Weekly line: The White House is raising the ransomware alarm. Here’s how you should respond.

By Heather Bell and Andrew Rebhan

June 10, 2021

    In response to high-profile ransomware attacks targeting U.S. meat and oil and gas industries, the White House last week published an open letter urging leaders of U.S. companies to take “immediate steps” to stave off potential cyberattacks.

    This call to action should be no surprise to health care leaders. Health care organizations have already been targeted by major ransomware attacks. A recent Comparitech analysis found more than 600 health care organizations, including individual clinics and hospitals, were impacted by 92 ransomware attacks in 2020, and those attacks affected 18 million patient records.

    Similarly, a January report from Emsisoft found 560 health care provider facilities were targeted by ransomware attacks in 2020—and some of those attacks had real implications for patient care. According to the Emsisoft data, many of the attacks caused EHRs to go offline, and some led to care disruptions such as ambulance diversions and delayed lab test results.

    Just last month, the FBI issued an alert warning health care providers and first responder networks of Conti ransomware attacks, which deliver malicious code that locks up files, servers, and workstations on a given network and then demand a ransom to restore access.

    White House outlines 6 steps to protect your organization

    The message from the White House is clear: Make cybersecurity a top priority. They outlined six fundamental security measures organizations in all industries should take:

    1. Invest in the right technology to reduce the risk of a successful ransomware attack, such as encryption, endpoint detection and response, and multifactor authentication, and maintain a skilled cybersecurity team.
    2. Back up files and store them on a separate network or offline.
    3. Ensure security systems are up to date.
    4. Develop and test an incident response plan.
    5. Hire a third-party expert to test your security system.
    6. Segment your networks to reduce the risk of compromising the entire system.

    3 ways to go beyond the fundamentals to protect your organization

    The measures outlined by the White House apply to all industries, but health care leaders need to go beyond the fundamentals. Health care has become one of the most targeted industries for ransomware attacks due to the sensitive nature of patient data (which makes the information more valuable to hackers), the industry’s relatively immature security posture, and the fact that health systems are likely to pay ransoms to get their systems back online, since any downtime can directly impact patients and even lead to death. Unfortunately, security breaches increased during the height of the pandemic, as hackers saw an opportunity to take advantage of health care providers while they were busy responding to Covid-19.

    Here are three additional measures for health care leaders to keep in mind that build upon the White House's guidelines:

    1. Adopt a comprehensive security program. A strong security program should have appropriate governance and accountability, dedicated resources (security committee, security operations center, etc.), and a designated chief information security officer.

    2. Make cybersecurity a financial priority. The percentage of IT budgets allocated to cybersecurity varies across health care organizations. But executives should ensure that funding remains consistent from year to year and reflects the fact that security is an operational priority.

    3. Invest heavily in staff training. Build a “human firewall” through frequent, real-world staff training, including personalized training for the C-suite and board members. Cyber incidents affect the entire enterprise, so executives across all functions must effectively manage cyber risk and promote a security-focused culture.

    Events of the past few years have magnified the interest, attention, and funding provider organizations must dedicate to cybersecurity resiliency. To learn more about how to become a cyber-resilient organization, visit our Cybersecurity Resource Library.
