
AHA says government should strike against healthcare cyberattacks



To support the healthcare sector on the front lines against cyberterrorism, the American Hospital Association has been actively communicating with and responding to federal lawmakers on ways to coordinate and increase cybersecurity preparedness in the healthcare sector.

The AHA calls for strengthening federal leadership, reviewing medical device security vulnerabilities, and creating support mechanisms, such as funding to expand the U.S. Department of Health and Human Services' 405(d) program and establishing a reinsurance program to assist victims, similar to commercial victims facing a terrorist threat.

The hospital organization provided a detailed, piece-by-piece response to the Cybersecurity is Patient Safety policy from Senator Mark Warner, D-Va., released last month.

While hospitals and health systems have prioritized patient safety, protected their networks from cyberattacks and made great strides in NIST and HICP compliance, government support is needed in the worsening climate, according to the AHA's letter.

In its recommendations, the organization cited financially constrained and under-resourced hospitals across the country that are struggling to manage a substantial workflow rooted in medical devices and digital programs required for operations and patient care under the constant threat of cyberattacks.

“They need support from the federal government as the sector continues to face targets from sophisticated cyber rivals and countries,” wrote Stacey Hughes, executive vice president of government relations and public policy at the AHA.

Supporting the health care of victims of cyber-terrorism

“The government has done a great job of sharing information over the past few years,” said John Riggi, national adviser on cybersecurity and risk for the AHA.

“We’ve certainly come a long way in terms of both technical and strategic information sharing,” he said, but stressed the need for more real-time insights.

Riggi, who previously spent 28 years with the FBI focusing on financial crimes and counter-terrorism – with two years of that spent assisting the Central Intelligence Agency’s counterterrorism center – spoke with Healthcare IT News about how hostile countries harbor bad guys and initiate cyberattacks on health systems.

“These countries support and often exploit cybercriminals for their own ends, whether it’s stealing intelligence or causing disruption,” he said.

“Protecting against these types of attacks is an important public health and safety issue that should not be shouldered by private sector organizations because of the impact on national security,” Hughes wrote on behalf of the AHA in response to Senator Warner.

While the AHA insists on supporting HHS as the appropriate industry risk management agency and upholding the 405(d) program created under the Cybersecurity Act of 2015, Riggi said there is still plenty of room for improvement and work to do to enhance government sharing of a real-time automated threat index.

“There’s only so much we can do to defend when foreign enemies sheltered by hostile nations attack us. The other half of the equation is a powerful offense of the US government to track down these people,” Riggi said.

Urgent recovery from an attack is critical to patient safety

In its letter, the AHA encouraged the federal government to consider several additional ways to provide guidance and support to those recovering from a cyberattack, “such as assisting victims of terrorist attacks,” Hughes suggested in the letter.

Riggi said cyberattacks in the healthcare sector are life-threatening crimes the FBI investigates — not financial crimes.

When a hospital is closed due to ransomware, or when malware is discovered, neighboring hospitals will in some cases be overwhelmed. Huge strain is placed on hospitals and healthcare systems in the region as they take on diverted patients.

Riggi noted that the Cybersecurity and Infrastructure Security Agency was able to point to hospital stress as related to an excessive number of deaths.

He said that health systems must figure out how to work with surrounding hospitals and services, but speeding up the recovery process when an attack occurs has become an important area of concern.

One example is the cyber risk of life-critical third parties, such as equipment used in radiation oncology which, when disrupted, can lead to the death of the patient.

When Elekta, a cloud-based software provider that runs linear accelerators found in 170 medical systems, experienced a ransomware attack, the end result was that many cancer patients had to wait up to three weeks for treatment. The Swedish company faces a class action lawsuit filed on behalf of a former Northwestern Memorial HealthCare patient.

Without access to Elekta’s cloud, those machines wouldn’t work, says Riggi.

“You have a malignant form of cancer like glioblastoma, three weeks means the difference between life and death,” he said.

If you’re a third-party mission critical provider and you’ve been hacked, Riggi said he’ll ask, “What’s the plan?”

“You’re going to have to make a battlefield call without all of the facts, under duress, time-constrained, facing an enemy that will change course based on what’s going on, what you do,” he said.

For hospital network incidents, a provider’s incident response plan should go beyond protecting its electronic health records. It must consider downtime for all life-critical, mission-critical and business-critical functions, Riggi said.

“And we need regional planning for highly disruptive ransomware attacks that will have a regional impact,” he said. “We have seen that over and over again.”

He said incident response plans cannot be developed in a separate silo from emergency response plans for hurricanes, tornadoes, mass casualties and other emergencies.

As hospitals and health systems are rebuilding their systems and re-establishing system connections, they often encounter a flood of requests from outside providers, Hughes said in the response letter to Warner about the healthcare cybersecurity policy.

“These requirements may unnecessarily delay recovery. Federal government guidance on mitigation procedures and protocols for securely reconnecting to victims of attacks will accelerate the recovery process and bring hospitals back online more efficiently,” she said.

Mitigate and pay for third party risk

Riggi explains: “Cybercriminals are adept at exploiting third-party access and gaining access to protected data aggregated by third-party business partners, such as payments and coding, laboratories and payroll.

“While healthcare organizations are focused on keeping protected health information, personally identifiable information, and billing information secure within their own networks, parts of the organization are sharing data in bulk with much less secure third-party business partners.”

“Cyber adversaries have mapped our area. They’ve figured out the locations of strategically important nodes – mission-critical third parties that have access to bulk or political data. They aggregated that data,” he said.

Some examples he cites include OneTouchPoint, a company that prints and mails patient information, and Blackbaud, a donor management company.

Riggi said if they hack a mission-critical provider, they could gain access to the data of hundreds of hospitals. “I call it a one-stop hack.”

He explained that cybercriminals will also use electronic links from third parties as conduits to infiltrate healthcare networks.

“They map our network, they figure out where all the connections are, and they start probing – where are the weak points, what are the vulnerabilities that we can use to gain access?” he said.

The healthcare sector spends billions of dollars securing technology, Riggi adds, but when a hack occurs, the victims are seen as negligent or seen as the perpetrators.

The use and integration of technologies to promote interoperability, in order to improve patient care and manage essential operations, has created a major cyber risk, he said, “for which we are currently paying the bill.”

Andrea Fox is the senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS.
