Amid mounting tension between Russia and Ukraine, federal officials are warning U.S. organizations—including health systems—of an increased potential of cyberattacks that could significantly damage critical infrastructure.
Hospitals are often vulnerable to cyberattacks
Hospitals are increasingly becoming targets of cyberattacks, which often disrupt operations and potentially put patients at risk. For example, a ransomware attack at Springhill Medical Center in 2019 shut down the hospital's network for three weeks. A pregnant patient later sued the hospital for medical malpractice, claiming the attack caused staff to miss concerning signs that ultimately led to her child's death.
Since the pandemic, the risk of cyberattacks has grown as hacking groups take advantage of overtaxed and short-staffed hospitals caring for Covid-19 patients.
Heather Hughes, director of client engagement and solutions at cyber insurer Resilience, said she has seen "threat actors take advantage of Covid for ransomware attacks because hospitals were short-staffed, everyone was stressed, the hospitals' census population is super high."
Hughes added that hospitals' increased use of staffing agencies has led to an ideal environment for security breaches since contract workers are not usually familiar with an organization's internal electronic system. "When they go to log in, for example, for their first shift, it's 'Click this link for your time card,'" she said. "They may click that link. Now they've introduced ransomware."
Federal officials, health organizations warn of increased cyberattack risks
With international tensions rising between Ukraine and Russia, federal agencies, as well as health organizations, have issued alerts about potential Russian cyberattacks in the near future. Previously, Russian malware deployed against Ukraine spread globally and caused widespread damage to critical infrastructure in the United States, including a major pharmaceutical company, a health care communications company, and many hospitals.
The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a "Shields Up" alert for U.S. organizations about cyber threats from Russia. In the alert, CISA recommended that all U.S. organizations, regardless of size, "adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets."
What happens when hackers target your hospital? Sky Lakes Medical Center and Asante are sharing their biggest lessons learned.
Similarly, the American Hospital Association (AHA) and the Health-Information Sharing and Analysis Center last month issued a joint advisory recommending organizations identify and consider blocking any direct or third-party business associates and email contacts based in Ukraine and the surrounding region.
In addition, the FBI and National Security agency last month released recommendations for health care and other critical infrastructure organizations to help prevent, detect, and respond to common Russian cyber threats.
How to reduce the risk of cyberattacks
Both CISA and AHA have outlined several steps for U.S. organizations to minimize the risk and potential impact of cyberattacks.
1. Reduce the risk of a damaging attack
To do this, CISA recommends organizations require multi-factor authentication for all remote access to their networks, as well as privileged or administrative access. All software should be up to date, and updates that address known exploited vulnerabilities should be prioritized.
IT personnel should also ensure all non-essential ports and protocols are disabled and implement strong controls if cloud services are used.
2. Ensure potential attacks are quickly detected
CISA recommends that IT personnel confirm an organization's network is protected by antivirus and antimalware software. They should also focus on identifying and quickly assessing any unusual or unexpected network activity
If an organization conducts business with Ukrainian organizations, IT personnel should closely monitor and inspect traffic from these organizations, as well as review any access controls. In addition, AHA suggests organizations geo-fence all inbound and outbound traffic from Ukraine and the surrounding region to mitigate potential direct cyber risks.
3. Be prepared to respond if an attack occurs
To prepare for an attack, a main crisis response team should be designated, with different members taking charge of technology, communications, legal issues, and business continuity. Organizations should also conduct an exercise with all team members to ensure they all understand their roles during a potential attack.
According to AHA, it is "critical that a cross-function, leadership-level cyber incident response plan be fully documented, updated and practiced. This should include emergency communications plans and systems."
4. Ensure critical operations and data will still function during an attack
AHA recommends organizations identify all "mission-critical clinical and operational services and technology" and develop "four-to-six week business continuity plans and well-practice downtime procedures in the event those services or technologies are disrupted by a cyberattack."
According to CISA, organizations should test backup procedures to make sure critical data can be quickly restored if they're affected by a cyberattack. Backup data should also be isolated from network connections. In addition, organizations should test manual controls of their operational technology to make sure critical functions are still operable even if their networks are down or compromised. (AHA News, 2/1; CISA cybersecurity guidance, 1/18; Dress, The Hill, 2/12; Magnoli/Sawyer, CBS 12, 2/16; Reed, Axios, 2/18)