October 16, 2024
Never Enough: Renewed Call for Action in the Wake of Cyberthreats

You can always do better. When it comes to safeguarding hospital systems and patient information, there is always one more threat to assess, one more person to train, one more “i” to dot and “t” to cross. In other words, the world in which we now find ourselves requires ongoing and preemptive action to thwart the inevitable and incessant assaults from cybercriminals around the world. Once the healthcare sector settled on electronic data transmission standards, via HIPAA, and hospitals began adopting electronic medical records (EMR), an entire underground industry arose to take advantage where it could.

It should come as no surprise that, in a world where digital technology has increasing sway and where humanity has become increasingly reliant on computers, compromises to digital systems have become commonplace. Criminal elements and international enemies are looking for weaknesses in healthcare systems they can exploit for profit or just good, old-fashioned chaos. This is going to require an ongoing effort to preempt and prevent bad actors from hacking into sensitive data and critical systems. Doing it once or twice isn’t going to cut it. Upgrading your system security last year isn’t enough. The current threat continuum requires a never-ending effort, an eternal vigilance.

The Current Threat Assessment

On October 7, the American Hospital Association (AHA) published an article on this year’s cybersecurity challenges within the healthcare space. It was eye-opening and gut-checking. It made clear that the big-splash attacks, such as the one affecting Change Healthcare several months ago, are not the only events heading hospitals’ way. According to John Riggi, national advisor for cybersecurity and risk at the AHA, there have been 386 cyberattacks launched against healthcare entities so far in 2024. This included data-theft crimes and ransomware attacks. According to the AHA report, these events “appear to be unfolding at the same elevated rate as in 2023, which was the worst year ever for breaches in healthcare.” However, Riggi notes that the scope and impact of this year’s breaches “have been much more profound.”

Significantly, ransomware attacks are not just data-theft or financial crimes; they are threat-to-life crimes, according to the AHA. This is because such attacks represent a real risk to every hospital function, including surgical and other life-saving functions. According to Riggi:

“They are designed to shut down vital systems and cause maximum delay and disruption to patient care. They not only threaten the safety of patients in the hospital, but their effects cascade throughout the entire community and every hospital, clinic and emergency department in the surrounding region—what I call the blast radius.”

Attacks on third-party entities, like Change Healthcare, may also be on the rise. There has been a demonstrable rise in the number of individuals affected by attacks on such entities. According to the AHA, there was a 287-percent increase in this metric from 2022 to 2023. 

The AHA also indicates an increase in state-sponsored attacks affecting healthcare and other U.S. industries. “In late August, for example, Iranian-based cyber actors leveraged unauthorized network access to U.S. organizations for espionage reasons, including to healthcare organizations, to facilitate and profit from ransomware attacks by Russian-affiliated ransomware gangs.”

What to Do?

According to Riggi, hospitals cannot tackle this complex problem on their own. He believes it will be up to the federal government and its foreign allies to “go on the offensive, making it a priority to disrupt cybercriminals before the attack.” The government can also aid hospitals by disseminating threat intelligence and providing a comprehensive response “that leans on law enforcement, legislative, military and intelligence capabilities.”

The Department of Health and Human Services (HHS) has created a set of “Cybersecurity Performance Goals” (CPGs) to enable hospitals to better prepare for, and limit the effects of, cyberattacks. According to the AHA, “These CPGs are designed to defend against the most common tactics used by cyber adversaries to attack healthcare and related third parties, such as exploitation of known technical vulnerabilities, phishing emails and stolen credentials.”

The AHA helped draft these CPGs and urges their adoption by third-party technology providers and business associates as well. The CPGs can be viewed at the HPH Cybersecurity Gateway (hhs.gov). The AHA also maintains other resources for facilities wishing to bolster their security posture in light of the current threat environment.

Again, security in the face of bad actors must be seen as an ongoing, everyday priority. It’s the new reality and will remain so for the foreseeable future.