Ransomware attackers are increasingly targeting the healthcare industry, sometimes with devastating consequences and very personal threats. Recently, a ransomware attack disrupted medical blood supplies in southeastern states. In February, ransomware hit Change Healthcare, causing a national crisis for patients. In January, ransomware attackers threatened to send SWAT teams to the homes of cancer patients.
Hardening the healthcare sector against cyberattacks requires a systems-wide approach as well as additional resources for struggling organizations, and efforts are underway.
Attacking hospitals has long been taboo during wartime, but in cyberspace, attackers treat medical facilities as just another target, said Brian Mazanec, deputy director for the Office of Strategic Preparedness and Response at the Department of Health and Human Services.
“Attacks (against healthcare) are increasing in frequency, sophistication, severity and target diversity,” Mazanec said.
Victims range from hospitals to third parties who support the sector, and while not all victims report the incidents, Mazanec said that based on available information, healthcare is in the top three most targeted of 16 critical infrastructure sectors.
Until recently, ransomware attacks on healthcare providers appeared to be the result of indiscriminate mass phishing attacks where attackers were targeting any organization they could, said Health-ISAC CISO Errol Weiss, but the recent attacks on OneBlood, Synnovis and Octapharma show that hackers are specifically targeting large healthcare providers to cause widespread disruption and increase pressure to pay.
Small organizations like medical centers have little financial resources, but cyberattacks are easy to carry out, so perpetrators likely think even a small settlement is worth it, said Dr. Julia Skapik, chief medical information officer for the National Association of Community Health Centers and a physician at Neighborhood Medical Center in Alexandria, Virginia.
Healthcare providers are finding themselves in a situation where they have to pay the ransom, “because if we don't, people could die,” Mazanec said. Some organizations are especially at risk: complex and outdated health IT setups can be hard to maintain and update, and smaller, rural healthcare organizations often have little funding to devote to cybersecurity.
“The idea of having a chief information security officer is a great one, but in organizations that don't have a large number of staff, it's really hard to mobilize those resources,” Skapik said.
Some large medical centers have cybersecurity experts on hand, but they may still be new to the field, and the centers may not yet have around-the-clock cybersecurity support, Skapik said. Cybersecurity is typically an added responsibility to existing IT workloads, which can cause backlogs.
These multitalented professionals have little time to explore available resources, so ASPR raises awareness about free cybersecurity tools and technical assistance offered by the federal government, Mazanec said. His team also shares warnings about new ransomware tactics, techniques and procedures. And Weiss' Health-ISAC shares warnings and advisories with its members around the world.
Collaboration is helpful, but it has limitations. Skapik said many medical centers get some technical assistance from the networks that manage them, but those networks often support dozens of medical centers, each of which may run different versions of software. Vendors often charge high fees for software updates and prioritize larger clients over smaller medical centers, she said. Weiss said a grant-funded virtual CISO program could help launch a cybersecurity program that in-house IT teams could then maintain; under the initiative, one cyber expert would help up to 12 providers annually. Skapik said medical centers would also benefit from assistance applying for cyber insurance, a process that requires establishing a minimum cyber posture that can be costly for smaller organizations.
Across sectors
To bring about real change, experts are calling for a systematic approach.
The larger effort from the Department of Health and Human Services (HHS) aims to first provide cybersecurity advice to the industry, then provide resources to help follow that advice, and finally provide requirements.
In January, HHS released healthcare-specific cybersecurity performance goals to better prevent, respond to and recover from attacks, Mazanec said. They are voluntary and include 10 measures and 10 strengthening targets for organizations that can implement more measures.
Weiss said the targets are a valuable resource, but making them mandatory is difficult when some organizations lack the funds to adopt them. The federal government appears to recognize that. The president's FY25 budget would allocate $1.3 billion to help hospitals with cybersecurity if Congress approves it. Meanwhile, ASPR is currently working on things like updating its Hospital Readiness and Response program to specifically help with cyber response, Mazanec said. HHS is also looking at how to eventually mandate levels of cybersecurity.
Other moves are in the works. ASPR is conducting an industry-wide risk assessment due in January to help identify needs and develop industry-specific plans, Mazanec said. The agency also plans to identify organizations, like Change Healthcare, that could cause disruption across the industry if they go down, and reach out to them for cybersecurity resources.
The research and development program is also studying tools that, in theory, could help healthcare providers recover quickly after an attack, such as technology that could capture electronic medical records while systems are down.