Anyone who works in the healthcare industry knows how reliant hospitals are on technology. From electronic record-keeping to IV pumps to vital sign monitors, the majority of care is influenced in some way by machines. So, when technology goes awry, things take a turn for the worse very quickly.
At Rouen, France’s University Hospital Centre (CHU), that nightmare became a reality on Friday. Hackers reportedly mounted a cyberattack against the hospital’s computers, leaving them useless. Staff was forced to start doing things by hand with pen and paper while the attack was sorted out. Fortunately, no patients were harmed. However, the incident serves as a terrific reminder of the fragility of hospital cybersecurity and the fact that it needs to be addressed.
Denial of Care Attack
Friday’s cyberattack involved an undisclosed form of ransomware which locked hospital workers out of all computer systems and files, including patient records, appointments, and digital prescriptions. For the 1,300-bed hospital, the attack caused operations to leap back into an era before computers.
Rather than giving in to the hackers and paying a ransom, staff continued to provide care while managing record-keeping via telephone and handwritten notes and charts. While the attack did cause “very long delays in care,” CHU reports that no information has been identified as missing.
The French national cybercrime agency, ANSSI, stepped in to manage the attack. It slowly restored access to the hospital’s digital infrastructure and ensured that all machines were cleaned of the virus. Fortunately, all CHU systems should be back in full working order by this weekend. Meanwhile, French police have launched an investigation into who is behind the cyberattack.
Unfortunately, many hackers see hospitals as something other than a place of refuge for the sick and injured; they see them as a gold mine. Since hospital computer systems hold sensitive patient information, to which access is often vital, ransomware attacks can be highly lucrative. Hospitals don’t often have the ability to simply refuse a ransom demand like CHU did.
For the French facility, if patients needed urgent treatment while the system was on lockdown, they could be transported to another nearby hospital. When a different hospital isn’t in the vicinity, however, that option is off the table. This leaves many healthcare organizations with no choice but to pay up.
Sadly, that only reinforces the idea that hospitals are a favorable target for ransomware attacks. This, coupled with cybersecurity that is often outdated, means that the global healthcare industry is facing a huge—yet often undiscussed—crisis. With patients’ lives at stake, hospitals must do a better job of increasing their cybersecurity. Otherwise, attacks like the one on CHU could start becoming a global trend.