Government should go on offense against healthcare cyberattacks, says AHA

The American Hospital Association is calling for greater federal support for victims of cyberterrorism to help get hospitals back online quickly. It also advises hospitals to coordinate cyber response with their regional emergency planning efforts.
By Andrea Fox
10:47 AM


To support the healthcare sector on the front lines of cyberterrorism, the American Hospital Association has been actively informing and responding to federal lawmakers on ways to coordinate and bolster cybersecurity preparedness across healthcare.

The AHA calls for strengthening federal leadership, revisiting medical device security vulnerabilities and creating support mechanisms, such as funding to expand the U.S. Department of Health and Human Services 405(d) program and establishing a reinsurance program that supports victims, similar to the coverage available to commercial victims of terrorism.

The hospital organization offered detailed feedback, section by section, on the Cybersecurity is Patient Safety policy paper by Senator Mark Warner, D-Va., which was released last month.

While hospitals and health systems have prioritized patient safety and defending their networks from cyberattacks, and have made great strides in adherence to NIST and HICP, government support is needed as the threat climate worsens, according to AHA's letter.

In its recommendations, the organization cited the financially strained and resource-limited hospitals nationwide that are struggling to manage the considerable workload created by the medical devices and digital programs required for patient care and operations, all while under continuous hacking attempts.

"They need support from the federal government as the field continues to face targets from sophisticated cyber adversaries and nation-states," wrote Stacey Hughes, executive vice president of government relations and public policy for AHA.

Supporting healthcare victims of cyberterrorism

"The government has done a good job with information sharing in the past several years," said John Riggi, national advisor for cybersecurity and risk for AHA.

"We've definitely come a long way, both sharing technical information and strategic information," he said, but emphasized the need for more real-time insights.

Riggi, who previously spent 28 years with the FBI focused on financial crimes, counterterrorism and cyber – with two of those years spent supporting the Central Intelligence Agency's counterterrorism center – spoke with Healthcare IT News about how hostile nation-states harbor bad actors and initiate cyberattacks on health systems.

Those nation-states, Russia, China, Iran and North Korea, support and often leverage criminal cyber gangs for their own purposes, whether it's stealing intelligence or causing disruption, he said.

"Defending against these types of attacks is a critical public health and safety issue that should not be solely shouldered by private-sector organizations given the impact on national security," Hughes wrote on behalf of AHA in its response to Senator Warner.

While AHA affirmed support for HHS as the appropriate sector risk management agency as well as maintaining the 405(d) program created under the Cybersecurity Act of 2015, Riggi said there is still a lot to be done to increase the capacity of the government to share real-time automated threat indicators. 

"We can only do so much on defense when foreign-based adversaries sheltered by hostile nation-states attack us. The other half of this equation is a robust offense by the U.S. government to go after these folks," Riggi said.

Expediting recovery from attack is critical to patient safety

In its letter, AHA encourages the federal government to consider a number of additional ways to provide guidance and support to those experiencing cyberattacks during the recovery portion of an attack, "such as the support provided victims of terrorist attacks," Hughes suggested in the letter.

Healthcare cyberattacks are threat-to-life crimes, not financial crimes, and the FBI investigates them as such, Riggi said. He later clarified: "The FBI has raised the investigative and response priority of high-impact ransomware attacks against hospitals, which disrupt and delay healthcare delivery," he wrote.

When a hospital is shut down by ransomware or the discovery of malware, in some cases neighboring hospitals are overrun. Tremendous strain is put on hospitals and healthcare systems regionally as they absorb diverted patients.

The Cybersecurity and Infrastructure Security Agency was able to correlate hospital strain with excess deaths, Riggi noted. 

He said health systems must figure out how to work with surrounding hospitals and services, but expediting recovery when an attack occurs has become a critical area of concern.

One example is the cyber risk of life-critical third parties, like equipment used in radiation oncology – which, when disrupted, could lead to patient deaths. 

When Elekta, a cloud-based software provider whose software runs linear accelerators at 170 health systems, experienced a ransomware attack, many cancer patients had to wait up to three weeks for treatment. The Swedish company faces a class-action lawsuit over the data theft, filed on behalf of a former patient of Northwestern Memorial HealthCare, which also alleges canceled or rescheduled radiation treatments.

When a mission-critical third-party provider has been hit, Riggi said, the question he asks is: "What's the plan?"

"You are going to have to make a battlefield call without all the facts, under duress, under time constraints, in the face of an adversary who will change course based on what you do," he said.

For hospital cyber incidents, a provider's incident-response plan must go beyond protecting its electronic health records. It must consider downtime for all life-critical, mission-critical and business-critical functions, Riggi said. 

"And we need to plan regionally for highly disruptive ransomware attacks that will have a regional impact. We have seen it over and over," he said.

He said incident-response plans cannot be developed in a silo separate from emergency-response planning for hurricanes, tornadoes, mass casualty and other emergencies.

When hospitals and health systems are rebuilding their systems and re-establishing system connections, they often encounter myriad requirements from outside vendors, Hughes said in the healthcare cybersecurity policy response letter to Warner.

"These requirements can delay the recovery process unnecessarily. Guidance by the federal government on mitigation procedures and protocols for safe reconnection with victims of attacks will expedite recovery and bring hospitals back online more efficiently," she said.

Mitigating and paying for third-party risk

Cybercriminals are good at exploiting third-party access and gaining access to protected data aggregated by third-party business partners, such as billing and coding, lab, and payroll, Riggi explained.

While healthcare entities are focused on securing protected health information, personally identifiable information and payment information within their own networks, parts of these organizations are sharing bulk data with far less secure third-party business partners, he said.

"The cyber adversaries have mapped our sector. They have figured out where the key strategic nodes are – those mission-critical third parties that have either access to bulk data, or they themselves have aggregated it," he said.

Some examples he cited include OneTouchPoint, which does printing and mailing of patient information, and Blackbaud, a donor management company.

If they hack one mission-critical vendor, they could get access to the data for hundreds of hospitals, Riggi said. "I call it one-stop hacking."

He explained that cybercriminals will also use the electronic pathways from third parties as conduits to get into healthcare networks.

"They map our networks, they figure out where all the connections are, and they start probing: Where is the weak point? Where is the vulnerability that they can use to access to get in?" he said.

The healthcare sector spends billions to secure technology, but when a hack happens, the victims may be viewed as negligent or treated as perpetrators, Riggi added.

The "necessary and appropriate use" and integration of technologies to foster interoperability, improve patient care and manage required operations has created "the unintended consequence of significant" cyber risk exposures, he said, "that we are now footing the bill for."

This article was updated on December 15 to clarify and enhance Riggi's insights.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS publication.
