The U.S. healthcare system is at risk. It is a prime target for cyberattacks, and in the light of the Russian invasion of Ukraine, cybersecurity experts warn that U.S. hospitals and health systems may be directly targeted or become incidental victims of Russian-backed cyber saboteurs.
According to Statista 2022 data, the U.S. medical sector has had the second highest number of data breaches of any industry for more than five years. This became especially noticeable in 2019, when the industry experienced 525 data breaches, up from 369 the year before.
The COVID-19 pandemic only exacerbated this issue. And now with the Russia-Ukraine conflict moving inexorably closer to its fourth week, U.S. healthcare organizations are high-value targets that face growing risks from cybersecurity threats, potentially endangering patients’ lives.
On the first day of this month, the cybersecurity program at the U.S. Department of Health and Human Services issued an analysis warning health care information technology (IT) officials about two pieces of Russian malware that could wipe out hospital data vital to patient care.
AHA’s three cyberthreat concerns
The American Hospital Association (AHA) believes that there are three areas of concern for the U.S. healthcare sector:
- Hospitals and health systems may be targeted directly by Russian-sponsored cyber actors;
- Hospitals and health systems may become incidental victims of, or collateral damage to, Russian-deployed malware or destructive ransomware that inadvertently penetrates U.S. health care entities; and
- A cyberattack could disrupt hospitals’ mission-critical service providers.
The AHA’s concerns are “heightened by the Russian military’s previous behavior of utilizing cyber weapons in support of military actions against Ukraine; such behavior ultimately inflicted disruptive collateral damage to the U.S. health care system, resulting in the U.S. government’s 2020 indictment of six Russian military intelligence officers for the development and deployment of the destructive NotPetya malware three years prior. The malware was initially launched against Ukraine and subsequently spread globally, disrupting operations at a major U.S. pharmaceutical company, a major U.S. health care communications company and U.S. hospitals.”
The impact of ransomware attacks on healthcare
As part of the AHA’s efforts, John Riggi, the association’s national advisor for cybersecurity and risk, and a former senior executive in the Federal Bureau of Investigation’s (FBI) cyber division, remains in close coordination with the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) regarding related threats that may pose a risk to U.S. health care.
"We were issuing advisories to the nation's hospitals and health system, saying the geopolitical tensions would certainly increase the risk of cyberattacks, which would impact potentially U.S. healthcare. The problem is that once malicious programs are released into the wild, there's no telling where they will end up," observed Riggi.
Such attacks have the potential to cost lives, by cutting doctors and nurses off from needed patient data and causing hospitals under attack to delay scheduled procedures and divert critically ill people to other facilities, explained Riggi.
According to a September 2021 survey report sponsored by the healthcare cybersecurity company Censinet, “22% of healthcare providers report higher patient mortality following a ransomware attack.”
Furthermore, 71% of survey participants said ransomware attacks contributed to longer stays in hospitals, and 70% stated there were delays in diagnostic tests and clinical procedures because of ransomware attacks that caused poor patient care.
AHA recommendations – what healthcare organizations can do to mitigate risks
The AHA and CISA have previously issued a number of alerts and bulletins on risk mitigation, which healthcare organizations should review and adopt to better understand the ongoing threat and potential worst-case scenarios. Some of the previous recommendations include network monitoring to identify unusual activity or traffic, particularly around Active Directory.
In addition, the AHA advocates for heightened employee awareness around the potential to receive malware-laden phishing emails.
The AHA recommends that healthcare cybersecurity and information technology (IT) teams apply geo-fencing to inbound and outbound traffic originating from, and related to, Ukraine and its surrounding region, in an attempt to lessen the damage that can be caused by direct cyber threats. That said, the AHA warned that this would “have limited impact in reducing indirect risk, in which malware transits through other nations, proxies and third parties.”
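The following added example (not from the AHA or the original article) sketches how a geo-fence decision is made per flow and why it only covers direct traffic. The region table uses RFC 5737 documentation ranges as constructed stand-ins for a real geo-IP database, and the region names, internal range and flow records are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed geo-IP table (RFC 5737 documentation ranges, not real country data).
GEO_TABLE = {ipaddress.ip_network(cidr): region for cidr, region in {
    "192.0.2.0/24": "FENCED-A",     # stand-in for a fenced region
    "198.51.100.0/24": "FENCED-B",  # stand-in for a second fenced region
    "203.0.113.0/24": "OTHER",      # stand-in for a third country outside the fence
}.items()}
FENCED_REGIONS = {"FENCED-A", "FENCED-B"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed hospital address space

# Constructed flow records in the form "src dst dport".
SAMPLE_FLOWS = """\
192.0.2.15 10.1.4.20 443
10.1.4.33 198.51.100.7 8443
10.1.4.33 203.0.113.50 443
203.0.113.50 10.1.4.20 3389
10.1.4.8 10.2.0.5 445
not-an-ip 10.1.4.20 22
"""

def region_of(ip):
    """Map an address to a region label, or UNKNOWN if no range matches."""
    for net, region in GEO_TABLE.items():
        if ip in net:
            return region
    return "UNKNOWN"

def classify(line):
    """Return (verdict, region) for one flow, checking inbound and outbound peers."""
    try:
        src_s, dst_s, _port = line.split()
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
    except ValueError:
        return ("malformed", None)      # surface bad records rather than drop them
    external = [ip for ip in (src, dst) if ip not in INTERNAL_NET]
    if not external:
        return ("internal", None)       # east-west traffic is outside the fence's scope
    for ip in external:
        if region_of(ip) in FENCED_REGIONS:
            return ("block", region_of(ip))
    # Traffic via a third country is allowed by the fence: the indirect risk
    # the AHA quote describes, which monitoring has to cover instead.
    return ("allow", region_of(external[0]))

def summarize(text):
    """Count verdicts over a block of flow records."""
    return dict(Counter(classify(l)[0] for l in text.splitlines() if l.strip()))

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

The two flows to and from the "OTHER" range pass the fence regardless of who ultimately controls that host, so allowed traffic still needs the network monitoring described earlier.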
Furthermore, the AHA suggests that healthcare providers should work to identify all internal and third-party mission-critical clinical and operational services and technology; “in doing so they should put into place four-to-six week business continuity plans and well-practiced downtime procedures in the event those services or technologies are disrupted by a cyberattack.”
The AHA believes it is the opportune moment to recheck the redundancy, resiliency and security of hospitals’ and health systems’ network and data backups, and to ensure that multiple copies exist: offline, network segmented, on premises and in the cloud, with at least one immutable copy.
Lastly, the AHA strongly recommends that a cross-function, leadership-level cyber incident response plan be fully documented, updated and practiced. This should include emergency communications plans and systems.
The Russian invasion of Ukraine presents a grave threat to the U.S. healthcare industry, experts believe. U.S. medical organizations are highly vulnerable to sophisticated and pervasive Russian cybercrimes that can cripple the healthcare network in the country.
To sum up, U.S. healthcare security and IT leaders must prepare for retaliatory cyber attacks that could disrupt medical services. It is their responsibility to protect their patients’ data. They must build a security mindset in their employees, train their staff (securetreasury.com), take the AHA and CISA cybersecurity advisories seriously and reinforce their defence capabilities. It is time to be on high alert.