US health systems are under cyberattack
An attack on a healthcare system's cybersecurity is an attack on its patients. 2023 has seen a record number of attacks on US hospitals, and high-impact ransomware attacks that shut down hospital computer systems and lock clinicians out of patient information are becoming more common.
Ransomware attacks increasingly take the form of "double extortion": the attackers steal sensitive data before encrypting it, demand one ransom for the decryption key, and then threaten to publish the exfiltrated data unless a second ransom is paid.
Ransomware groups active against healthcare include Rhysida, Clop, NoEscape, BlackCat, LockBit 3.0, Medusa, SiegedSec, and Hunters International. Vulnerabilities exploited in 2023 include the MOVEit Transfer file-transfer flaw (CVE-2023-34362) and Citrix Bleed (CVE-2023-4966) in Citrix NetScaler ADC and Gateway.
Healthcare breaches have affected an estimated 100 million individuals over the years, and 2023 has proved the worst year yet for breached health records. From January through November 2023, 115,705,433 healthcare records were exposed or compromised, more than the combined total for 2021 and 2022.
Large data-theft attacks by foreign criminal organizations, unlawful access to medical research, and theft of patient data and protected health information (PHI) by hostile nation-states are all on the rise, and the American Hospital Association has characterized cyber risk in healthcare as a threat to life. With US hospitals reported to have paid $100 million to Russian hackers, cyberattacks that threaten public health and safety are now treated as terrorist attacks.
If you operate in healthcare, you need to watch this space and take every step to prepare for what lies ahead in 2024. This post outlines the likely developments.
US government to tighten cybersecurity regulations
Building on the Biden administration's National Cybersecurity Strategy, the US Department of Health and Human Services (HHS) has announced steps to improve cyber resiliency and protect patient safety, citing:
- a 93% increase in large breaches from 2018 to 2022;
- a 278% increase in large breaches involving ransomware; and
- cyber incidents affecting hospitals and health systems that have led to:
  - extended care disruptions,
  - patient diversions to other facilities, and
  - delayed medical procedures.
Hospitals hit by ransomware have diverted emergency services, rescheduled non-urgent elective procedures, and, in some cases, paid the ransom because they had no backups or could not access the ones they had.
Cyberattacks are no longer economic, white-collar, or victimless crimes; they take lives.
All these developments have put patients at risk, and there will be important changes in 2024:
- The Centers for Medicare and Medicaid Services will propose new cybersecurity requirements for hospitals.
- The HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the spring of 2024 to include new cybersecurity requirements.
- HHS will work with Congress to increase civil monetary penalties for HIPAA violations.
- HHS will step up resources to investigate potential HIPAA violations and conduct proactive audits.
- A one-stop shop for cybersecurity support to the healthcare sector will be matured under the Administration for Strategic Preparedness and Response (ASPR) to deepen the government's partnership with the industry.
Healthcare organizations, including hospitals, should act now to keep pace with these regulatory changes. Engage a trusted technology partner who can guide you on taking part in the discussions that aim for greater enforcement and accountability, as these rules will ultimately apply to you.
Cybersecurity performance goals: In the new year, you will be expected to commit to high-impact cybersecurity practices specific to the healthcare and public health sector.
- Essential (minimum) goals: These will be mandatory and establish the minimum foundational practices for cybersecurity performance.
- Enhanced goals: These are advanced practices that strengthen cybersecurity and may remain voluntary commitments to address complex risks proactively.
Since HHS intends to enforce the goals through fines, it makes sense to plan your digital transformation investments around robust cybersecurity practices from the start. There is a silver lining: the US government is also setting up an upfront investment program to help high-need providers, such as low-resourced hospitals, cover the costs of implementing the "essential" performance goals.
An incentives program is also envisaged to encourage all hospitals to invest in the advanced practices needed to meet the "enhanced" performance goals.
Even a weak password can compromise cybersecurity in healthcare
Before you embark on cybersecurity enhancements, understand how your organization and the sensitive patient data it holds can become exposed. A thorough risk analysis, carried out with expert cybersecurity professionals, is the starting point for understanding your healthcare data security posture and planning the steps to safeguard patient information.
Common vulnerable points include:
- Legacy systems: Outdated software and operating systems, especially in medical devices and equipment, that no longer receive security updates and give attackers an easy way in.
- Inadequate patch management: Failure to apply security patches and updates to software and systems. Most breaches exploit known vulnerabilities for which a fix was already available.
- Insufficient access controls: Poorly configured access controls and weak user authentication let users and intruders reach data beyond what their role requires.
- Weak passwords: Easy-to-guess passwords, unchanged default credentials, and the absence of multi-factor authentication make accounts easy to take over.
- Phishing attacks: Employees fall for social engineering, open phishing emails, and give up their login credentials, letting attackers and malware into the network.
Beyond these, healthcare organizations are breached through unsecured endpoints: workstations, medical devices, and other equipment. Network security suffers when there is no segmentation and firewalls are poorly configured. The absence of a comprehensive incident response plan, and failure to encrypt sensitive patient data, turn an intrusion into prolonged disruption and data exposure. Skipping cybersecurity awareness training is a leading cause of unintentional insider incidents.
Hospitals have closed down, and others have paid ransoms in cryptocurrency
Hospitals store vast amounts of personal health information, which makes them prime targets for cyberattacks. A data breach can lead to unauthorized access to, theft of, or manipulation of patient records, compromising patient privacy. But far more than PHI is at stake.
When a hospital suffers a data security breach, it faces risks that extend well beyond the technical realm. Here is what a hospital has to contend with:
Digital risk: Hospitals rely increasingly on digital technologies, and a cyberattack can compromise the confidentiality, integrity, and availability of all of their digital assets, above all the clinical systems that patient care depends on.
Enterprise risk: As the recent ransomware attacks across the US have shown, hospital operations can be hampered, impairing patient care. Weak cybersecurity anywhere in the healthcare ecosystem has a cascading effect on enterprise efficiency.
Financial risk: St. Margaret's Health in Illinois had to close because it could not submit insurance claims after a ransomware attack, and a hospital in Kansas paid a ransom in bitcoin to regain access to its servers. Lost revenue, incident response costs, and system remediation are further financial burdens after a cyberattack.
Legal risk: Hospitals that are attacked face costly lawsuits from patients and other stakeholders whose interests have been harmed.
Regulatory risk: Hospitals face investigations by regulators and hefty fines if it emerges that they did not take adequate steps to comply with HIPAA and other security requirements. The HHS Office for Civil Rights reached a $100,000 settlement with Doctors' Management Services, a Massachusetts-based medical management company, after a ransomware attack affected the PHI of 206,695 individuals.
Reputation risk: An attack on a healthcare provider, typically a hospital, does great damage to its reputation. Once patient trust is eroded and medical information has leaked, the lost standing is hard to regain.
Strategic risk: After a cyberattack, a hospital may be unable to follow through on its long-term plans, affecting growth, partnerships, and strategic initiatives.
Government-private sector collaboration for robust cybersecurity
If we are to keep threat actors at bay in 2024, government agencies and healthcare organizations must share threat intelligence and step up their collaboration.
Vendor security standards, innovation in cybersecurity technology, and education and training programs that build a skilled cybersecurity workforce will also help to create a secure and resilient healthcare ecosystem.