Hannah Grabenstein Hannah Grabenstein
Leave your feedback
In February, the day after Vladmir Putin ordered his forces to invade Ukraine, a notorious Russian cybercrime group called Conti announced online that they would target “the critical infrastructures” of any nations attempting to thwart Russia’s military actions. A week later, the U.S. Department of Health and Human Services issued a warning stating that Conti has specifically attacked health care institutions in the past.
The threat from Conti came when the U.S. cybersecurity community was already on a defensive footing. In January, the Cybersecurity & Infrastructure Security Agency (CISA) had warned American industries to shore up defenses against possible cyberattacks. At the time, the language was general and a government spokesman said there were no specific, credible threats.
READ MORE: Cyberattacks take down Ukrainian government and bank websites
But just last week, the warnings suddenly grew more dire. In a statement, President Joe Biden said there is “evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
As the war in Ukraine continues, cyberattacks by Russian forces on critical infrastructure could cause serious upheaval. Given the scale of the threat, and a sharp uptick in recent years in cyber crime targeting medical institutions, experts say it’s time for the health care industry to beef up protection.
CISA Director Jen Easterly also released a statement, reiterating the president’s warning, and reinforcing “the urgent need for all organizations, large and small, to act now to protect themselves against malicious cyber activity.” Easterly also pointed to CISA’s “Shields Up” guidelines, which offer technical guidance for large organizations to increase online security.
U.S. hospitals, cognizant of past attacks on their industry and concerned about the growing threat, are working to prevent more attacks, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
The health care industry has trailed other fields in utilizing electronics and cloud-based services, Riggi added. While the financial sector, for example, has been using computers since the 1970s, it’s only within the past decade or so that hospitals have started to rely on electronic records. As a result, the field has had “a big learning curve” in trying to catch up on cybersecurity.
At the beginning of the year, the Healthcare Information and Management Systems Society released its 2021 HIMSS Healthcare Cybersecurity Survey. They spoke to 167 health care cybersecurity professionals and found 67 percent had experienced a “significant security incident” in the past year.
And Emisoft, an antivirus software company, found that at least 68 health care providers and more than 1,200 sites suffered ransomware attacks last year.
As in many other industries, the pandemic hastened the rollout of virtual and internet-connected devices in hospitals, and ratcheted up reliance on cloud-based services. The rapid technical evolution gave hackers substantially more opportunities to break into hospital networks.
Cybersecurity at hospitals has been concerning for years, said Jessica Kamerer, head of nursing at Robert Morris University.
“It was a big problem before COVID or wars, and I think it’s been exacerbated since,” Kamerer said.
Kamerer and Donna McDermott, who is an associate professor of clinical at the University of Miami School of Nursing and Health Studies, have been researching cybersecurity in health care for about three years. In their research, they focus on the ways nurses interact with cybersecurity and how they should improve their cyber hygiene.
“I feel like we scratched the surface and went ‘Oh my god.’ Like we realized what was really going on and the vulnerability of systems,” Kamerer said.
McDermott agrees. “We started with a literature review, just looking at the literature to see what’s out there and then kind of reviewed what the threats were. And it’s one of those things, the more you learn about it, the more – I don’t know if horrified is the right word. But you’re like, why aren’t we doing more?”
When people think about being hacked, they often worry about their credit card or bank accounts being compromised. But health data can be more valuable to hackers than financial data, said Darrell West, vice president and director of governance studies and senior fellow of center tech innovation at The Brookings Institution.
“If your medical records get hacked, you may have embarrassing information that is made public. There’s financial information, credit card information within health care records. So there’s actually a lot of vulnerability,” West said.
A cyberattack can take many forms, including stealing and releasing or selling personal information, but ransomware is particularly worrisome. That’s when a hacker locks down networks and demands the victim pay a ransom to bring systems back online. In a health care environment, systems shutting down can have dangerous consequences.
Even if hospitals are not the direct targets of cyberattacks, Riggi said, they could be collateral damage if Russian hacker groups retaliate more broadly for U.S. sanctions on industries like energy or finance.
In 2020 the University of Vermont Medical Center was collateral damage in an attack when an employee took a work device on vacation and opened a personal email from their homeowner’s association which had been hacked. That allowed malware to spread to the hospital’s network. The attack cost the hospital between $40 and $50 million to resolve.
“We see the Russians are bombing hospitals – they’re literally bombing hospitals in Ukraine. You think they care if an errant cyber weapon strays and hits a U.S. hospital?” Riggi said.
