Cyber attacks on hospitals can kill - here's why

In Israel specifically, any one hospital being unable to conduct MRI and CT scans, which run 24/7 and are backlogged, could impact the country nationwide. 

Projection of cyber code on hooded man (llustrative) (photo credit: REUTERS/KACPER PEMPEL/ILLUSTRATION TPX IMAGES OF THE DAY)
Projection of cyber code on hooded man (llustrative)
(photo credit: REUTERS/KACPER PEMPEL/ILLUSTRATION TPX IMAGES OF THE DAY)

The ransomware attack on Hadera’s Hillel Yaffe Medical Center last week could have ended in patients’ deaths.

In the future this hospital, or any other hospital, may not be so lucky.

“This really is a life-or-death situation, and it is not theoretical anymore,” said Gil Messing, head of global corporate communications for Check Point – a world leader in cybersecurity solutions. “It is happening around the world, and it can happen here, too.”

Take for example life-support machines, Messing said. Often, they are connected to the hospital network through the Internet. If there is an attack and the machine stops, then a person on life-support is not going to get what he or she needs.

“If it was just a regular computer or a regular machine at a factory then it would not be a life-or-death situation if it stopped working,” he said.

Another example is the use of MRI or CT scans, the data from which are generally stored in a hospitals’ servers, noted Prof. Yuval Elovici, a computer scientist in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev. If suddenly there is no access to the server, and a doctor needs to treat someone based on the outcome of his or her MRI or CT scan, the doctor cannot give the patient the correct treatment.

Illustrative photo of a cyberattack.  (credit: Wikimedia Commons)
Illustrative photo of a cyberattack. (credit: Wikimedia Commons)

“The correct treatment could decide if a person lives or dies,” he said.

“Say someone was injured in a car accident and you need to do an MRI to see if there is brain damage,” Elovici continued. “Suddenly there is a cyberattack and you cannot access this information anymore,” because MRI scans, unlike patient medical records, are not printable.

In Israel specifically, any one hospital being unable to conduct MRI and CT scans, which run 24/7 and are backlogged, could impact the country nationwide.

Earlier this year, an Alabama mother sued her local hospital for the death of her baby who was born in 2019 with the umbilical cord wrapped around its neck, resulting in serious brain damage. The mom, Teiranni Kidd, said when she arrived to give birth, the staff was dealing with a cyberattack that resulted in the failure of electronic monitoring devices that could have warned medical staff of the situation in time, according to local media reports.


Stay updated with the latest news!

Subscribe to The Jerusalem Post Newsletter


In medicine, time means life. So, shutting down a hospital network and causing it to be unable to take in critical patients could kill.

“Let’s say someone had a heart attack and he gets in an ambulance to go to the ER,” Messing offered, “but the ER cannot accept patients because its network is down. The ambulance needs to take that person somewhere else, and that time might kill the person.”

THIS IS what happened in Germany in 2020, when a 78-year-old woman suffering from an aortic aneurysm was directed to 32 kilometers away because the closest medical facility was not taking patients in its accident and emergency department due to a cyberattack. The woman’s care was delayed an hour and she died.

Hillel Yaffe was still able to take and care for critical patients, the hospital said. However, it did turn away any non-urgent care patients and asked them to seek treatment elsewhere.

For perspective, one out of 22 organizations in the healthcare sector in Israel has been attacked by ransomware every week, Messing said. If you look not only at ransomware attacks but all attacks, the numbers are even higher.

“If in the world, the average number of attacks on an organization in healthcare is about 700 attacks per week, in Israel that number is 1,400 attacks per week – all kinds of cyberattacks.”

Messing said this represents a 30% increase over the year before, largely spawned by COVID-19.

In other words, healthcare organizations have become prime targets. The only reason Hillel Yaffe’s became well-known is because it worked – and the hospital is public and required to report it.

Hospitals are good for hackers because they possess a lot of valuable information, Messing said, but also because with so many digital machines that could mean the difference between life or death, the organizations being hacked are more likely to pay and quickly move on.

“Many hospitals and clinics actually pay the ransom, because they feel paying it would be less significant than dealing with what Hillel Yaffe is dealing with,” he said, adding that hospital hackers often ask for sums of money that they believe hospitals can pay, like $50,000 or $100,000, believing then they can “end the whole thing quietly.”

The Hillel Yaffe attackers are reportedly asking for $10 million, according to N12.

This success leads attackers to attack again.

The government until now has had a policy not to negotiate with hackers or even talk to them, though sometimes others connected to the situation will try to make contact and get information to help solve the crime.

The Health Ministry said Thursday that it had been working “around the clock” together with the Israel National Cyber Directorate to investigate the incident, as well as to establish a new computer system and recover lost data.

Elovici said that preventing a persistent hacker is extremely hard. As such, it is mandatory that hospitals have a contingency plan for what to do if a cyberattack disables part or all of its IT infrastructure.

Messing said that ensuring all data is backed up is key. But he admitted that with today’s attacks being “fifth-generation” and most healthcare organizations only having protection against second- or third-generation attacks, the gap in protection is likely to make it so that at least some hackers will be successful again in the future.