Healthcare’s cybersecurity stakes reach alarming levels
A cyberattack in early October on CommonSpirit, the second largest U.S. nonprofit hospital chain, disrupting its medical services nationwide, underscores the very real and growing risk our nation’s healthcare system faces from cybercrime.
The threats to U.S. healthcare organizations from cyberattacks were already on the rise before COVID-19. But they have grown dramatically as a result of the pandemic. Major contributors to rising risk were the rush to respond to the need for telemedicine services and the shift of many staff to remote workplaces.
“Hospitals had to stand up unplanned technology investments in a hurry in ways that could not conform to proper risk management or hardened security,” said Joshua Corman, vice president, cybersafety strategy, for the cybersecurity firm Claroty, based in New York, and founder of I Am the Cavalry, a grassroots organization focused on cybersecurity issues. “So out of a pandemic-induced necessity, we had an increased attack surface that was less well defended.”
The increased vulnerability of hospitals and health systems was an invitation to cybercriminals to turn their attention to healthcare.
“We have a larger volume and variety of attackers willing and able to deliberately target health delivery organizations, knowing full well their targets would pay money to get their services restored, resulting in record-high ransom activity on health delivery,” Corman said.
In the face of this reality, it’s no surprise that Corman and other cybersecurity experts share the same fundamental message for hospital and health system leaders: Take the threats seriously. The risks to your patients and your organization are simply too great to take a chance that your organization will somehow fly below the radar of cybercriminals.
The nature of the threat
Healthcare organizations were not insensitive to the increased cybersecurity risk resulting from the rapid deployment and expansion of network and internet technology.
“Most organizations understood that this rapid deployment and expansion of network and internet technology created additional cyber-risk,” said John Riggi, national adviser for cybersecurity and risk for the American Hospital Association, and a decorated veteran of the FBI with nearly 30 years of experience. “But in the midst of the pandemic, our nation’s hospitals and health systems had to focus on job one, which is taking care of patients and saving lives.”
Riggi pointed to two ways the greater reliance on network and internet-connected technology increased cyber-risk for providers: “First, the technology may contain technical vulnerabilities that cyberadversaries could exploit to penetrate our networks and steal sensitive data or to deliver highly disruptive ransomware attacks. Second, our increased operational dependency on that technology creates vulnerability and risk when the technology is no longer available, such as during a ransomware attack.”
As a result, he said, “Our cyberadversaries, both sophisticated foreign-based cybercriminal gangs and hostile nation-state intelligence and military services, saw the pandemic as an opportunity to increase attacks on us as we dealt with this global health emergency.”
In many cases, network defenders were unaware of vulnerabilities, he said.
“Sophisticated intelligence services from Russia and China, for example, were exploiting vulnerabilities in widely used VPNs [virtual private networks], before patches were widely available,” Riggi said. “These actors also were exploiting other complex vulnerabilities to target sensitive medical research on COVID, vaccine research and genomics, among other areas.”
When one also considers the increasing high-impact attacks by cybercriminals seeking to extort ransom payments by disrupting and delaying healthcare delivery, it is apparent that prioritizing investments in cybersecurity is prudent and necessary for hospitals and health systems, Riggi said. The costs to remediate and recover from a high-impact ransomware attack could be huge, amounting to more than $100 million in some instances.a
A big job, limited resources
Hospitals face this challenge at a time when resources to respond are scarce.
“Ideally, we would like to obtain a utopian state where we are completely safe from cyberattacks,” Riggi said. “But that state will never occur. No organization will ever be 100% immune from cyberattacks. And one of the big challenges healthcare faces in defending against cyberattacks is a severe shortage of cybersecurity professionals. We in healthcare, along with every critical infrastructure sector and the U.S. government, are competing for a very limited pool of trained cybersecurity professionals.”
This concern also was raised by Jesse Fasolo, director, technology infrastructure and cybersecurity, and information security officer for St. Joseph’s Health in Paterson, New Jersey.
“As new cybersecurity products and partners are made available each day, a gap is forming in the availability of cybersecurity professionals on the free market to recruit,” Fasolo said. “Also, retaining high-performing technology and information security talent is becoming more complex. This gap eventually impacts the management and administration of the products, partner solutions and security programs, resulting in a false sense of security.”
A new, graver reality
The urgency for action is not limited to the financial risk. Rather, the stakes have reached a new and distressing level, Corman said.