READ MORE: How ransomware attacks are roiling the cyber insurance industry
If a hospital is affected by a cyberattack, the consequences can be life-threatening. A 2019 study found that the death rate among heart attack patients increased in the months and years after a hospital experienced a data breach.
Cyberattacks can also force hospitals to divert ambulances to clinics that are farther away, if they don’t have functioning intake systems. Electronic patient charts could be made inaccessible, making it difficult for medical professionals to see patient histories and be aware of allergies. And cloud-based medical technologies can be taken offline in a hack, rendering them unusable.
In spring 2021, cancer patients across the U.S. were forced to postpone treatment after a cyberattack. Elekta, a Swedish company that provides software for machines required for radiation therapy, was hacked, taking cloud-based technology for 40 large health care systems offline, said Riggi.
Elekta spokesperson Raven Canzeri said she couldn’t discuss the details of the attack “for the safety and security of our customers and their patients.” However, she said that Elekta has taken steps to fortify its cyber defenses, including employing “the latest and most stringent cloud and security features, including multi-layer threat protection, automated security detection and response.” She added they’re continuing to work to strengthen and improve security.
Riggi said he’s asked frequently whether one type of hospital is more at risk than another – rural versus urban, large versus small, for example. He says all hospitals are at equal risk unless they protect themselves from attacks. Rural hospitals might be easier targets because they may have fewer resources devoted to information technology infrastructure. But urban hospitals often serve more people, with more data at risk.
The AHA– the American Hospital Association– has taken steps to help hospitals beef up their cyber defenses, Riggi said, and in the past three years in particular, he’s noticed the industry taking the issue seriously, something he attributes to the “battle scars” of the recent uptick in attacks.
Among the recommendations Riggi has made are restricting all internet traffic from Russia, Ukraine and other parts of Eastern Europe; eliminating access to personal email and social media on hospital devices and networks; and updating software with patches as soon as they’re available.
But humans are fallible, and no organization can protect themselves completely, West said.
“The weak link in every cyber defense is the human element. All of us are at risk of clicking on the wrong link.” And, he added, cyberattacks often take months — or longer — to detect. On average, it takes 236 days to detect an intrusion, he said.
“It’s the perfect stealth crime,” he said.
That’s why organizations should be prepared, Riggi said. Hospitals and hospital systems should strengthen their incident detection systems so they can know immediately if they’ve been hit. They should have multiple offline, secure copies of important electronic information. And their incident response plans should prepare for not days of being offline, but for at least four weeks.
And Kamerer and McDermott say nurses need continuing education courses on cybersecurity, since they comprise the bulk of hospital staff. Nurses could also be called upon to educate their patients about cybersecurity and their electronic health records, McDermott added.
“Especially our elderly patients, you know, someone calls them on the phone and says, ‘I need this information.’ They’re giving it out,” McDermott said. Fake billing problems in particular can trick patients into divulging information, Kamerer said.
The HIMSS survey showed that nearly 60 percent of respondents said their cybersecurity budget would increase in 2022 — though right now, six percent or less of respondents’ IT budgets are typically devoted to cybersecurity.
And in 2021, the report notes, only 78 percent said their organization had fully implemented antivirus or anti-malware systems, and only 43 percent said there was full implementation of intrusion detection and prevention systems. “A lack of IDPS implementation may mean a delayed response to active security incidents,” the report says.
The Washington Post reported that three cybersecurity companies — Cloudflare, CrowdStrike and Ping Identity — are offering their services to health care organizations and utilities for four months.
And it’s imperative that organizations and individuals are as prepared as possible, West said, because cyberattacks are coming.
“I wake up every day assuming at some point I’m going to get hacked. So it’s just a question of when,” he said.
“Or maybe it’s already happened and I just don’t know it.”
Left: Photo by Tetra Images/via Getty images
By Associated Press
By Associated Press
By Yuras Karmanau, Associated Press
By Eric Tucker, Associated Press
Hannah Grabenstein Hannah Grabenstein
Support Provided By: Learn more
Subscribe to Here’s the Deal, our politics newsletter for analysis you won’t find anywhere else.
Thank you. Please check your inbox to confirm.
Additional Support Provided By:
Nation Feb 22
© 1996 – 2022 NewsHour Productions LLC. All Rights Reserved.
Sections
About
Stay Connected
Subscribe to ‘Here’s the Deal,’ our politics newsletter
Thank you. Please check your inbox to confirm.
Learn more about Friends of the NewsHour.
Support for NewsHour Provided By