Hospitals face unique challenges in keeping their systems secure. Any cyberattack could force a facility to shut down operations, delay elective procedures, and put patients at risk.
Ransomware usually enters a network through simple pathways such as phishing emails. Older and mobile "locker" variants such as Fusob only lock the device's screen, so removing the malware restores access; the more damaging crypto-ransomware variants encrypt the files themselves, and removing the malware does not bring the data back.
The Biden administration is preparing a policy that would tie federal funding to hospitals meeting baseline cybersecurity requirements.
Ransomware is a form of malware that locks victims out of their computers or files, most commonly by encrypting them, until they pay a ransom. It has been around for decades. The first known attack was launched in 1989, when Joseph L. Popp, a Harvard-educated biologist and self-proclaimed "father of ransomware," mailed infected floppy disks to attendees of an AIDS conference. The disks carried a trojan that, after the machine had been booted roughly 90 times, hid directories and encrypted the file names on the hard drive, then demanded payment of $189 to a P.O. box in Panama. Because it used a weak symmetric scheme, the files could be recovered without paying; modern crypto-ransomware closed that gap with properly used public-key cryptography, so the decryption key exists only on the attacker's side.
Today's crypto-ransomware typically encrypts database, web, office, video, image, script, text, and virtual desktop files. It also deletes local backups and volume shadow copies so that the data cannot be restored, then demands a fee for the decryption key. Cybercriminals are constantly enhancing their attacks, and in the future they may evolve them into malware that disables entire infrastructures or ecosystems.
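Two of the behaviours described above, bulk encryption of document files and destruction of backups and shadow copies, leave tell-tale traces in endpoint telemetry. The following Python is an added example and is not code from the original page, from any hospital, or from a vendor product; the process and file events are constructed for the example, and the command patterns, entropy threshold, and window sizes are illustrative assumptions that a real deployment would tune against its own baseline.

```python
import math
import random
import re
from collections import Counter, defaultdict

# Commands crypto-ransomware commonly runs to destroy local recovery points
# before or after encrypting. Illustrative assumption, not a vendor ruleset.
BACKUP_DESTRUCTION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Extensions typical of the file classes listed above; a burst of writes that
# appends an unknown extension to these is the second indicator.
DOCUMENT_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "sql", "vmdk"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text scores ~4-5, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_backup_destruction(process_events):
    """Return (pid, command line) for every process event matching a pattern."""
    return [(ev["pid"], ev["cmd"]) for ev in process_events
            if any(p.search(ev["cmd"]) for p in BACKUP_DESTRUCTION_PATTERNS)]


def flag_mass_encryption(file_events, window=60, min_files=20, entropy_threshold=7.0):
    """Return pids that, inside `window` seconds, wrote at least `min_files`
    high-entropy files whose name gained a new extension after a document one
    (e.g. chart.docx -> chart.docx.locked). Paths use '/' separators here."""
    by_pid = defaultdict(list)
    for ev in file_events:
        parts = ev["path"].rsplit("/", 1)[-1].split(".")
        if (len(parts) >= 3
                and parts[-2].lower() in DOCUMENT_EXTENSIONS
                and parts[-1].lower() not in DOCUMENT_EXTENSIONS
                and shannon_entropy(ev["data"]) >= entropy_threshold):
            by_pid[ev["pid"]].append(ev["ts"])
    suspects = []
    for pid, times in by_pid.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_files:
                suspects.append(pid)
                break
    return sorted(suspects)


def build_sample_events():
    """Constructed telemetry: one benign process, one ransomware-like process."""
    rng = random.Random(7)  # seeded so the example is deterministic
    process_events = [
        {"pid": 1010, "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
        {"pid": 4412, "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"pid": 4412, "cmd": "bcdedit /set {default} recoveryenabled No"},
        {"pid": 2200, "cmd": "C:\\Program Files\\Backup\\agent.exe --schedule"},
    ]
    file_events = []
    for i in range(30):  # clinician saving low-entropy notes under a normal extension
        file_events.append({"ts": 100 + i, "pid": 1010,
                            "path": f"/srv/share/notes/visit{i}.txt",
                            "data": b"Patient seen, vitals stable.\n" * 50})
    for i in range(25):  # pid 4412 rewriting charts as random bytes with a new extension
        file_events.append({"ts": 200 + i, "pid": 4412,
                            "path": f"/srv/share/records/chart{i}.docx.locked",
                            "data": bytes(rng.getrandbits(8) for _ in range(2048))})
    return process_events, file_events


def run_sample():
    """Apply both detectors to the constructed events."""
    process_events, file_events = build_sample_events()
    return flag_backup_destruction(process_events), flag_mass_encryption(file_events)


if __name__ == "__main__":
    hits, suspects = run_sample()
    print("backup destruction:", hits)
    print("mass encryption pids:", suspects)
```

Correlating the two signals matters in practice: a single high-entropy write is normal (compressed images, encrypted email), and shadow-copy deletion is occasionally legitimate in storage maintenance, but the same process doing both within minutes is the pattern the paragraph describes and is worth an automatic host isolation rather than a ticket.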
Regulated industries need to evaluate and update their breach notification regulations to keep pace with the threat. For example, the HIPAA Breach Notification Rule requires a covered entity to notify affected patients and HHS when unsecured protected health information is breached. But because modern ransomware attacks increasingly involve the theft as well as the encryption of data, the definition of a data breach needs to be reevaluated so that a ransomware attack is explicitly covered.
New York State is preparing to roll out $500 million in hospital cybersecurity funding.
Earlier this month, New York Governor Kathy Hochul announced that the state is preparing to roll out $500 million in cybersecurity funding for hospitals to help them protect their systems from cyberattacks. The money will be available to hospitals across the state. It will help them obtain better cybersecurity tools and upgrade their electronic medical records and other technologies. Hochul’s announcement comes as more and more healthcare organizations have been hit by cyberattacks this year. A recent report from the Department of Health and Human Services showed that more than 88 million people have been affected by significant data breaches in the first half of 2023 alone.
The new funding will support new rules that the state plans to introduce, requiring all hospitals in New York to implement various security measures. These measures include a requirement for hospitals to have a chief information security officer, a requirement for hospitals to conduct tests of their incident response plans, and a requirement for hospitals to use multi-factor authentication. The state is also planning to create a “New York Hospital Cybersecurity Roundtable” that will serve as a think tank for hospitals in the state.
While these new requirements may seem like a significant burden on hospitals, they are vital in addressing the growing threat of cyberattacks against healthcare facilities. These attacks can have far-reaching effects, causing patient diversions, procedure cancellations, and requiring hospitals to switch from electronic to paper records. These new regulations and the accompanying funding are meant to help hospitals defend themselves against these threats, which is why it’s so essential for them to implement these measures as quickly as possible. Mike Hamilton, CISO of cybersecurity firm Critical Insight, told FierceHealthcare that the move by New York is likely to be replicated in other states. He expects more states to introduce similar laws requiring hospitals to meet specific standards for cybersecurity.
The Department of Health and Human Services (HHS) is releasing a report on cyberattacks on hospitals.
The Department of Health and Human Services (HHS) plans to take a range of voluntary and potentially mandatory actions to better address cyberattacks on hospitals. The agency published a planning document on Wednesday that outlines several new initiatives and seeks feedback. One of the most consequential proposals is to push new cybersecurity requirements for hospitals through the Medicare and Medicaid programs, effectively linking federal payments to baseline standards.
The plan acknowledges the growing prevalence of cyberattacks on healthcare organizations and notes that the sector saw a 93% increase in large data breaches from 2018 to 2022. It also points out that healthcare facilities are particularly vulnerable to ransomware attacks, which can wreak havoc and threaten patient safety. HHS wants to collaborate with Congress on new authority and funding for healthcare organizations to invest in their cybersecurity. It is also seeking larger financial penalties for those who do not comply with the HIPAA Security Rule.
One of the most pressing threats to healthcare systems is ransomware, which has forced dozens of hospitals to shut down or disrupt services in recent months. For example, a hacker recently demanded a ransom of $50,000 from the Murfreesboro Medical Clinic & SurgiCenter in Tennessee, leaving staff to share orders and lab information with runners and handwritten note cards. The attack forced the clinic to reschedule non-emergent procedures and divert ambulances.
According to the American Hospital Association, a further weakness is the shortage of cybersecurity expertise at many smaller healthcare providers. Last Thanksgiving, a ransomware attack on the Ardent Health system, which operates 30 hospitals in six states, forced several of its facilities to reschedule surgeries and divert patients. A lack of resources and a tendency to prioritize patient care over technology have left some smaller hospitals unprepared for the risk of a cyberattack.