The infrastructure underpinning the foundations of healthcare systems around the world are becoming increasingly digital which opens them up to cyber attacks of many different forms - ransomware, phishing, account takeovers (AOT), and more. These attacks significantly impede the ability of health providers to offer critical, lifesaving services.
The past few years have seen a significant increase in the number of cyberattacks on the digital infrastructure of nearly every sector, with the average cost of a data breach amounting to roughly $4.3 million per incident. That figure rises even higher in the health sector, where the average cost is about $10.1 million per data breach. Health organizations dealt with approximately 1,463 cyberattacks per week in 2022, globally, which was up a whopping 74% from the previous year. In the US, that figure was 86%. This uptick in cyberattacks shows no signs of slowing down. Instead, it is significantly increasing.
The massive attack on CommonSpirit Health systems in the US cost the company about $150 million, according to the non-profit. But it is the direct effects on human lives that are most troubling. A thee-year-old boy was given five times the prescribed dosage of medicine because of the cyberattack on the hospital's system, and in another state, the death of a baby was also attributed to a cyberattack because doctors were unable to perform critical pre-birth checks. In Germany, a patient died while being transported to a different hospital because the facility closest to her was closed to due a cyberattack.
Unfortunately, the increased frequency and severity of cyberattacks are likely to continue. Emerging technologies, most notably Artificial Intelligence (AI), make it easier to create, launch, and scale high-quality cyberattacks. Recent research has shown that Large Language Models, a type of AI used to mimic human writing, can deceive users into committing actions that hurt themselves or their organization. For example, an LLM can deceive employees into sharing sensitive information or granting attackers access to sensitive systems. Previously, these attacks required the hacker to speak the same language as the user, have a flair for persuasion, and understand the target’s IT system. Now, the attacks can be automated and launched by anyone. We face a troubling situation: cyberattacks are becoming easier to launch and more potent while our reliance on technology is increasing.
For this reason, the institute has created a new stream of research focused on cybersecurity and health, to better understand the potential harms that these advanced technologies can have on our healthcare systems and organizations, and to develop mitigating solutions, in collaboration with our partners across the public and private sectors, academia, and civil society.