During the height of the pandemic, Corman served as full-time chief strategist on the COVID Task Force for the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which gave him the opportunity to study data on the alarming new consequences of cyberattacks.
“When I joined the CISA COVID task force, our assignment was to protect the vaccine, supply chains, diagnostics and therapeutics for Operation Warp Speed from disruption,” Corman said. “But we also studied the impact of hospital strain on excess deaths as measured by the CDC, and it became clear that during some protracted downtime for certain ransom attacks, we had the first statistical proof that a ransomware attack can distress a hospital sufficiently to contribute to loss of life. So the notion that no one’s ever died from a cyberattack was sufficiently settled.”b
Policymakers are taking notice
In his role at CISA, Corman was able to share his concerns with policymakers, and he found a receptive ear.
“I testified before the Senate Health Committee about the loss of life from cyberattacks,” he said. “The hearings seem to have engendered bipartisan support in both the House and the Senate to have some pretty bold policy action legislatively. There’s the PATCH Act for medical device hygiene that is being considered, for example, and some others coming shortly for hospital minimum [cyber] hygiene standards that may come with stimulus to help hospitals meet those minimums.”
Corman said he thinks it is likely the industry will see negligence standards and/or minimum hygiene standards defined in the next three to five years. And that leaves healthcare organizations with a choice.
“These standards may come about through legislative action currently underway, such as the PATCH Act,” he said. “And if hospitals and health systems embrace such actions and support them, they are likely to see stimulus and assistance and grace periods and safe-harbor clauses. Or it may come about as a result of civil suits, and potentially class-action suits, for victims of delayed care caused by a cyberattack’s disruptions, resulting in case law by a jury without stimulus money and without safe harbor.”
This situation underscores the need for providers to support legislative initiatives like the PATCH Act, and to not be swayed by the voices suggesting such a measure would be too much trouble or too expensive, Corman said.
However, as cybersecurity requirements and mandates evolve, it is imperative for hospitals to understand and be prepared for the effects of a ransom attack on medical technology used for critical patient care, he said.
“We know that before these technologies, doctors and nurses could handle X number of patients, and now, with the technologies, they can handle Y number of patients. And the difference between X and Y should be accounted for when your technology fails you,” said Corman. “One could argue that in cases where cyberattacks have been shown to have resulted in deaths, the hospitals should have reduced the total number of admitted patients while the systems were down. And not to have done so increased their liability.”
Corman also urged people to become familiar with what CISA calls bad practices.
CISA’s 3 bad practices for cybersecurity
The federal Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the following as bad practices, noting that such practices are “dangerous and significantly elevate risk to national security, national economic security and national public health and safety.” CISA also notes that each of these practices “is especially egregious in technologies accessible from the Internet” (cisa.gov/BadPractices):
- Use of unsupported (or end-of-life) software in service of critical infrastructure and national critical functions (NCF)
- Use of known/fixed/default passwords and credentials in service of critical infrastructure and NCF
- Use of single-factor authentication for remote or administrative access to systems supporting the operation of critical infrastructure and NCF
“It’s not enough to look at best practices,” he said. “At CISA, we thought it was important to identify the most dangerous practices in critical infrastructure, which are all too common. It’s time to start hard conversations about addressing them, because too many organizations are not taking them seriously. But insurers, credit rating agencies and regulators recognize the dangers and will hold organizations accountable for them — as will lawyers, in the courts.”
Lessons from best actors
To be proactive about cybersecurity, organizations must work to identify the cyberthreats that pose the most immediate and severe risk, Riggi said.
“And the focus should be first on those cyberthreats that pose a direct risk to patient care delivery and patient safety, second on the privacy and security of patient data and third on other business operations,” he said.
For those organizations that have the best cybersecurity posture, their success can be attributed to recognition by their leadership and boards of the strategic nature and potential impact of the cyberthreats they face, Riggi said.
“It must be a leadership priority and imperative to bolster cybersecurity by developing a strategy to imbue the organization with a culture of cybersecurity,” he said. “Here’s why: The majority of these attacks start not with a technological attack, but with what I call a psychological attack on the end user. The bad guys usually initiate the attack by sending a phishing email to unsuspecting staff members in an attempt to deceive them into clicking on a malicious link or attachment.”
