Pro-Russian distributed denial-of-service (DDoS) attackers have recently targeted Dutch hospitals, according to Z-Cert, a partnership of hospitals for digital security. The attacks are believed to be the work of the group Killnet, in collaboration with other attackers.
The impact of such cyber incidents on hospitals is enormous. Liselotte van Boven, a physician involved in researching the impact of cyber attacks on hospitals in Europe and the US, said: “They can impact acute patient care, including emergency department closure and the cancellation of operations.”
Previous research into internal hospital crises and disasters (IHCDs) showed that IT-related IHCDs occur regularly in the Netherlands. “That is why I wanted to dig deeper into the impact of such failures,” said Van Boven.
Her research comprised a systematic scoping review of major acute care disruptions in Dutch hospitals between 2000 and 2020. She identified 39 IT failures resulting in acute care disruption, of which 85% were primary IT failures such as computer network outages or hospital software failures. Secondary events predominantly resulted from power failure.
“The most striking conclusion was that the majority of the incidents occurred in the past decade,” said Van Boven.
Dennis Barten, an emergency physician and supervisor to Van Boven, added: “This skyrocketing impact seems to be attributable to the increased dependence on digital systems.”
Appalling ransomware consequences
Cyber attacks have not yet led to major incidents involving the deaths of patients in the Netherlands, but this might be a matter of time, according to Barten.
“The healthcare sector in the Netherlands is ever more aware of the threat of cyber incidents, but as there haven’t been any major examples, such as the attack on the health service executive of Ireland in 2021, the focus still lies primarily on patient care,” he said.
“That is of major importance, but patient care is directly affected by the failure of a hospital’s digital systems. This stresses the urge to improve IT security and business continuity in today’s hospitals.”
The recent DDoS attacks on Dutch hospitals have shown the importance of cyber awareness in the sector.
Van Boven said: “Such an attack renders the website unavailable, which causes disruption. But the consequences can be far more appalling when a hospital falls victim to a ransomware attack.”
In collaboration with Z-Cert, Van Boven and Barten approached 25 hospitals in the US and Europe that had been victims of a cyber attack. Unfortunately, only four hospitals agreed to participate in Van Boven’s study.
“We can only guess why organisations are hesitant to share information. It might be a liability issue and the fear of being attacked again,” said Van Boven.
The participating hospitals will remain anonymous, but Van Boven’s research outcomes are comparable for US and European organisations, she said, adding: “Although some healthcare and IT systems differ between countries, the hospitals we interviewed all reside in well-developed countries dependent on digital systems. I found it noteworthy that hospitals struggle with the same topics everywhere.”
The most conspicuous element of her research was the time it took hospitals to recover from a cyber incident. “And more so, the lack of awareness in hospitals of the impact of such incidents struck me,” Van Boven said.
“Most people working in a hospital have heard of ransomware, but the prevailing idea is that systems will be down for just a few days. They think that after that, they’ll be able to return to their work as before. But that is not the case. Our research shows that recovery takes weeks, in which systems at the hospital often will be reopened in phases. This sometimes led to a priority battle between departments, each thinking theirs was the most important to reopen.”
Apart from this struggle, Van Boven found that a cyber attack also personally affected healthcare workers: “Such an incident brings about stress, the necessity to work more than usual, and the feeling of failure towards patients. We found this among physicians, but also in IT staff – they felt very responsible, even though it wasn’t a case of who is to blame.”
Prepare for recovery
Through their research, Van Boven and Barten aim to create a wake-up call for Dutch hospitals because healthcare organisations in the Netherlands could do with more awareness and preparedness regarding cyber threats.
“This means hospitals need to examine their digital security critically. Early detection systems are key and they need to think about prioritising applications for vital patient care,” they said.
Furthermore, preparing for a possible cyber incident and recovery phase is essential, they said. “Preparing means you don’t have to decide when you’re in the midst of the crisis, but you have thought through various scenarios that’ll help you deflect the impact of the incident on your organisation.”
This means, for instance, performing cyber crisis exercises, as many organisations do with fire drills. “It is not just about mitigating the crisis technically, but also teaching staff how to work on paper if necessary,” said Van Boven.
“I have found that my generation is struggling with this element, as we have never had to fill out a patient status on paper. You must collectively decide on formats, where to find and file paperwork and teach younger people how to work like this in a crisis.”
Dutch hospitals tend to spend the larger part of their budgets on patient care, but this needs adjusting, said Barten, adding: “We need a growing awareness within hospitals that investing in solid IT security is vital to patient care. Patients could be in danger if systems are down and in recovery for weeks, with crucial data not easily accessible. In addition, the impact of a cyber incident on acute patient care calls for solid IT systems and security.”