spam folders, it only takes a single successful phishing expedition to cause trouble. The organization I lead, Michigan Medicine, suffered such an attack last year when four employees typed their login credentials into a bogus website. We discovered and contained the breach quickly and, while some health records were presumed compromised, it does not appear that the goal was to obtain personal patient information.
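The attack described above turns on a login page whose address only resembles the real one. As an added illustration (not code from the article or from Michigan Medicine), the following Python screens a link against an allowlist of an organisation's genuine login hosts and flags the usual impostor patterns: digit-for-letter swaps, the real name buried as a subdomain of a foreign domain, internationalised hostnames, and near-misses by edit distance. The allowlist, the domain `example-health.org` and every sample URL are constructed for the example.

```python
"""Lookalike-domain screen for links found in suspected phishing mail.

Added example; the trusted hosts below are hypothetical, as are the URLs
used to exercise it.
"""
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist: the organisation's real sign-in hosts (hypothetical).
TRUSTED_HOSTS = {"login.example-health.org", "sso.example-health.org"}
TRUSTED_DOMAINS = {"example-health.org"}

# Digit/letter substitutions commonly used in typosquatted names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Fold a DNS label to the form an attacker is imitating."""
    s = unicodedata.normalize("NFKC", label).lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def registrable(host: str) -> str:
    """Crude registrable-domain cut: last two labels (enough for .org/.net/.com)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'review' or 'reject'."""
    p = urlparse(url)
    host = (p.hostname or "").rstrip(".")
    if not host:
        return "reject", "no hostname in link"

    if host in TRUSTED_HOSTS:
        if p.scheme != "https":
            return "reject", "allowlisted host reached over plaintext HTTP"
        return "trusted", "allowlisted sign-in host"

    # The organisation uses ASCII names only, so any IDN label is suspect.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "reject", "internationalised hostname imitating an ASCII brand"

    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "review", "unlisted subdomain of a trusted domain"

    # Real name used as a subdomain of someone else's domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:
            return "reject", f"trusted name {trusted!r} embedded in foreign domain {reg!r}"

    # Typosquat: registrable label within two edits of a trusted label.
    label = normalise(reg.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(label, trusted.split(".")[0]) <= 2:
            return "reject", f"lookalike of trusted domain {trusted!r}"

    return "review", "unknown host; not a known lookalike"


if __name__ == "__main__":
    for u in [
        "https://login.example-health.org/sso",
        "http://login.example-health.org/sso",
        "https://login.examp1e-health.org/",
        "https://login.example-health.org.account-verify.net/",
        "https://hr.example-health.org/",
        "https://xn--exmple-health-abc.org/",
        "https://www.michigan.gov/",
    ]:
        print(f"{u:60} -> {classify(u)}")
```

A "review" verdict is deliberately not "trusted": the screen only rules out the obvious impostors, and anything it cannot place still belongs in front of a human or a reputation feed before the link is clicked.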

Since I began leading Michigan Medicine in 2016, cybersecurity has become an ever more pressing concern for me as well as my colleagues at hospitals across the country. Ransomware attacks against health care systems – in which thieves take control of data and only release it for a price – have reportedly doubled since 2016. This problem is not limited to health care; schools, governments, energy systems, corporations and even farmers are attacked. But the U.S. Department of Health and Human Services has reported that hospitals are the most lucrative targets, consistently incurring the highest cost for data breaches.

Cyberattacks illustrate the great promise and peril of technology. As it has enabled caregivers to improve patient outcomes, it has also made us more vulnerable. A connected world offers many advantages, but it offers entrée to the good and bad alike.

The increase in cyberattacks reflects our increasingly unstable geopolitical climate. Many data thieves live and operate abroad, especially in eastern Europe and Russia. For years, there was a tacit understanding between these rogue outfits and their governments that critical infrastructure, including elections, food, water and energy supplies and health care, was off limits. Hackers who went after these assets could face the wrath of their nation-state protectors.

Anyone following the news knows these guardrails have been dismantled in recent years as America's election systems, pipelines and health care systems have come under vigorous attack. A 2020 HHS survey found that 70 percent of hospitals had experienced a "significant security incident" during the previous year. A study published in 2023 found that 44 percent of these attacks impacted the delivery of care. One Alabama hospital reports that a ransomware attack may have caused a baby's death, when caregivers failed to see a change in the fetal heart rate because the attack had disabled some of the computer systems used to monitor care.

This is heartbreaking. But it's important to note that most hackers are not interested in crippling care or even publicizing personal medical information. Health care is especially attractive to those seeking to steal identities, because its records are highly organized and detailed. Knowing not just someone's name, address and credit card information, but the names of their family members, is gold to scammers.

In many ransomware attacks, the thieves kidnap data in order to sell it back at a price; disruption of service often occurs while the terms are being negotiated. One irony of this new environment is that it depends in many ways on trust: the victims must be confident that the thieves will deliver on their promises to return the stolen information. This has led to the emergence of expert negotiators who know which thieves can and cannot be counted on. It sounds crazy, but it is also the state of play.

There is no quick and easy fix. But I am confident that we can provide more protection by recognizing that a system-wide problem requires a system-wide response. Currently, most efforts are local. Individual hospitals invest in advanced network security to protect their data and work to educate their employees about how to spot and report phishing attacks.

Even as we devote more resources to protecting our data, hospitals must do more to share information about emerging threats and collaborate on our responses. For too long, a cloak of secrecy has covered most discussion of this issue. It is, frankly, embarrassing to admit your organization has been hacked, and the admission can carry reputational damage. But sweeping the problem under the rug will only make it worse.

I am proud to say that my state of Michigan has been a leader in the effort to foster more transparency and collaboration. Since it was established in 2017, the Michigan HC Cybersecurity Council, a non-profit, public-private partnership, has brought together a wide array of stakeholders to pool knowledge and educate caregivers, patients and the public about this challenge.

Cybersecurity is an issue that affects everyone. For too long, however, too many organizations have pursued a go-it-alone approach. We need to recognize that there is safety in numbers.

Marschall S. Runge, MD, PhD, is Executive Vice President for Medical Affairs and Dean of the Medical School for the University of Michigan. He serves on the Board of Directors for Eli Lilly and Company.