Riggi points to three essentials for meeting this challenge:
- Leadership recognition of the issue and support for a strong approach to ensuring cyber hygiene
- An organizational culture where everyone understands that good cyber hygiene is as important as
- A commitment to understand and objectively evaluate the organization’s current cybersecurity posture and to allocate sufficient resources to enhance the posture as needed
“Organizations should understand how safe or unsafe they are based upon recognized cybersecurity standards,” Riggi said.c “They should objectively evaluate their cyber-risk profile based on their network connections, the nature of the data they hold and the types of patients they treat.”
But it doesn’t stop there, Riggi emphasized. There are certain things all provider organizations must do if they have any hope of obtaining insurance to cover the cost of a cyberattack, he said, noting that insurers are becoming in effect the de facto regulators of healthcare cybersecurity.
“The first thing organizations need is multifactor authentication at every level, for all remote network access, remote access to email and any type of remote technology access,” he said. “Quite frankly, the message we are hearing from the cyberinsurance industry is, if you don’t have strong multifactor authentication in place, you’re not insurable.
“We also strongly recommend network segmentation — basically creating digital compartments, so should there be a breach in one area of the network, you can seal it off and contain it.”
Other requirements include intrusion detection systems, vulnerability management programs and third-party risk management programs.
Riggi acknowledges there is a financial cost for all these measures.
“But the calculus will always show that it is worth the investment,” he said.
Engaged finance leaders needed
All three industry experts stressed the need for finance leaders to be engaged in cybersecurity efforts.
“Finance leaders need to look at the reputational loss that would occur given a cybersecurity incident and the actual cost of an incident,” Fasolo said. “They need to support greater investment in training and education, more resources in cybersecurity and risk, and upgrades to all legacy technology and vulnerable devices. While this may initially seem like a significant expense, it will pay off in the long run when the customers maintain trust with the health system holding their data.”
The problem is that, in the healthcare setting, finance leaders are often not looped into what cybersecurity risks are present and what an incident would mean to the organization until it is too late, Fasolo said.
“While budgets are made available for various tools to protect and prevent, there needs to be more training and awareness of the downsides of not having adequate measures in place, not maintaining legacy systems or decreasing cybersecurity training due to bust operations,” he said.
No time for delayed action
Cybersecurity experts agree that the threat of continuing cyberattacks on our nation’s healthcare system is real, and it demands awareness and action.
Riggi’s message for hospital finance leaders: “Be actively engaged with your cybersecurity team. I would also suggest organizations develop cybersecurity steering committees with participation from leaders from every function in the organization. I would sum it up with the motto, ‘When it comes to cyberthreats, be acutely aware so you can prepare.’”
Corman had the following message: “I have incredible sympathy and empathy for hospitals that went through the pandemic and just took a financial beating from it. They were strained and stressed before the pandemic, and they’ve been bludgeoned during the pandemic. But unfortunately, they simply can’t choose to skimp on cybersecurity. It’s too dangerous.
“And the time to act is now while there’s the political will to help.”
a. Staff writers, “Tenet Healthcare cyberattack cost $100 million,” Security, Aug. 1, 2022.
b. CISA Insights, “Provide medical care is in critical condition: Analysis and stakeholder decision support to minimize further harm,” September 2021; and French, G., et al, “Impact of hospital strain on excess deaths during the COVID-19 pandemic — United States, July 2020–July 2021,” CDC Morbidity and Mortality Weekly Report, Nov. 19, 2021.
c. Suggested resources include the U.S. Department of Commerce’s NIST cybersecurity framework (nist.gov/cybersecurity) and HHS’s Health Industry Cybersecurity Practices (405d.hhs.gov/resources).
Cybersecurity is not just an IT issue
Today, healthcare faces many challenges in protecting patient information and meeting regulatory compliance expectations. While organizations have invested over the past decade in technology, many haven’t invested to fully implement and integrate security technology throughout their system and technology environment.
For many finance leaders, there’s a need to change the way they see cybersecurity, said Michael Ebert, a partner with McLean, Va.-based Guidehouse’s Technology Advisory Cybersecurity practice.
“Cybersecurity is too often viewed as an IT problem and placed inappropriately in that domain, instead of a compliance and patient engagement and safety domain,” Ebert said. “Cyber must be approached as a continuous journey needing consistent support, people and IT investment.”
When IT personnel see it as a technology issue, there tends to be a heavy investment in tools with very limited focus on implementing those tools to fully gain the benefits from the investment.
“As a result, we find years later that technology licensing is being paid for with very low penetration into the environment, if any at all,” Ebert said.
Because of HIPAA’s security and privacy rules, cybersecurity is often equated with privacy and the need to manage and protect patient data, Ebert suggested. But he concurs with other cybersecurity experts that focus on protecting patients from harm also is imperative.
