The alarm is sounding over cyberattacks. In late February, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare warning that the Russian government could launch cyberattacks against the US economy – including the health care sector. One month later, President Joe Biden publicly warned that Russian cyberattacks are “coming.” Given these warnings, how worried should hospitals be?
The threat explained: Russia is no stranger to deploying cyberattacks. In the days leading up to Russia’s invasion of Ukraine on February 24, 2022, a series of Russian cyberattacks temporarily shut down websites for some Ukrainian banks and deleted data at multiple Ukrainian government agencies. Since then, US government officials have expressed concern that Russia is preparing to launch cyberattacks against the US in retaliation for the heavy sanctions levied against the Kremlin in response to the invasion. However, the federal government has yet to offer evidence of a specific anticipated cyberattack.
Cyberattacks aren’t new to the health care industry. In 2017, Russian-backed hackers released destructive malware called “NotPetya.” Initially aimed at Ukrainian interests and spread through a compromised update to Ukrainian accounting software, it was disguised as ransomware but left no way to recover the data it encrypted, and it went on to infect US-based health care stakeholders such as Merck Pharmaceuticals and Heritage Valley Health System. During the COVID-19 pandemic, the number of cyberattacks against US hospitals surged; an estimated 50 million people in the US had their sensitive health data breached in 2021. According to a survey of information technology professionals, more than a third of health care organizations reported being hit by ransomware in 2020, an attack in which hackers encrypt a victim’s data and demand payment to restore access.
Unfortunately, the health care sector is an attractive target for cyberattackers. Hospitals hit by ransomware are often pressured to pay because they otherwise cannot operate. And while some hospitals have invested in security-monitoring capabilities and new software over the past few years, most health care organizations have meager cybersecurity budgets and remain vulnerable to attacks. Compounding these vulnerabilities is the COVID-19 pandemic, which has overwhelmed hospitals with patients and strained their budgets, leaving fewer resources available for cybersecurity.
Congress and the Biden administration have proposed some steps to shore up the nation’s cybersecurity. The Build Back Better Act (BBBA) included more than $500 million in cybersecurity funding, and President Biden’s Fiscal Year (FY) 2023 budget request calls for $11 billion in new cybersecurity spending. Most recently, Sens. Jacky Rosen (D-NV) and Bill Cassidy (R-LA) introduced a bill to improve the health care industry’s cyber-defenses by requiring CISA to partner with the Department of Health and Human Services (HHS). However, next steps for these proposals aren’t exactly promising – the BBBA is stalled in its current form, the president’s budget request is generally considered a wish list, and the cybersecurity bill has yet to add any cosponsors since its introduction on March 23.
Absent action from the federal government, there are steps hospitals can take to boost their defenses against cyberattacks, as outlined in an American Hospital Association (AHA) advisory on the CISA warning.
- Increase network monitoring for unusual activity.
- Flag all inbound and outbound traffic to and from Ukraine and the surrounding area.
- Implement four-to-six-week business continuity plans, with an emphasis on all internal and third-party mission-critical clinical and operational services and technology.
- Check networks for redundancy, resilience, and security, and create multiple data backups.
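The first two items in that list are detection tasks, and a small script shows what they look like in practice. The example below is an added illustration, not code from the AHA advisory, CISA, or the article. It assumes a flow-log format of `<timestamp> <src_ip> <dst_ip> <bytes_out> <bytes_in>`, an internal network of 10.0.0.0/8, and reads “Ukraine and the surrounding area” as the UA/RU/BY region codes; the prefix table and the log lines are constructed placeholders using RFC 5737 documentation ranges rather than real geolocation data.

```python
"""Flow-log triage for the two monitoring items in the AHA list.

Added illustration, not code from AHA or CISA. Assumptions (not from the
article): flows arrive as space-separated lines
"<timestamp> <src_ip> <dst_ip> <bytes_out> <bytes_in>", the internal
network is 10.0.0.0/8, and "Ukraine and the surrounding area" is read as
UA/RU/BY. The prefix table and log lines are CONSTRUCTED placeholders
(RFC 5737 test ranges), not real geolocation data.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# CONSTRUCTED: a real deployment would consult a GeoIP database (e.g. MaxMind
# GeoLite2) and refresh it regularly; these are documentation ranges only.
WATCHED_PREFIXES = {
    "UA": [ipaddress.ip_network("203.0.113.0/24")],
    "RU": [ipaddress.ip_network("198.51.100.0/24")],
    "BY": [ipaddress.ip_network("192.0.2.128/25")],
}

# CONSTRUCTED sample flows. 198.18.0.10 stands in for an ordinary, unwatched
# external host; 10.20.0.9 makes one very large outbound transfer.
SAMPLE_LOG = """\
2022-03-01T08:00:01Z 10.20.0.5 198.18.0.10 1200 5400
2022-03-01T08:00:07Z 10.20.0.5 198.18.0.10 1100 4900
2022-03-01T08:00:15Z 10.20.0.7 203.0.113.45 800 300
2022-03-01T08:01:02Z 10.20.0.5 198.18.0.10 1300 5100
2022-03-01T08:01:30Z 10.20.0.9 198.51.100.8 64000000 2000
2022-03-01T08:02:11Z 10.20.0.9 198.18.0.10 900 4000
2022-03-01T08:02:40Z 10.20.0.9 198.18.0.10 1000 4200
2022-03-01T08:03:05Z 192.0.2.200 10.20.0.7 500 700
"""


def country_of(ip: str):
    """Return the watched-region code for ip, or None if it is not watched."""
    addr = ipaddress.ip_address(ip)
    for code, nets in WATCHED_PREFIXES.items():
        if any(addr in net for net in nets):
            return code
    return None


def parse_flow(line: str) -> dict:
    ts, src, dst, out_b, in_b = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "bytes_out": int(out_b), "bytes_in": int(in_b)}


def flag_watched(flows):
    """Second list item: any flow with an endpoint in a watched region."""
    hits = []
    for f in flows:
        for side in ("src", "dst"):
            code = country_of(f[side])
            if code:
                hits.append((f["ts"], f"{side} {f[side]} is in watched region {code}"))
    return hits


def flag_volume(flows, factor: float = 5.0):
    """First list item: outbound volume far above the host's own baseline.

    The baseline here is the median bytes_out of the same window, which is
    enough for a demo; in production it should come from historical data so
    a host whose every flow is large does not set its own "normal".
    """
    by_host = defaultdict(list)
    for f in flows:
        if ipaddress.ip_address(f["src"]) in INTERNAL:
            by_host[f["src"]].append(f["bytes_out"])
    hits = []
    for f in flows:
        base = by_host.get(f["src"])
        if not base:
            continue
        median = statistics.median(base)
        if median > 0 and f["bytes_out"] > factor * median:
            hits.append((f["ts"], f"{f['src']} sent {f['bytes_out']} bytes, "
                                  f"{f['bytes_out'] / median:.0f}x its median"))
    return hits


def triage(lines, factor: float = 5.0):
    """Run both checks over raw log lines and return alerts sorted by time."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    return sorted(flag_watched(flows) + flag_volume(flows, factor))


if __name__ == "__main__":
    for ts, reason in triage(SAMPLE_LOG.splitlines()):
        print(ts, reason)
```

Run against the constructed log, the script raises four alerts: three flows touching a watched prefix and one 64 MB transfer from 10.20.0.9 that dwarfs that host’s other flows. Country flags are a triage aid, not a verdict, since attackers routinely route through infrastructure outside their home region, which is why the volume check matters as much as the geography check. On the fourth list item, backups only help against ransomware if at least one copy is offline or otherwise immutable and a restore has actually been tested, because modern intrusions delete or encrypt reachable backups before detonating.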
There is a chance that Russian hackers will leave the US health care system alone. While Russia has certainly become more belligerent in cyberspace over the last decade, cyberattacks against Ukraine have been more limited than intelligence and defense experts had anticipated. In fact, some experts say Russia’s cyber-forces may actually be overhyped and in a state of disarray – similar to Russia’s armed forces.
But hospitals can’t rely on hope to stay safe from hackers. If the experience of the last few years says anything, it’s that the health care system isn’t immune to cyberattacks, and that stakeholders would do best to prepare for the worst.