At the beginning of 2024, there was a succession of cyberattacks, and the month of January saw a worrying peak in incidents. The figures published by IT Governance UK include only acknowledged incidents, that is, those reported by institutions. We know, from experience, that not all institutions are in the habit of publicly and transparently reporting attacks and the resulting information leaks.
One of Optum’s companies, Change Healthcare, suffered a cyberattack in February 2024, and the impact is still being felt. The BlackCat organization, associated with Russia and specializing in ransomware, gained access to one of the United Health company’s servers, preventing, for example, the associated pharmacies from managing prescriptions. As with all ransomware, a ransom must be paid to regain access to the data.
Financially, the payment of a ransom amount of twenty-two million dollars was reported, but it is estimated that some institutions suffered losses of one hundred million dollars per day. On April 22nd, the United Health group reported losses of 872 million in the first quarter of the year alone, estimating that the impact of the cyber-attack could reach 1.6 billion.
In the USA, Change Healthcare is the largest processor of prescriptions, with access to the files of 1 in 3 patients in the country.
But this wasn’t even the biggest cyberattack in memory on the healthcare sector. In 2015, an Anthem Inc. data breach affected 78.8 million people. In the end, the company reached an agreement with the Department of Health and Human Services (HHS), paying sixteen million dollars, and made another agreement to resolve one hundred class action lawsuits, totaling 115 million, which added thirty-one million in legal fees. HHS also ordered that the company’s cybersecurity deficiencies be analyzed and corrected.
Last year, patient data leaks affected more than 133 million people (or 124 million, according to the same source), which represents an increase of more than 150% compared to 2022.
It is widely recognized that, for example, some of the best hackers in the world have been hired by security organizations, some national, others private, on the assumption that whoever created the virus knows how to create a cure, similar to what happens with non-computer viruses. The strategy of defending against and anticipating attacks as part of security or cybersecurity exists, and it is not for lack of investment that leaks occur or that companies fall victim to cyberattacks.
However, when we talk about the healthcare sector, and patient data, it is necessary to consider its durability. Clinical history cannot be changed by changing a password or access PIN. Medical data cannot be chosen or changed, as can email or internet banking security data.
It is no surprise that cybersecurity is one of the priorities of the world’s largest organizations and is seen as one of the most important areas of investment in the era we live in and that lies ahead.
With the adoption of digital and IT tools, with the transition from paper to virtual data, with platforms for sharing medical records, prescriptions, exams, in short, the entire health history of individuals, the dependence on tools that guarantee the security, inviolability and privacy of data is fundamental.
And that’s also why data is such an attractive target.
It’s not just about the value of data for crimes like identity theft or using personal data to commit diverse types of fraud. As we have already seen, data hijacking can result in a freeze in the operations of several institutions, going well beyond the amount demanded as a ransom. Losses are not limited to the moment and are not resolved instantly.
If we consider the origin of the hackathon, we can notice two details. First, the word formation: hack and marathon. Secondly, the chronology, which takes us to 1999, when OpenBSD held the first hackathon on June 4th, in the city of Alberta. In this first hackathon, 10 developers worked to avoid legal problems that would eventually arise due to regulation of the export of cryptographic software from the US.
And there is no doubt that organizations, and the companies they hire, work to predict and prevent attacks and leaks, imagining and creating scenarios and carrying out attacks in a “controlled environment”, that is, authorized and encouraged, in order to design defense systems. However, not all healthcare companies have the size or budget to invest in developing solutions or hiring cybersecurity companies.
The investment allocated to the IT area and, specifically, to cybersecurity has been increasing, just as the number of cyberattacks has also increased.
But the health sector is fruitful in mergers, acquisitions, outsourcing and other actions that involve third parties entering the scene. The dependency
The presence of outside parties whose cybersecurity policies are unknown is the source of vulnerabilities: the hiring of suppliers or providers, or the merger with or acquisition of institutions, that are not capable of efficiently sealing each digital access door and window.
It is essential that the sector opens up in order to close down.
Only through a strategy in which we work in a collaborative and unified manner can we reach the point where larger or smaller institutions, with larger or smaller budgets, are able to guarantee maximum security for their data and the data of their customers, patients or their own human resources. It is this openness to the exchange of information and knowledge that will allow us to create more complete strategies and tools with more predictions for more scenarios. And, consequently, the digital wall will protect the entire sector from cybercriminal attacks.
This sharing must bring together public and private institutions to share intelligence, knowledge and resources and to exchange experiences and visions.
The world is connected and is more vulnerable to attacks from keyboard criminals. But it is also connected to solve problems, to create platforms that better serve patients and ensure the privacy of their data.
The digital world increasingly demands interoperability. It is not a merely operational issue; it must be part of the culture of the institutions.
And, at the center of it all, are patients. It is necessary to be transparent and admit that crimes have occurred, rather than trying to keep them from becoming known so as not to damage reputation. It is necessary to communicate, preventively and educationally.
If patients know how to protect their data, how to avoid giving access to the devices they use, whether computers, smartphones, or tablets, they can avoid being the gateway to cybercrime. But they should also be informed when something like what happened to Change Healthcare happens. And that’s not what happened. The fear of financial repercussions is greater than the duty of transparency.
We must always bear in mind that, even in 2019/2020, we had a problem that, perhaps, could have been tackled more effectively if there had been this transparency and timely communication. When Wuhan didn’t want to tell the Chinese government that it had a problem, hoping to contain and hide it and solve it before it spread, it got to the point where it became a national problem. And China followed the same procedure. In an attempt to contain it within its own border, it did not communicate and was not transparent. And what happened is what we all know, with consequences that are still felt today.
When we talk about cybercrime, the similarities with laboratories that try to anticipate epidemics or pandemics are obvious. Cures are developed in a controlled environment to prevent global catastrophes.
But, in addition to research and development and all the efforts made to create cybersecurity solutions, this work must be carried out openly and globally and it must be transparent. Only then will everyone be able to benefit.
There are several definitions of the concept of innovation: creating something new or renewing, adding new features, for example. Do we agree that this creation will be more effective, when we talk about cybersecurity, if it is possible to collect diverse contributions and build innovative systems that benefit the entire sector? And, following Joseph Schumpeter’s definition, we innovate when we create something new that considerably alters the relationships between products and consumers, generating economic development. And here are two essential foundations when we talk about security. Consumers, that is, patients, are a fundamental part of this equation. And there is no innovation if there is no economic development.
Without innovation that involves each stakeholder, without anticipating hypotheses and creating preventive countermeasures, it will not be possible to have a modern healthcare sector that uses the digital universe in a constructive and effective way, with positive results for institutions, professionals and patients.