There is a long list of health-care entities recently hit by ransomware attackers, who are increasingly striking the sector, at times with massive impact or highly personal threats. A ransomware attack recently disrupted medical blood supply in the Southeastern states. In February, ransomware caused nationwide crises for patients when it struck Change Healthcare. In January, ransomware actors threatened to SWAT cancer patients.
Strengthening the health-care sector against cyber attacks will require more resources for struggling organizations along with taking a systemwide approach, and efforts to do that are underway.
Attacking hospitals has long been off limits in wartime, but in cyberspace, attackers treat health care like just another target, said Brian Mazanec, deputy director of the Office of Preparedness at the federal Department of Health and Human Services’ Administration for Strategic Preparedness and Response (ASPR).
“Attacks [against health care] have been increasing in frequency, in sophistication, in severity [and] in the diversity of targets,” Mazanec said.
Victims range from hospitals to third parties supporting the sector. Not all victims report incidents, but based on available information, health care is among the top three most targeted of the 16 critical infrastructure sectors, Mazanec said.
Until recently, ransomware attacks against health-care providers seemed largely the result of indiscriminate, mass phishing attacks in which perpetrators hit any organizations they could, said Health-ISAC CISO Errol Weiss. But recent attacks on OneBlood, Synnovis and Octapharma indicate hackers are specifically targeting major health-care suppliers to cause widespread disruptions that increase pressures to pay.
Small entities like health centers have little money, but perpetrators seem to find cyber attacks easy enough for even smaller payouts to be worthwhile, said Dr. Julia Skapik. Skapik is the chief medical information officer of the National Association of Community Health Centers and a practitioner at the Neighborhood Health Center in Alexandria, Va.
CHALLENGES
Health-care providers face steep pressures to pay ransoms, “because if they don’t, people can die,” Mazanec said. Some organizations are at particular risk: complex, legacy health-care IT setups can be hard to maintain or update, and small rural health-care organizations often have little money for cybersecurity.
“The idea of having a chief information security officer is very lovely, but in an organization that doesn’t have a huge number of staff, it’s really a challenge to be able to marshal those kinds of resources,” Skapik said.
Some larger health centers have cybersecurity professionals, but they may be newer to the field. And the centers may still lack around-the-clock cybersecurity support, Skapik said. Typically, cybersecurity is a responsibility added to existing IT workloads, which can cause backlogs.
Such multi-hatted professionals have little time to hunt for available resources, so ASPR is raising awareness about federally provided free cybersecurity tools and technical assistance, Mazanec said. His team also shares alerts about new ransomware tactics, techniques and procedures. And Weiss’ Health-ISAC shares alerts and advisories with its global membership.
Collaborations help but may have limits. Skapik said many health centers get some technical assistance from health center-controlled networks, but those often support dozens of health centers, all of which may have different versions of software. Vendors often charge hefty fees to update software, and they prioritize larger clients over small health centers, she said. Weiss said a grant-funded virtual CISO program could help launch cybersecurity programs that internal IT teams could then maintain. In this vision, one cyber professional would assist up to a dozen providers each year. Skapik said health centers would benefit from help applying for cyber insurance, a process that requires them to attain a minimum cyber posture, which can be costly for small entities.
SECTORWIDE
To make a real difference, experts call for a systemic approach.
A larger effort at the Department of Health and Human Services (HHS) proceeds in stages: first, providing cybersecurity advice to the sector; next, offering resources to help organizations follow that advice; and, finally, setting requirements.
In January, HHS released a set of health-care-specific cybersecurity performance goals for better preventing, responding to and recovering from attack, said Mazanec. These are voluntary and include 10 measures along with 10 enhanced goals for organizations capable of more.
Weiss said the goals are a valuable resource, but making them mandatory is challenging when some organizations lack funds to adopt them. The federal government seems aware; the president’s FY 25 budget would provide $1.3 billion for supporting hospital cybersecurity, if Congress approves. Meanwhile, ASPR is making moves now, like updating the Hospital Preparedness and Response program to specifically support cyber readiness, Mazanec said. HHS is also looking for ways to ultimately mandate a level of cybersecurity.
Other moves are in the works: ASPR is conducting a sectorwide risk assessment, due in January, that will identify needs and inform efforts to create a sector-specific plan, Mazanec said. The agency will also identify organizations that, like Change Healthcare, could cause sectorwide disruptions if they go down, and will reach out to them about cybersecurity resources.
R&D programs are also exploring possible tools that might help health-care providers bounce back faster after an attack, such as, theoretically, technologies to help them capture electronic health records while systems are down.