- The consequences of cyber attacks on the health industry are extremely serious, affecting both the function of healthcare facilities and the health of patients.
- In 56% of the healthcare facilities affected by cyber attacks, patient treatment outcomes deteriorated due to procedure and test delays. Complexity in treatment procedures increased by 53%, while patient mortality rose by 28%[1].
- The average cost of a single cyber attack on the health sector is 300 thousand euros[2].
- The European Commission is responding with a recovery plan for the digital safety of this sector.
Healthcare in the Crosshairs
Since the coronavirus pandemic, the health sector has become a primary target for cyber criminals. This is confirmed by statistics on ransomware attacks, in which data is encrypted and a ransom demanded for its release. According to the latest data from the European Union Agency for Cybersecurity (ENISA), a full 8% of ransomware attack attempts target healthcare. Only the business (18%) and industrial (17%) sectors experience a higher share of attacks.
Kamil Sadkowski, an analyst at the ESET antivirus laboratory, explains, “The health sector is targeted by cyber criminals for several reasons. This sector processes a huge amount of data, including personal data. The work dynamism of the staff can be dizzying. It is estimated that nurses log in to a computer up to 80 times a day. In many cases, to speed up operations, they neglect digital security, for example, by sharing passwords written on sticky notes attached to the computer. Importantly, for some groups of cyber criminals, an attack on healthcare, i.e. a sector belonging to so-called critical infrastructure, is a chance to destabilize a given country – it is enough to mention that 42% of incidents in this sector are attacks on hospitals.”
A single attack costs 300,000 euros
European Union representatives see an immediate need for action. Stavros Lambrinidis, EU Ambassador to the UN, described ransomware attacks on the health sector during a security briefing as a “rapidly growing threat with far-reaching consequences”. He also highlighted that such attacks occur every 11 seconds, and their frequency is expected to increase to every 2 seconds by 2031. Meanwhile, Poland has become a key target of ransomware attacks worldwide. As data from ESET’s Threat Report for the second half of 2024 shows, this type of attack rose in Poland by 36%, making it the second most attacked country by cybercriminals.
“According to ENISA data, as many as 83% of cybercriminals are primarily motivated by finance. The average cost of a security incident in healthcare is estimated at 300,000 euros, excluding potential fines imposed by data protection authorities,” calculates Kamil Sadkowski.
The attack that cost a billion dollars
The American public learned just how costly ransomware attacks can be from a massive attack on the healthcare provider Ascension Healthcare. Cybercriminals encrypted thousands of computer systems in 120 hospitals, preventing access to electronic medical records and affecting key diagnostic services, including MRI and CT scans.
Nurses lost access to digital patient records and had to search through paper notes. In addition, doctors could not send scans and pictures to surgeons waiting in operating rooms – every document had to be printed and delivered in person. Restoring functionality in hospitals took 37 days, crisis management and procedure changes cost about $130 million, and the company’s revenue dropped by $900 million at the end of the year (Ascension Healthcare data for the UN).
“As the Ponemon Institute report indicates, however, the most difficult consequences are for the health and lives of patients. Of the medical facilities that experienced the four most common types of cyberattacks covered by the survey (ransomware, BEC attacks, supply chain attacks, and cloud solution attacks), 69% saw disruptions in patient care. In 56% of facilities, patient treatment outcomes deteriorated due to procedure and test delays, complexity in treatment procedures increased by 53%, and patient mortality rose by 28%,” adds Kamil Sadkowski.
The EU responds and creates a plan
The European Union has created the first initiative and plan in response to mass cyber attacks on healthcare. The plan proposes that by 2026, ENISA will launch a pan-European Cybersecurity Support Center for hospitals and healthcare providers, providing them with guidelines, tools, services, and training. This initiative is part of broader EU plans to strengthen cybersecurity across all critical infrastructure. One of the priorities will be to create EU-level early warning services by 2026 and to develop cooperation paths with private service providers, providing warnings of potential cyber threats in near real-time.
Furthermore, the plan could include national cybersecurity exercises and the development of handbooks to help healthcare organizations respond to specific cybersecurity threats, including ransomware.
The EU NIS2 directive being implemented in Poland and the amendment of the law on the national cybersecurity system impose new, rigorous cybersecurity obligations on many sectors, including the healthcare sector. This is significant because the public health sector and medical facilities have been designated as so-called key entities, which must meet requirements related to: implementing an information security management system, implementing effective safeguards, assessing cybersecurity risk, providing information and reporting serious incidents, and conducting information system security audits.
Sources:
https://www.enisa.europa.eu/sites/default/files/2024-11/ENISA%20Threat%20Landscape%202024_0.pdf
https://www.enisa.europa.eu/sites/default/files/publications/Health%20Threat%20Landscape.pdf
https://news.un.org/en/story/2024/11/1156751
https://ec.europa.eu/commission/presscorner/detail/en/ip_25_262
https://assets.turtl.co/customer-assets/tenant%3Dteam/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report-2024%20(1).pdf
https://projects.research-and-innovation.ec.europa.eu/en/horizon-magazine/race-make-hospitals-cybersecure
[1] Data from: https://assets.turtl.co/customer-assets/tenant%3Dteam/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report-2024%20(1).pdf
[2] Data from: https://www.enisa.europa.eu/sites/default/files/publications/Health%20Threat%20Landscape.pdf
Source: https://managerplus.pl/cyberprzestepcy-atakuja-szpitale-sredni-koszt-incydentu-to-300-tys-euro-unia-europejska-ma-plan-89260