Ransomware attacks on the health sector are a national security problem

Half a century ago, selling non-medical technology to hospitals was a tough job. In 1970, only 40 per cent of US hospitals had computer systems. Physicians often expressed a fear that computers were cumbersome and unreliable, doing more harm than good. Yet the arguments for adoption were obvious enough. Back then, up to a third of the average American hospital bill was attributable to inefficient information handling, and the US public health agency complained as many as half of hospital chemistry tests were inaccurate because of “pencil and paper” errors like messy handwriting and shoddy arithmetic. The digitalisation of the medical sector since then is one of the greatest advancements in health care of the past century; computer systems are a critical component of modern hospitals around the world. But with new capabilities come new vulnerabilities. Hospitals, by way of their computer systems, have in recent years become the targets of crime. One common form, the ransomware attack, involves criminal gangs hacking into hospital records to steal private patient data and threatening to release it if they don’t receive payment. An investigation by The National published this week lays bare the activities of one such group based in Russia, known as Qilin. Qilin has carried out dozens of ransomware attacks around the world in just the past two years. Many of the targets are in the healthcare sector. Cyber security is an increasingly difficult task, and preventative cyber security is an almost Sisyphean one. Hacks and data breaches are becoming almost par for the course for any organisation with reputation and a computer – from utility companies in Serbia to banks in Bangladesh. If a system is upgraded, it is usually a matter of time before hackers find a workaround. The “internet of things” – the growing prevalence of everyday objects endowed with a WiFi signal – only raises the number of access routes for cyber criminals into our lives. Hospitals are a uniquely attractive target because the victims, sick patients, are especially vulnerable and their data especially intimate. And the consequences can go far beyond data protection; an attack on a pathology services firm in the UK in January led to cancer patients having their surgeries delayed. The ruthlessness of these kinds of attacks led one former FBI counter-terrorism leader to tell The National they should be classified as “a form of terrorism”. Taking a national-security approach towards healthcare cyber attacks may be warranted. Hospitals and even many medical service providers could reasonably be considered part of a country’s critical infrastructure; when their operations are compromised, the impact can be wide-ranging and deadly. That means governments should be pro-active in protecting them and devote sufficient investment in their cyber security, with comparable priority to any other vital national asset. But measures should be taken to make the private healthcare sector more resilient, too. Companies must foster a culture of patient care extending to patient data, and an understanding that powerful software is just as important as fancy hardware, even if donors and patients never see it. They must also include cyber-security staff in their payroll, if they haven’t already, and train medical staff in basic IT security awareness. The UAE is a leading nation in implementing cyber-security controls, particularly with the Cyber Security Council setting up partnerships to enhance resilience across the healthcare sector. Abu Dhabi’s Department of Health implements an "Abu Dhabi Healthcare information and Cyber Security Standard" across all healthcare entities, with clear mandates. Long gone are the days when healthcare professionals feared computers. It is right to ensure those days never return.