On April 20, soon after the United States levied economic sanctions against Russia in response to that country’s invasion of Ukraine, the U.S. Department of Homeland Security issued a security warning: Malicious actors, including the Russian government, are exploring possible cyberattacks against targets in the United States.
The statement cautions that the health care sector is high on the list of possible targets. Concerns include ransomware — the remote lockdown of a network until a fee is paid — as well as malware that permanently erases affected files such as patient records.
Teaching hospitals are prime targets for many reasons, including the sophisticated biomedical research they conduct and the life-and-death nature of their work, says John Riggi, a former senior executive at the FBI’s Cyber Division who now supports hospitals’ cybersecurity efforts as the American Hospital Association’s advisor for cybersecurity and risk. They also house high-value digital assets: personal health information, credit card numbers, and more.
“Health care has data that could be invaluable to adversaries seeking information about U.S. military and government leaders,” says Riggi, who spent nearly three decades at the FBI.
The health care sector also could suffer as collateral damage in a Russian cyberattack aimed at Ukraine. “Even though the war may seem far away, a computer virus can spread globally just like a biological virus,” warns Riggi. In fact, in 2017, a Russian cyberattack against Ukraine quickly shut down medical transcription and billing services used by thousands of U.S. providers.
Cyberattacks on medicine have been growing for years as electronic health records and other digital tools expanded systems’ vulnerability, experts note. “It used to be impossible for Russian criminals to steal a truckload of patient records, but with the internet, they became able to access what amounts to tens of truckloads,” says Riggi.
And then COVID-19 hit, straining staff, diverting resources, and increasing vulnerabilities through telework and remote care.
“Adversaries haven’t given us a humanitarian pause during the pandemic,” says Riggi. “Instead, they viewed it as an expanded opportunity.” Reported cybertheft of protected health information affected a record 43 million people in the United States in 2021, and from March 2022 to April, such attacks leapt by 100%, he adds.
What’s more, an attack can require diverting ambulances, postponing crucial care, and investing months of major work to restore downed systems.
That’s why a strong arsenal of digital defenses is crucial for protecting patients, providers, and communities, say cybersecurity experts. Below, Riggi outlines five key steps he believes every teaching hospital needs to take — and soon.
1. Set up some essential technologies.
No hospital should sidestep commonplace cyberdefenses such as firewalls or frequently updated antivirus software. But the less widespread tool of multifactor authentication — often a passcode delivered to a cellphone before staff can access a computer system — is inexpensive and quite effective in reducing malicious attacks.
Of course, it’s impossible to prevent all cyberattacks, Riggi notes, so installing an intrusion detection system (IDS) also is critical. These artificial intelligence programs map a system’s normal traffic, then automatically swoop in to halt anomalous conduct — and alert IT staff to a potential break-in.
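The "map normal traffic, then flag what deviates" idea is easy to see in miniature. The script below is an added illustration, not code from the article or from any IDS product: it learns a per-host profile (destination ports used, mean and standard deviation of bytes sent) from a constructed quiet-week log, then checks a later window against that profile and raises an alert for an unknown host, a never-before-seen destination port, and an outbound volume spike. The CSV layout, host names, addresses and byte counts are all constructed for the example.

```python
"""Baseline-then-detect anomaly check over constructed connection logs.

Added illustration, not code from the article or any vendor IDS. The log
format (timestamp,src_host,dst_ip,dst_port,bytes_out) and every host name,
address and byte count below are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "quiet week" traffic used to learn what normal looks like.
BASELINE_LOG = """\
2022-04-11T09:00:00,ws-01,203.0.113.10,443,1200
2022-04-11T09:05:00,ws-01,203.0.113.10,443,1500
2022-04-11T09:10:00,ws-01,203.0.113.11,443,900
2022-04-11T09:15:00,ws-01,203.0.113.10,443,1300
2022-04-11T09:20:00,ws-01,203.0.113.12,443,1100
2022-04-11T09:00:00,ws-02,203.0.113.10,443,500
2022-04-11T09:05:00,ws-02,203.0.113.10,443,700
2022-04-11T09:10:00,ws-02,198.51.100.53,53,600
"""

# Constructed later window with three things a baseline detector should flag.
CURRENT_LOG = """\
2022-04-18T02:00:00,ws-01,203.0.113.10,443,1400
2022-04-18T02:01:00,ws-02,198.51.100.53,53,650
2022-04-18T02:02:00,ws-01,192.0.2.77,4444,1000
2022-04-18T02:03:00,ws-01,192.0.2.77,443,250000
2022-04-18T02:04:00,ws-99,203.0.113.10,443,800
"""


def parse(log_text):
    """Turn CSV lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in log_text.strip().splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def build_baseline(records):
    """Per source host: destination ports seen and mean/stddev of bytes out."""
    ports = defaultdict(set)
    volumes = defaultdict(list)
    for r in records:
        ports[r["src"]].add(r["port"])
        volumes[r["src"]].append(r["bytes"])
    return {host: {"ports": ports[host],
                   "mean": mean(volumes[host]),
                   "std": pstdev(volumes[host])}
            for host in ports}


def detect(baseline, records, z_threshold=3.0):
    """Return (host, reason, timestamp) tuples for records outside the baseline."""
    alerts = []
    for r in records:
        profile = baseline.get(r["src"])
        if profile is None:
            alerts.append((r["src"], "host not seen during baseline", r["ts"]))
            continue
        if r["port"] not in profile["ports"]:
            alerts.append((r["src"], f"new destination port {r['port']}", r["ts"]))
        # z-score of this connection's outbound volume; a host whose baseline
        # had zero variance is compared against a fixed multiple instead.
        if profile["std"] > 0:
            spike = (r["bytes"] - profile["mean"]) / profile["std"] > z_threshold
        else:
            spike = r["bytes"] > 10 * profile["mean"]
        if spike:
            alerts.append((r["src"], "outbound volume spike", r["ts"]))
    return alerts


def run_example():
    """Learn from the baseline window, then score the current window."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(CURRENT_LOG))


if __name__ == "__main__":
    for host, reason, ts in run_example():
        print(f"{ts} {host}: {reason}")
```

A production IDS adds signature matching, protocol decoding and far richer features, but the structure is the same: a learned profile, a deviation score, and an alert that lands in front of a human. The z-score threshold and the "ten times the mean" fallback are tuning choices for this demo, not recommended values.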
2. Ignore patches at your peril.
In the digital world, software changes — “patches” — are constantly needed to repair security holes. And cybercriminals stand ready to pounce on software vulnerabilities that come from the lack of patching.
“A hospital may use multiple medical devices, each with 40 different companies’ software in it, as well as common software packages like Microsoft Office. All of these need patches,” says Riggi.
“From the time a company publishes a necessary patch, it takes criminals only about two weeks to develop related malware,” Riggi adds. So hospitals must act quickly when a patch is released, ensuring rapid coordination between IT staff and the biomedical engineering experts responsible for updating a vast range of devices.
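Tracking that two-week window across hundreds of devices owned by different teams is a bookkeeping problem, and a small script makes the point concrete. This is an added example, not from the article or any hospital's tooling: it takes a constructed asset inventory (asset names, software names, owning teams and dates are all hypothetical), flags anything still unpatched more than 14 days after the patch became public, and groups the backlog by the team that has to apply it.

```python
"""Patch-window tracking over a constructed device inventory.

Added example, not from the article. Asset names, software names, owning
teams and dates are hypothetical; the 14-day window is the article's
"about two weeks" figure.
"""
from datetime import date

# Constructed inventory: who owns the asset, when its vendor published the
# fix, and whether it has been applied yet.
INVENTORY = [
    {"asset": "infusion-pump-12", "software": "PumpOS 3.1", "owner": "biomed",
     "patch_released": date(2022, 4, 1), "patched": False},
    {"asset": "ws-0421", "software": "office suite", "owner": "it",
     "patch_released": date(2022, 4, 12), "patched": True},
    {"asset": "mri-2", "software": "ScanCtl 7", "owner": "biomed",
     "patch_released": date(2022, 3, 15), "patched": False},
    {"asset": "file-srv-1", "software": "NAS firmware", "owner": "it",
     "patch_released": date(2022, 4, 15), "patched": False},
]


def days_exposed(item, today):
    """Days the fix has been public while this asset stayed unpatched."""
    return (today - item["patch_released"]).days


def overdue(inventory, today, window_days=14):
    """Unpatched assets past the window, longest-exposed first."""
    late = [i for i in inventory
            if not i["patched"] and days_exposed(i, today) > window_days]
    return sorted(late, key=lambda i: days_exposed(i, today), reverse=True)


def work_queue(inventory, today, window_days=14):
    """Overdue asset names grouped by the team responsible for patching them."""
    queue = {}
    for item in overdue(inventory, today, window_days):
        queue.setdefault(item["owner"], []).append(item["asset"])
    return queue


if __name__ == "__main__":
    report_date = date(2022, 4, 20)  # constructed "today"
    for team, assets in work_queue(INVENTORY, report_date).items():
        print(f"{team}: {', '.join(assets)}")
```

Run against the constructed data with 20 April 2022 as "today", the queue contains only biomedical-engineering assets: the MRI controller at 36 days and the infusion pump at 19 days, while the file server (5 days) is inside the window and the workstation is already patched. Real inventories would be pulled from an asset-management system rather than hard-coded.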
3. Consider the human factor.
A hospital’s employees can be among its weakest links or its strongest defenses. That means staff need continual awareness training on how to identify suspicious activities like phishing emails and malicious links.
But that’s hardly enough, says Riggi.
One crucial concern is that personal email and social media accounts are not as well-protected as a hospital’s own network. “I know of at least two statewide, high-impact ransomware attacks on hospitals that started because of a phishing email in an employee’s personal email that was accessed on an organizational device,” he says.
He offers strong words of advice: “Institutions need to seriously consider prohibiting employees from accessing personal email and social media accounts from organizational devices. Places have started doing that.”
4. Figure out infection control.
If a malicious virus does manage to infect a system, all is not necessarily lost, says Riggi.
To ensure that locked or corrupted files can be replaced, back up systems — and do it right. Multiple copies of files are necessary, and at least some need to be housed offline. “And one copy should be immutable: the data is basically carved in digital stone so it can never be changed. That’s a relatively new development and a little more expensive, but it is a possible failsafe,” Riggi adds.
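Knowing which copy to restore from is half the battle once files have been locked or corrupted. The script below is an added example, not code from the article or from any backup product: it records a SHA-256 digest of every file at backup time, protects that manifest with an HMAC whose key is assumed to live with the offline copy, and then, after a simulated overwrite of two files on the online copy, verifies each copy against the manifest and picks the first intact one. File paths, contents, copy names and the key are all constructed for the example. True immutability is a property of the storage (write-once media or object lock); the HMAC here only ensures that the record of what the data should look like cannot be quietly edited alongside the data.

```python
"""Backup integrity check across several copies.

Added example, not from the article or any backup product. File paths,
contents, copy names and the HMAC key below are constructed; a real
deployment would hash files on disk and keep the key and manifest with
the offline or immutable copy.
"""
import hashlib
import hmac

# Constructed dataset as it looked when the backup was taken.
ORIGINAL = {
    "patients/p001.json": b'{"id": 1, "name": "A. Example"}',
    "patients/p002.json": b'{"id": 2, "name": "B. Example"}',
    "billing/2022-04.csv": b"claim,amount\n1,120.00\n",
}

# Constructed key; in practice stored away from the systems being backed up.
MANIFEST_KEY = b"constructed-demo-key-keep-offline"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files):
    """Map each path to the SHA-256 digest of its content at backup time."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def sign_manifest(manifest, key=MANIFEST_KEY):
    """HMAC over the serialised manifest, so altered files cannot be hidden by
    also rewriting the digests to match."""
    serialised = "\n".join(f"{p} {d}" for p, d in sorted(manifest.items())).encode()
    return hmac.new(key, serialised, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, tag, key=MANIFEST_KEY):
    """Constant-time comparison of the stored tag against a fresh HMAC."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_copy(manifest, copy):
    """Paths whose content is missing from the copy or no longer matches."""
    bad = []
    for path, digest in manifest.items():
        content = copy.get(path)
        if content is None or sha256_hex(content) != digest:
            bad.append(path)
    return bad


def choose_restore_source(manifest, copies):
    """Name of the first copy (in the given order) that matches completely."""
    for name, copy in copies.items():
        if not verify_copy(manifest, copy):
            return name
    return None


def run_example():
    manifest = make_manifest(ORIGINAL)
    tag = sign_manifest(manifest)
    # Simulate an encryption-style attack on the online copy: two files
    # overwritten with garbage. The offline copy was disconnected at the time.
    online = dict(ORIGINAL)
    online["patients/p001.json"] = b"\x00ENCRYPTED\x00"
    online["billing/2022-04.csv"] = b"\x00ENCRYPTED\x00"
    offline = dict(ORIGINAL)
    copies = {"online-nas": online, "offline-tape": offline}
    return {
        "manifest_authentic": manifest_is_authentic(manifest, tag),
        "online_damaged": verify_copy(manifest, online),
        "restore_from": choose_restore_source(manifest, copies),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The check is cheap enough to run on a schedule against every copy, which turns "we have backups" into "we know which backups are still good today", the difference that decides how long the four-week recovery the article describes actually takes.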
Another crucial move is segmentation: dividing a computer network into smaller sections. That way, security staff can quarantine the one infected portion rather than shut down the entire system.
5. Fail to plan, plan to fail.
Every hospital has an incident response plan to deal with such crises as active shooters, natural disasters, and a pandemic like COVID-19. A digital attack should be no different, says Riggi.
“After an attack, it can take at least four weeks to get back online, just for mission-critical functions,” he notes. “I have not yet encountered a single organization that is fully prepared to be offline for that long.”
What’s more, all departments need to be prepared for a cyberattack. “This is not just an IT matter,” he says.
The list of issues is long. To start: How will staff get paid? How will they schedule appointments? What about providing remote patient care and connecting with offsite employees? When malicious code is suspected, who can make a middle-of-the-night decision to shut the system down or disconnect an entire organization from the internet? And what’s the effect on operations and patient care when that high-impact decision is made?
A plan needs to include contacting federal officials — the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — for necessary post-attack support. And it needs to involve any local institutions that could be affected if a hospital gets hit.
“When one academic medical center went dark a couple of years ago, all the smaller hospitals throughout the state were brought to their knees because they depended so heavily on that hospital’s medical technology for lab, imaging, cancer treatment, and other services,” says Riggi. “That’s a very serious situation which delayed patient care and potentially risked patient safety.”