The heightened risk environment includes the possibility of being targeted directly or being impacted by malware that spreads from other sectors.
U.S. hospitals should be on alert as global events potentially increase the risk of cyberattacks, according to recent advisories.
Russia’s ongoing invasion of Ukraine has led to economic sanctions and other retaliatory steps by the United States, Europe and others. It’s possible that Russia, in turn, would retaliate by launching cyberattacks against the West.
Hospitals could be among the targets, given their vital societal role.
The federal Cybersecurity & Infrastructure Security Agency (CISA) has issued a “Shields Up” bulletin to all U.S. businesses, stating, “Every organization — large and small — must be prepared to respond to disruptive cyber activity.”
The bulletin provides guidance on how an organization can:
- Reduce the likelihood of a damaging cyber intrusion
- Take steps to quickly detect a potential intrusion
- Ensure the organization is prepared to respond if an intrusion occurs
- Maximize the organization’s resilience to a destructive cyber incident
The bulletin also includes tips specific to leaders and CEOs, including the need to:
- Empower chief information security officers
- Lower reporting thresholds
- Participate in a test of response plans
- Focus on continuity
- Plan for the worst
CISA also has issued guidance on specifically understanding and mitigating Russian state-sponsored threats to U.S. critical infrastructure.
AHA says hospitals face several levels of risk
The American Hospital Association (AHA) issued an advisory, noting that in addition to possibly being directly targeted by Russian state-sponsored actors, hospitals and health systems could be affected if malware or destructive ransomware is initiated overseas or in another sector and then “inadvertently penetrates U.S. healthcare entities.”
The latter scenario played out in 2017, when Russia launched the destructive NotPetya malware against Ukraine. “The malware subsequently spread globally, disrupting operations at a major U.S. pharmaceutical company, a major U.S. healthcare communications company and U.S. hospitals,” the AHA stated.
A cyberattack also could "disrupt hospitals’ mission-critical service providers,” such as utility companies, the AHA stated.
The AHA recommended that hospitals immediately take several steps, including ensuring their IT and cyber infrastructure teams have access to the latest news and guidance. Specific best practices include:
- Monitoring for unusual network traffic or activity, especially around active directories, and ensuring staff are aware of the increased risk of receiving malware-laden phishing emails
- Implementing geo-fencing for all inbound and outbound traffic originating from, and related to, Ukraine and its surrounding region, although such a step may not lower indirect risk from malware targeting other regions or sectors (March 1 update: CISA in January issued a bulletin from Microsoft about destructive malware targeting Ukrainian organizations and on Feb. 26 issued an advisory about two instances of malware that have been deployed against organizations in Ukraine and can "destroy computer systems and render them inoperable")
- Identifying all internal and third-party mission-critical clinical and operational services and technology, and preparing four-to-six-week business continuity plans and well-practiced downtime procedures in the event those services or technologies are disrupted
- Checking the redundancy, resiliency and security of network and data backups and ensuring that copies exist offline, on the premises and in the cloud — with at least one immutable copy — and are network-segmented
- Documenting, updating and practicing a cross-functional, leadership-level cyber incident response that includes emergency communications plans and systems