“Patient safety is improved by managing access to care systems — including medical devices — appropriately and securely to ensure clinicians have essential and timely access to systems and information to improve patient care and outcomes,” he said.
“With cyberfatigue hitting many boards and executives in healthcare, questions about the value of these programs are returning,” Ebert said. “But the days of believing you can prevent a breach are over.”
Instead, organizations need to focus on identifying threats and containing them using what Ebert refers to as the cybersecurity “big five:”
- Asset intelligence
- Security architecture and network segmentation
- Privilege access management
- Identity access management
- Vulnerability and patch management
“The industry has gotten away from these basics with fancy new tools and technology at the peril of truly reducing our risk and exposure for organizations.” Ebert said.
Healthcare leaders give voice to importance of a commitment to cybersecurity
Many hospital and health system leaders recognize the need to make cybersecurity a centerpiece of their organizations’ strategies, and industry thought leaders strongly advocate for such an approach. Several leaders of healthcare organizations provide insight into cybersecurity challenges the industry is facing and what is needed to combat them. Their overriding message: Cybersecurity should be a top concern for every healthcare organization.
Anis Trabelsi, MAM, BSCJ, CIO, Palomar Health, San Diego
The biggest challenge I see in maintaining cybersecurity is finding qualified cybersecurity professionals to hire. Cybersecurity is a top priority across our C-suite leadership and board members, who are actively seeking to better understand the global threat landscape and to build a cybersecurity program with the teams needed to assist in managing these risks.
Here are key initiatives we are working on:
- Making sure that we view cybersecurity as a broad business concern and not an IT issue
- Building cybersecurity and data privacy into agendas across the C-suite and board discussions
- Increasing investment to improve our security posture and defenses
- Providing cybersecurity awareness training for all staff
- Ensuring there’s a cyber plan in place for new business initiatives or transformations
- Performing regular risk assessments for technologies and data processing partners
- Implementing an advanced 24/7 security operations center to monitor security alerts and assist in response
Gerry Blass, president and CEO, ComplyAssistant, Colts Neck, New Jersey
At a high level, hospitals and health systems continue to be challenged to budget enough dollars and people resources for the controls needed to reduce cybersecurity risks — whether it’s for information privacy and security or patient safety. But with the potential consequences of a cyberattack and the growing frequency of such attacks in healthcare, making such an investment is necessary. All this means that it’s critical for these organizations’ finance leaders to be part of regular IT meetings , as well as steering committee meetings that are focused on cybersecurity. Finance leaders need to be aware of risks and the potential costs (in terms of dollars and patient harm) of an incident such as a ransomware attack.
Steven Goriah, DHA, FACHE, CHCIO, CIO, HFMA in Downers Grove, Illinois, and principal, Ingenuity Group, New York City
Cybersecurity should be at the highest level of concern for a hospital or health system as a breach can bring the entire operation to a halt. The risk is ever-present, as evidenced by an “IT security incident” reported just recently affecting Chicago-based CommonSpirit Health.
That’s why security must be part of the culture of an organization where all employees at every level of the organization are engaged in cybersecurity initiatives.
A robust security program must address a broad range of challenges, including ransomware attacks, third-party exposure, poor cyber hygiene, cloud security, biomedical device exposure, and mobile device and IoT [Internet of Things] vulnerabilities while dealing with budget constraints and low executive engagement. A prescriptive framework, such as the HITRUST or NIST CSF [National Institute of Standards and Technology cybersecurity framework] , can help an organization address these challenges.
Francois Bodhuin, associate vice president and CISO, Inspira Health, Bridgeton, New Jersey
We have many challenges related to information security in the healthcare space. There are four specific challenges that keep me awake at night, and I think most executives charged with cybersecurity would agree:
There is a lack of qualified resources. This is a huge problem right now, particularly pertaining to the staffing crisis. Many workers come in with little to no experience, which makes information security taxing.
Healthcare has become a much bigger target for security risk. Not surprisingly, our industry is one of the most vulnerable when it comes to threat of cyberattacks, with research showing that healthcare had the highest average data breach cost of any industry for the 12th year in a row, at $10.10 million.
The human factor is the weakest point in the security chain. We can do all the training in the world, but it just takes one wrong move from a user to hurt the organization.
Cyber insurance requirements have increased. Regardless of the premium or qualification, if you don’t have safeguards in place, your organization might not qualify.