Cybersecurity consultants who give top marks to the Bermuda Hospitals Board’s security initiatives have warned of a significant and continuing cyber-assault on healthcare institutions.

One American healthcare cybersecurity professional praised the BHB’s commitment to securing its technology, but he conceded the world now faced an avalanche of attacks.

Jason Stewart, virtual chief information security officer at Fortified Health Security in Tennessee, gave the BHB kudos.

“They meaningfully care and want to know about cybersecurity,” he said.

Mr Stewart was speaking at the CIO Connect conference held at KPMG in Hamilton. This was an invite-only event attended by healthcare chief information officers from Bermuda and overseas.

He said if cybercrime were a country, it would have the third largest gross domestic product in the world, following only the United States and China.

“Cybercrime is robbing the world blind,” Mr Stewart said.

He told the audience that you can now rent a ransomware platform.

“These are not backwater mafioso businesses,” he said. “They have a help desk for their illegal ransomware software.”

Russell Teague, chief information security officer at the same firm, said the average threat actor spends 279 days in a computer system before the owner knows it has been infiltrated.

“During that time, they are mapping out the environment, understanding the communication flow and using the tools available to them from inside the system,” Mr Teague said. “They quietly build their strategy, until they send the ransomware notice.”

The pair stressed how important it is to not only have back-ups for data, but to test those back-ups before a cyberattack happens.

“The bad guys go after those,” Mr Stewart said. “They try to make sure you have got nowhere to turn.”

Mr Teague said if the victim loses access to their back-ups, then they often have no choice but to attempt to buy decryption keys back.

“That is if the threat actor will sell them to you,” Mr Stewart said. “We have been lucky enough in some investigations to buy the encryption keys back.”

They cautioned against taking a “code black” approach to a cybersecurity attack — responding by unplugging everything and turning off every switch.

“All your forensics image or memory data is flushed as soon as you kill power,” Mr Teague said. “What is in memory? What was running when the attack happened? You lose all of that information and the forensics is really hampered.”

In the past ten years, cyberattacks on hospitals and other healthcare institutions have become increasingly frequent.

In July 2024, hackers hit One Blood, a charity that provides donated blood to hospitals across Florida and at least four other states.

“Blood supply across the southeast was significantly impacted,” Mr Teague said. “Surgery stopped at certain hospitals and procedures were halted because the hospital could not guarantee they would have the right blood supply.”

The good news is that the average cost of a healthcare cyberattack has fallen by $2.2 million to $7.42 million year-on-year.

“That is an artefact of us being more resilient and being able to recover faster,” Mr Stewart said. “Organisations that have experienced a major outage are now more resilient so their ability to recover is faster.”