Cyberattacks against health care facilities and public health researchers have nearly doubled amid the coronavirus pandemic, according to new data.
The statistics provided to Digital Trends by cybersecurity firm Infosec and compiled from the U.S. Department of Health and Human Services show there have been 127 breaches of U.S. hospitals and health care systems from February 1 through May 18 in 2020.
That’s a nearly 50% increase from the 66 breaches during the same span of time in 2019. The cybersecurity firm Bitdefender also noted a 60% increase in breaches from February to March of this year.
The Red Cross says it has seen an increase in cyberattacks on health care facilities and hospitals since the start of the COVID-19 pandemic.
The Red Cross released an open letter yesterday, first reported by Reuters, that was signed by 48 politicians and dignitaries from around the world calling for governments to protect health care systems and hospitals from attacks.
“Over the past two months there has been one attack every three days on healthcare entities,” said Stéphane Duguin, Chief Executive Officer of the CyberPeace Institute, in a statement to Digital Trends. CyberPeace released the letter jointly with the Red Cross. “Today’s call is aimed not only at attacks but also for more robust state-sponsored response.”
Recent weeks have seen cyberattacks hit health care centers in the Czech Republic, France, Spain, Thailand, Australia, and the United States, as well as international organizations such as the World Health Organization, the Red Cross said in a statement. The Red Cross also said it “recorded more than 200 physical incidents of violence against health workers and facilities linked to Covid-19 across more than 13 countries since the beginning of the pandemic.”
The HHS saw its own attack in March of this year, according to Bloomberg.
Health care systems have historically been easy targets for hackers. According to Verizon’s most recent Data Breach Investigation Report, the health care industry reported the highest number of actual breaches in 2019: A total of 521, up from 304 in 2018.
There’s always a large amount of high-value data like credit card and social security numbers, birthdates, and addresses inside hospitals’ vulnerable systems. Historically, hospitals have not operated with a high degree of cybersecurity or security awareness training, a spokesperson for Infosec told Digital Trends. In general, hospitals and other medical institutions, like research firms, are considered very soft targets due to their lack of security, said Chris Kennedy, chief information security office of AttackIQ, a cybersecurity firm.
“You’ve got these legacy operating systems that are often very antiquated and internet capable, and that places them at a high risk of exploitation,” Kennedy told Digital Trends. “It’s a big deal to upgrade them, so they become the soft underbelly of an organization that gets attacked.”
In the past, hospitals have also paid out ransoms to get back crucial medical information that hackers have stolen.
“Think about the rules of war. There are bounds defined by the Geneva Convention that define the rules of war,” said Kennedy. “That doesn’t exist in cyberspace. Here we are in middle of global pandemic, it’s safe to assure there are state sponsored actors and terrorists thinking about ways they can induced further terror, as a way to capitalize on this opportunity.”
“We know cybercriminals will always try to profit in times of anxiety and fear — when people are most vulnerable,” the Infosec spokesperson said. “Cybercrime will surely have a banner year in 2020.”