As ransomware attacks continue to pummel the U.S. health care sector, costing hospitals millions of dollars and exposing patients’ sensitive medical records, rural hospitals are in dire need of assistance from the federal government, experts said Thursday during a Senate hearing.
Witnesses at the Senate Homeland Security and Governmental Affairs Committee told lawmakers that while there is a plethora of information doled out by private industry groups and federal government agencies such as the Cybersecurity and Infrastructure Security Agency, the issue is for smaller hospitals to find resources such as cybersecurity-focused employees to apply them in an actionable way.
Ransomware attacks against U.S. hospitals and health care organizations are becoming increasingly common, with headlines seemingly every day and stories about hackers selling health records on the dark web. In 2022, at least 25 ransomware attacks against health care providers impacted up to 290 hospitals, according to cybersecurity firm Emsisoft.
On Monday, a Pennsylvania cancer patient sued the health care provider for negligence after the criminal ransomware gang AlphV/BlackCat posted her nude photos online — an aggressive tactic that signals ransomware operators are becoming more brazen in their efforts to convince victims to pay up. And many are. U.S. and South Korean officials warned in February that North Korea is using profits from ransomware attacks against hospitals to fund their own cyber operations.
“In recent years, increasingly sophisticated cyberattacks in the healthcare and public health sectors posed alarming threats to people in Michigan, as well as across the country,” said Chairman Gary Peters, D-Mich.
Last year saw the passage of both a cyber breach notification law, which requires critical infrastructure operators, including the health care sector, to notify CISA of significant incidents, and a measure requiring the Food and Drug Administration to oversee cybersecurity for medical devices.
Kate Pierce, senior virtual information security officer at cybersecurity firm Fortified Health Security, advocated for establishing minimum cybersecurity laws for the health care sector that are “reasonable, achievable, and continually evolving” alongside more funding for rural hospitals that have little in terms of resources to defend themselves against hackers.
“We also saw cybercriminals shift their focus to small and rural hospitals with this group lagging behind in strengthening their defenses,” said Pierce. “Our rural hospitals are facing unprecedented budget constraints with up to 30% or more in the red, with the public health emergency scheduled to end in May.”
Greg Garcia, executive director for cyber security at the Healthcare and Public Health Sector Coordinating Council, noted that the health care sector is also undergoing a long list of changes that complicate hospitals trying to safeguard their networks. “Consider that health care innovation is going direct to the consumer to wearable and home medical technology and tele-medicine,” said Garcia. “This expands the so-called attack surface for connected technology outside the clinical environment which is harder for hospitals to secure remotely with patients.”
An increasing number of mergers and acquisitions in the health care sector means that organizations are trying to integrate incompatible systems from different suppliers, which increases the complexity of protecting those systems, Garcia said. Additionally, the health care industry is moving to cloud service providers that outsource clinical data management and software, which also increases the overall impact of a single cyberattack, he noted.
During a ransomware attack, hospitals often can’t schedule appointments or perform procedures and surgeries. Additionally, they must switch to a paper-based environment that slows down the delivery of care, Garcia said. While there’s a “glut of information security best practices out there, we need to pick one because there is a lot of confusion,” he noted, stressing that everyone who works in a hospital now needs to think about cybersecurity as a key part of their job.