Cyberattack Disrupts Cancer Treatment in Massachusetts
On April 6, patients at Brockton Hospital in Massachusetts arrived for chemotherapy treatments only to be sent home. The hospital’s computer systems had fallen victim to a cyberattack, leading to the closure of the emergency room and the redirection of ambulances. Staff members had to revert to using paper records, and patients were instructed to call back later to reschedule their appointments.
This incident is not an isolated case. In May 2024, a ransomware attack impacted operations at 136 hospitals for six weeks. That same year, a data breach at Change Healthcare put the personal health information of roughly 100 million Americans at risk, seriously disrupting billing and authorization processes and causing some doctors’ offices to consider shutting down. A survey by the American Hospital Association revealed that 74% of hospitals faced direct consequences on patient care post-breach.
The Stakes Are High
When hackers target healthcare infrastructure, patients bear the brunt of the impact. Delays in chemotherapy, missed diagnostic tests, and postponed surgeries can lead to dire consequences. Medications may go unfilled, and emergency rooms struggle to access patient histories and medication allergies in urgent situations.
As a patient advocate who has worked for years on issues surrounding data security, as well as a security researcher, I’ve learned that the root of these problems is not merely technical. The true challenge lies in the structure of the healthcare system itself.
An Ongoing Arms Race
The same advancements that are aiding drug discovery are now being used to exploit software vulnerabilities at an alarming speed. While healthcare is busy pursuing breakthroughs with artificial intelligence, hackers are also advancing their tactics.
On April 7, Anthropic introduced a new AI model capable of autonomously detecting numerous software weaknesses. Instead of releasing it for public use, the company created Project Glasswing, a $100 million program designed to help major tech companies like Amazon, Apple, and Microsoft fix their own vulnerabilities—healthcare organizations were noticeably absent from this initiative. Estimates suggest that similar technologies could emerge in the next year.
Just days later, the Cloud Security Alliance released a report stating that the time between discovering a vulnerability and developing an exploit has decreased to less than a day. Experts recommend that organizations begin a 90-day readiness plan immediately.
Marcus Hutchins, known for halting the WannaCry ransomware attack in 2017, weighed in, asserting that unpatched vulnerabilities are often due to a lack of urgency rather than an inability to identify them.
Patients at Risk
Cybersecurity experts have long predicted this looming crisis. Healthcare facilities are not indifferent to security; rather, they depend on external software providers over which they have limited control. Policies tend to react to crises rather than preventing them. The rapid shift to digital systems has not been matched by equal efforts to safeguard these infrastructures. When vulnerabilities are discovered, healthcare facilities often wait for vendors to provide patches, which can take months to test and authorize.
The disparity in resources is glaring. Large medical centers often have dedicated cybersecurity teams and stronger bargaining power with vendors. In contrast, smaller community hospitals, which many patients rely on, typically have outdated equipment and limited IT support, making them less capable of implementing necessary fixes quickly.
Economic incentives within the healthcare system complicate the speed of responses to cyber threats. Patients, who are most vulnerable, often lack representation in discussions about digital security.
Unpredictable Threats Ahead
Predicting the next major cyberattack is extremely difficult. The National Weather Service uses models to forecast hurricanes, but similar tools do not exist in healthcare cybersecurity. A dangerous storm is brewing, however.
Anthropic’s Project Glasswing would serve as a much-needed reinforcement, but the healthcare industry’s patchwork of vendor-controlled systems remains vulnerable. The timeline for offensive actions has drastically shortened, while hospitals continue to face the lengthy processes of securing updates and regulatory approvals for their devices.
Despite some initiatives aimed at combating these threats, such as Project UPGRADE and resources from the Cybersecurity and Infrastructure Security Agency (CISA), a substantial gap still exists. Organizations are beginning to track the impact of cyberattacks on patient safety, and efforts are underway to mobilize support.
To ensure better protection for communities, it’s crucial to advocate for bipartisan support of legislation focused on healthcare cybersecurity. Since patients ultimately depend on this infrastructure, it’s essential that safeguards, funding, and regulations are put in place.
Many patients remain unaware of these underlying issues. We like to believe that our health data are secure and that systems are in place to prevent disruptions like canceled treatments. However, with the rise of cyberattacks, our health and lives are at stake, and when these attacks occur, it’s people in our communities who suffer the consequences.
Andrea Downing is a security researcher, patient advocate, and co-founder of The Light Collective.
