As the value of medical data surges, domestic hospitals are becoming prime targets of cyberattacks, but many medical institutions are effectively defenseless due to a lack of security budgets and specialized personnel.
On the 12th, according to the Korea Institute for Health and Social Affairs (KIHASA) report "Policy measures to improve cybersecurity at medical institutions," an online survey of 263 medical institutions nationwide, including tertiary general hospitals (41) and general hospitals (222), found that 44 (16.7%) did not allocate any information security budget last year.
The information security budget refers to resources invested in protective activities to maintain the confidentiality, integrity, and availability of information systems.
Among all responding medical institutions, 79.1% said they lack information security staff. The average number of information security personnel per hospital was 0.9, effectively meaning there is no dedicated staff.
The security investment gap by hospital size was also stark. The average information security budget at tertiary general hospitals was 822.6 million won, but at general hospitals it was 58.7 million won.
Security gaps are leading to actual damage.
Hospitals that experienced a cybersecurity incident within the past three years accounted for 6.5% (17) of all responding institutions. The causes of incidents (multiple responses) were led by external cyberattacks with 16 cases, followed by 13 cases of technical vulnerabilities such as system obsolescence, and 10 cases of administrative vulnerabilities.
At one general hospital, about 20 terabytes of patient imaging data were encrypted in a ransomware attack, and some data were permanently lost. At another small clinic, access to patient medical records was blocked, and recovery was possible only after paying the hacker about 1.26 million won in cryptocurrency.
Even when backup data were set up, cases repeatedly occurred in which the main data and backup data were damaged simultaneously because they were left connected to the same network.
The research team's analysis found that many cyber incidents at medical institutions stemmed less from sophisticated hacking techniques than from basic security management failures, such as unapplied security patches, poor account management, and unaddressed VPN vulnerabilities. They noted that such weaknesses can directly affect the continuity of medical services, leading to treatment delays, disrupted surgery schedules, and loss of medical data.
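The backup failure described above (primary and backup data encrypted together because they sat on the same network) comes down to two questions a defender can check in an asset inventory: can the backup target be reached from the production network, and do the same credentials open both? The following is an added illustration, not code from the KIHASA report or the article: a toy model in which a ransomware outbreak spreads to every online host that is both network-reachable and opened by the stolen credential realm, plus an inventory check that flags backups sharing a segment or credential realm with production. All host names, segments and credential realms are constructed.

```python
"""Toy model of backup survival in a ransomware outbreak.

Added example (not from the article or the KIHASA report). Host names,
network segments and credential realms are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    segment: str          # network segment the host sits on
    cred_realm: str       # credential realm (e.g. an AD domain) that grants access
    is_backup: bool = False
    online: bool = True   # an offline tape or detached disk cannot be reached at all


@dataclass
class Network:
    hosts: dict           # name -> Host
    links: set            # undirected pairs of segments with routing between them

    def reachable(self, a: str, b: str) -> bool:
        return a == b or (a, b) in self.links or (b, a) in self.links


def simulate_encryption(net: Network, initial_host: str, stolen_realm: str) -> set:
    """Spread from initial_host to every online host that is reachable
    over the network AND opened by the credential realm the attacker holds."""
    encrypted = set()
    frontier = [initial_host]
    while frontier:
        cur = frontier.pop()
        if cur in encrypted:
            continue
        encrypted.add(cur)
        for other in net.hosts.values():
            if other.name in encrypted or not other.online:
                continue
            if (net.reachable(net.hosts[cur].segment, other.segment)
                    and other.cred_realm == stolen_realm):
                frontier.append(other.name)
    return encrypted


def surviving_backups(net: Network, encrypted: set) -> list:
    return sorted(h.name for h in net.hosts.values()
                  if h.is_backup and h.name not in encrypted)


def isolation_findings(net: Network, prod_segment: str, prod_realm: str) -> dict:
    """Static inventory check: which online backup hosts share the production
    network segment or the production credential realm?"""
    findings = {}
    for h in net.hosts.values():
        if not h.is_backup or not h.online:
            continue
        reasons = []
        if h.segment == prod_segment:
            reasons.append("same segment as production")
        if h.cred_realm == prod_realm:
            reasons.append("same credential realm as production")
        if reasons:
            findings[h.name] = reasons
    return findings


def run_scenario():
    # Constructed hospital inventory: two production systems and three backup targets.
    hosts = {
        "emr-db":       Host("emr-db", "clinical", "hospital-ad"),
        "pacs-server":  Host("pacs-server", "clinical", "hospital-ad"),
        # Backup NAS on the clinical network, joined to the same domain: the bad case.
        "backup-nas":   Host("backup-nas", "clinical", "hospital-ad", is_backup=True),
        # Backup vault routed from the clinical segment but using separate credentials.
        "backup-vault": Host("backup-vault", "backup", "backup-local", is_backup=True),
        # Offline tape: unreachable regardless of credentials.
        "backup-tape":  Host("backup-tape", "offsite", "hospital-ad",
                             is_backup=True, online=False),
    }
    net = Network(hosts=hosts, links={("clinical", "backup")})
    encrypted = simulate_encryption(net, "emr-db", "hospital-ad")
    return encrypted, surviving_backups(net, encrypted), \
        isolation_findings(net, "clinical", "hospital-ad")


if __name__ == "__main__":
    enc, survivors, findings = run_scenario()
    print("encrypted:", sorted(enc))
    print("surviving backups:", survivors)
    print("inventory findings:", findings)
```

In the constructed scenario the domain-joined NAS on the clinical network is encrypted along with the EMR and PACS servers, while the vault with separate credentials and the offline tape survive; the inventory check flags the NAS on both counts before any incident occurs. The two conditions in the model (network reachability and shared credentials) are exactly the ones that separate-network, separate-credential or offline backup designs break.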
The rapid digital transformation of medical institutions is also cited as a risk factor.
Hospitals now run a complex environment in which diverse information systems, such as electronic medical records (EMR), picture archiving and communication systems (PACS), telemedicine platforms, and cloud services, are interconnected, and the report identified structural characteristics of this environment that widen the attack surface. The growing use of medical data itself is seen as a factor that makes hospitals more attractive targets for cyberattacks.
The system for responding to hacking incidents also proved inadequate.
Only 57% of responding institutions operated a 24-hour hacking monitoring system. A tendency to hesitate to report incidents to relevant authorities was also identified.
Hospitals most frequently cited legal liability (43.4%) and concerns about reputational damage (40.2%) as reasons for avoiding reports (multiple responses). It appears that a considerable number of cases go unreported because of concerns about liability for patient information leaks and potential economic losses such as a decline in patient numbers.
There is also criticism that the current system has limits. While general information security legal frameworks such as the Personal Information Protection Act cover the entire incident response process, the Medical Service Act framework is designed to focus on prevention and detection, making post-incident response, recovery, and post-evaluation systems relatively insufficient.
Medical institutions agreed that government financial support is the most urgent need to solve security problems.
They said securing budgets and personnel that can be immediately deployed on-site should take priority over technical consulting or training. Opinions were also offered that to increase the rate of hacking reports, legal protection and simplified reporting procedures are needed.
Experts emphasized that cybersecurity at medical institutions is no longer an internal information technology issue for hospitals, but a matter of the stability of the national health care system directly linked to people's lives.
The research team suggested that, in the short term, it is necessary to expand security control services and build a ransomware response system, and in the mid to long term, it is urgent to establish a national response system, including the introduction of security certification systems for medical devices and supply chains and the construction of an automated incident reporting platform.