April 9, 2025
Cyberattacks on healthcare organizations, including hospital systems, clinics, blood banks, and health insurers, are part of an alarmingly rising trend that has contributed to the vulnerability of healthcare networks and operations and caused substantial financial losses.
These attacks also significantly disrupt patient care, causing delays in treatment, disabling entire hospital networks, compromising sensitive medical data, crippling health insurance payment systems, diverting ambulances, and, most importantly, putting patients at risk.
“The main motive of the attackers is to get money, usually through ransomware,” said Greg Young, vice president of cybersecurity and corporate development at a global cybersecurity company based in Irving, Texas. He added, though, that the impact of these data breaches often reaches far beyond just a hit on the target’s bottom line through ransom payments, reputational loss, and legal fees.
As leaders in the hospitals, surgeons have significant influence over the culture of the organization, especially daily practices, and this includes best practices related to cybersecurity. As a result, surgeons need to champion best practices when it comes to battling cyberattacks.
Cyberattacks can jeopardize patient safety and care delivery. Losing access to medical records and lifesaving medical devices, due to ransomware, could hinder a healthcare organization from effectively caring for patients. Cyber terrorists also could accidentally or intentionally alter data in patient records or medical images, which could threaten patient health. This criminal activity could interfere with medical equipment during a procedure and immediately jeopardize a patient’s life.1
A 2024 survey showed that after a cyberattack, healthcare was more likely than other targets to experience a change in senior leadership (21% for hospitals versus 13% for others) or be the target of a related lawsuit (19% versus 13%).2 These changes in leadership typically are associated with information technology (IT) leaders, “even if it’s not their fault,” Young said.
This turnover—losing leaders who know the organization and how to protect it—can weaken the cybersecurity of healthcare organizations. Since each hospital operates differently, institutional knowledge is important to strengthen cybersecurity efforts.
In 2024, more than 8 out of 10 healthcare organizations reported a cyberattack, up from 2023, according to two cybersecurity industry reports.1,2 (See the sidebar "Major Cyberattacks on Healthcare Organizations in 2024" for examples of major cyberattacks on healthcare organizations in the news last year.3-6)
One cyberattack that didn’t receive as much attention from the mainstream media, but definitely captured the interest of healthcare providers across the US, was a ransomware attack on a south Florida blood bank in July 2024 that led to blood product shortages and delayed surgeries.
Hospital transfusion teams in the area learned that the region’s major blood supplier was hit by a ransomware attack from a nonstate Russian actor, said Enrique Ginzburg, MD, FACS, a trauma surgeon from the University of Miami Miller School of Medicine in Florida. The primary impact, due to computer software malfunction, was on the ability to label blood products for distribution.
“The first 72 hours were really touch and go,” Dr. Ginzburg said. “There had to be a lot of coordination between hospitals. A lot of the community hospitals stopped their surgical schedules.”
The event created a statewide crisis of blood product shortage, especially platelets. The incident resulted in new transfusion policies and procedures at his organization to help prevent future cyberattacks. (To learn more about this attack, read the October 2024 Bulletin article, “Cybersecurity Attack on South Florida Hospital System Leads to Valuable Lessons Learned.”)
“Hospitals have become a major target for cyberattacks because they are labor-intensive organizations using highly regulated digital assets, such as insulin pumps and heart rate monitors, with numerous interactions between busy individuals, who may or may not know each other,” said Dirk Schrader, vice president of security research at a cybersecurity company in Frisco, Texas. Add to that the healthcare industry’s “chronic underfunding of cybersecurity.”7
“From an attacker’s mindset, that’s the perfect storm,” Schrader said.
Other reasons why healthcare organizations are especially vulnerable to cyberattacks include the following:
Patient data are valuable. Healthcare organizations are lucrative targets for cyberattacks because they possess a wealth of information, specifically patient data, with high monetary and intelligence value.
“So much private information makes it a rich environment,” Young said.
The targeted data include patients’ protected health information, financial information like credit card and bank account numbers, personally identifying information such as Social Security numbers, and intellectual property related to medical research and innovation.8
“A patient data record is worth 50 times more than a payment card dataset because of what you can do with it,” Schrader said.
Aside from the valuable personal information, these data also can be used to launch other cyberattacks or conduct insurance fraud.
Healthcare organizations are uniquely vulnerable. Internet-connected medical devices, legacy technology systems, and patient data breaches may contribute to the risk of cyberattacks as a result of weak access controls.9 The urgency of interactions between healthcare employees also contributes to that vulnerability, as does the fact that many employees don’t know each other due to frequent changes in personnel from turnover, medical student rotations, mergers, and other factors.
The rapid trend toward electronic health records (EHRs) and health technology, which have numerous potential entry points, has made patient data and devices much more susceptible than they were previously. In addition to EHRs, targets include myriad endpoints, many of which have wired or wireless connections to the internet, such as patient devices (e.g., glucometers, pacemakers), hospital devices (e.g., infusion pumps, MRI scanners), medication dispensing systems, laboratory systems, and anesthesia systems. Since these devices often need to be accessible, they are typically left in hallways and patient rooms, which means they are not always secure, according to Young.9
“There are so many different kinds of technology, and sometimes compliance requirements require older technology to stay around longer than it should,” Young said, adding that these older models typically lack the latest electronic security measures.
The number and variety of medical devices allow the attacker to move from one type of device to the other, making it hard to pin them down and root them out. If the breach is found in one device, the attacker may still have a foothold in another, Young explained.
“Because of this complex IT environment, it’s very easy for ransomware attackers to move laterally,” he said.
Since healthcare organizations focus on patient care, cybersecurity protection often is not prioritized. “When I visit hospitals, too often the IT and security departments are in the basement. Although that’s changing, it’s the legacy of why healthcare is so vulnerable,” Young said.
Of all the modes of cyberattack that target healthcare organizations, ransomware is the most common. Other forms of cyberattack, such as phishing, are simply the opening gambit in a ransomware attack.
“If you’re going to get hurt today, almost certainly it’s going to be ransomware,” Young said.
Ransomware encrypts files, making them inaccessible. The attacker then demands a ransom from the victim, promising to decrypt and restore access to the data upon payment. EHRs and medical imaging systems are particularly vulnerable to ransomware attacks due to the critical nature of their data.
But cyberthieves have taken ransomware to new levels in recent years, especially against healthcare organizations, in what cybersecurity analysts call the “triple play,” Schrader said.
The first action is to encrypt the data and ask for a ransom to decrypt. The second action is to extract data and threaten to publish or sell the data on the black market. Finally, some attackers threaten to go after the patients who were included in the data.
“We have encrypted your data, we’ve exfiltrated the data, and now we’re targeting your patients,” Schrader said. “That’s the triple play.”
Another common threat to healthcare is phishing, which misleads or deceives people into giving away sensitive information. The attacker crafts a fake email that appears legitimate, often with the assistance of artificial intelligence (AI) and language models. The information may be sold or used to commit identity theft.10
“Phishing is almost always an entry into a ransomware or other attack,” Young said.
This type of attack has become more sophisticated. Rather than a general “spray and pray” approach, the phishing attempt may target a healthcare executive to get them to transfer funds or send information.
Hospitals are especially vulnerable to phishing because hospital workers regularly communicate with many people they do not know personally, such as patients, laboratory assistants, external auditors, other physicians, radiology experts, medical students, residents, and so on.
Because cybersecurity awareness among healthcare personnel is low, human behavior is widely considered the most common initial attack vector or entry point in any cybersecurity system. As a result, that’s often where attacks start in a healthcare organization.
An employee may accidentally send an email with patient data to the wrong recipient or put sensitive information on an exposed server or on a laptop that is lost or stolen. Attackers frequently exploit user errors like clicking malicious links in phishing emails, using weak passwords, or neglecting security updates to gain access to systems. Typically, these incidents are accidents involving poor data handling, but occasionally a disgruntled worker may purposefully expose sensitive information to hurt their employer, Schrader said.
Aside from the human factor, there has been an explosion in wired and wireless devices used daily in the care of patients, called Internet of Things (IoT) devices: ventilators, anesthetic machines, infusion pumps, pacing devices, organ support, and several monitoring modalities. This exponential increase in IoT and the increasing wireless connectivity of anesthesia, as well as ICU and implantable devices, make them vulnerable to attack.7
Medical imaging is a vulnerable point for many healthcare organizations. More than 2,500 hospitals have picture archiving and communication (PAC) systems that are connected to the internet, Schrader said. Research from his firm shows about 15% of these PAC systems are completely unprotected.
“They are open for anyone to see the patient data, to see the images, to see names, dates of birth, and in some cases, Social Security numbers,” he shared.
In one possible scenario, an attacker who has access to the radiology data claims to have altered the images and shows the hospital what they have done by sending an original and an altered image of a patient scan. This could wreak havoc on patient care, especially surgery.
“As a surgeon, do you take the risk and perform surgeries the next day in such a scenario even though patient safety might be at risk?” asked Schrader.
In addition, clinicians increasingly rely on digital and technological capabilities to improve, augment, or enable procedures and operations, and these devices are also vulnerable to cyberattack. For example, research has shown that surgical robots are complex systems with many potential vulnerabilities that could be hacked. A cyberattack during a procedure could cause significant physical harm to the patient.11
Surgeons can strengthen their organization’s cybersecurity by understanding their role as active users of sensitive data and systems, adopting best practices around recognizing phishing attempts and using strong passwords, and avoiding unauthorized devices or unsecured networks.
Since surgeons often need access to sensitive information on short notice, they are considered to be “super users” of data and technology, Young said. As a result, surgeons are key players in cybersecurity and must be especially vigilant about protecting data and technology.
Defining the surgeon’s role in cybersecurity can be enhanced by better collaboration and communication between the surgical and IT departments. “Each side needs to better understand how the other operates,” Schrader said. “In this way, they can balance the need to protect data with the need to access data.”
Surgeons and their teams should receive regular updates on their organization’s strategic cyber risk profile and what measures are being taken to mitigate these constantly evolving threats.
Digital viruses and attacks mutate so frequently that even an AI-based detection system cannot fully protect a healthcare organization from cyberattacks, Schrader said. That means surgeons need to regularly communicate with IT and remain cautious about “what you do, what you see, and what you receive,” he said.
Neglecting cybersecurity best practices puts an organization and patient safety at risk.
“A cyberattack is a very negative event to go through,” Young said. “Healthcare is tough enough right now without going through this kind of event.”
Every healthcare organization should adopt and teach best practices to their personnel, including their surgeons.
Awareness training, which should take place as soon as updated information becomes available, can help surgeons and others recognize and report phishing attempts. Typically, this involves reminding staffers that most phishing attempts are emails that use incentives or threats to pressure the receiver to act quickly, Schrader said.
“If this kind of messaging is part of an email you read, slow down and read it twice before you click on something,” Schrader advised. “And if it’s suspicious, report it to IT.”
Surgeons can play a key role in preserving IT security, but in reality, all healthcare organization staff members need to be trained in cybersecurity, irrespective of role. Annual online courses focused on cybersecurity and, particularly, phishing, should be required. Sending regular “fake” phishing emails from IT to staff members also is a highly recommended practice to help employees identify and avoid real phishing attempts by improving their awareness and ability to recognize suspicious emails.7 Surgeons need to embrace this training and even lead it, as it’s important that everyone is on board.
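To make the advice above concrete, here is an added illustration (not from the article, nor from any vendor's product) of a small triage script that scores a message for the pressure cues Schrader describes: urgency, threats or incentives paired with a requested action. The cue phrase lists and the sample messages are constructed assumptions for this example.

```python
import re

# Cue categories drawn from the advice above: phishing emails pressure the
# reader with incentives or threats and a demand to act quickly. The phrase
# lists are assumptions chosen for this example, not a vendor ruleset.
CUES = {
    "urgency": [r"\bimmediately\b", r"\bwithin \d+ hours?\b", r"\burgent\b",
                r"\bright away\b", r"\btoday\b", r"\bexpires?\b"],
    "threat": [r"\bsuspend(ed)?\b", r"\block(ed)? out\b", r"\bterminat(e|ed|ion)\b",
               r"\blegal action\b", r"\bdisciplinary\b"],
    "incentive": [r"\bbonus\b", r"\bgift card\b", r"\breward\b", r"\brefund\b",
                  r"\bprize\b"],
    "action": [r"\bclick\b", r"\bverify\b", r"\bconfirm\b", r"\breset\b",
               r"\btransfer\b", r"\bsend\b"],
}

def score_message(subject, body):
    """Return hit counts per cue category plus a 'flagged' verdict.

    A message is flagged when a pressure cue (urgency, threat or incentive)
    appears alongside a requested action: the "act quickly on this" pattern
    the text describes. Flagged mail is a reason to slow down and report,
    not proof of phishing.
    """
    text = f"{subject}\n{body}".lower()
    hits = {cat: sum(len(re.findall(p, text)) for p in pats) for cat, pats in CUES.items()}
    pressure = hits["urgency"] + hits["threat"] + hits["incentive"]
    hits["flagged"] = pressure >= 1 and hits["action"] >= 1
    return hits

# Constructed sample messages (not real mail) used to exercise the scorer.
SAMPLES = [
    ("Action required: EHR password expires today",
     "Your access will be suspended within 2 hours. Click here to verify your credentials."),
    ("Tumor board agenda for Thursday",
     "Attached is the agenda. Let me know if you want to add a case."),
    ("Employee appreciation",
     "Congratulations, you have been selected for a $100 gift card. Confirm your details to claim."),
]

def triage(samples=SAMPLES):
    """Score each sample and return the subjects that should be reported to IT."""
    return [subj for subj, body in samples if score_message(subj, body)["flagged"]]

if __name__ == "__main__":
    for subj, body in SAMPLES:
        print(subj, "->", score_message(subj, body))
    print("Report to IT:", triage())
```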
By helping to instill a patient-focused culture of cybersecurity, where the staff members view themselves as initiative-taking defenders of patients and their data, surgeons can have a tremendous impact in mitigating cyber risk to the organization and patients.
Hospitals need to develop and practice a rapid response plan for cyberattacks, and surgeons need to understand their roles as part of this plan.
Surgeons should not only follow cybersecurity protocols but raise questions when they see something that concerns them, Young said. “If you see practices that aren’t good, if you see technology that you have questions or concerns about, get involved.”
Healthcare organizations cannot afford to underinvest in cybersecurity. Surgeons and other healthcare leaders must be attentive to updating software as needed, identifying digital vulnerabilities as they arise, and requesting and employing endpoint protection.
Cybersecurity is as much a part of patient safety as surgical precision—both are indispensable.
That’s why surgeons and other senior leaders should view cybersecurity not merely as an IT issue, but should recognize that strengthening their cybersecurity infrastructure, which involves both patient safety and enterprise risk, is one of the most important priorities and one that should be instilled throughout the hospital’s culture.12
Surgical professional organizations also should make cybersecurity a priority, Dr. Ginzburg said.
“While there is a lot of discussion about AI at professional meetings right now, there is not much about cybersecurity issues,” he shared. “Maybe there needs to be a wake-up call.”
Schrader concluded with a strong message for surgeons. “You are a prime target for a cyberattack. Don’t assume that it will not come to your doorstep.”
Jim McCartney is a freelance writer.
Editor’s note: Additional information about cybersecurity is available in the article, “Disastrous Consequences Result from Medical Billing Cyberattack on Small Practice,” found in this issue.