‘Rolling disaster’: Cyberattacks on hospitals cause problems for months

As we continue our series on cybersecurity, John Riggi, the American Hospital Association’s top expert, explains how disruptive breaches can be. And he offers advice for hospitals to fortify their defenses.

John Riggi says there’s no such thing as an impenetrable defense when it comes to cybersecurity.

“No organization is ever 100% secure,” he says.

Nonetheless, Riggi, the American Hospital Association’s national adviser for cybersecurity and risk, said hospitals can take meaningful steps to minimize the risk of breaches and protect their networks, their data and their patients.

Riggi, a former senior executive in the FBI’s cyber division, outlined some of the ways hospitals can improve their security in a recent interview with Chief Healthcare Executive.

“The leadership has to make it a priority,” Riggi stressed. This is true for large healthcare organizations and small hospitals, he said.

Hospital leaders also must convince staff to see cybersecurity in the context of protecting patients. A breach could mean diverting ambulances from the emergency department to other facilities. If cyberattacks block access to electronic medical records, healthcare systems could be postponing surgeries or delaying other forms of treatment.

“Cyber hygiene is as important as medical hygiene to protect the patient,” Riggi said.

‘Massive attacks’

Hundreds of healthcare organizations have been hit with cyberattacks, and many have come while hospitals have been battling the COVID-19 pandemic.

“We have sustained massive attacks during the pandemic,” Riggi said. “We’ve witnessed these high-impact, highly disruptive attacks.”

Hospitals are seeing different types of cyberattacks and different types of ransomware attacks, Riggi said.

“A ransomware attack on a hospital is a rolling disaster,” Riggi said. “The immediate impact may not be seen.”

First, vulnerabilities have to be identified and closed. And restoring systems “is not like flipping a switch,” Riggi said. It’s a laborious, painstaking process.

“It's a minimum 3-4 weeks just to restore mission critical technologies,” Riggi said.

Hospital leaders have to ensure their organizations have strong business continuity plans and downtime procedures, Riggi stressed.

In light of the Russian invasion of Ukraine, Riggi is urging hospitals to do everything possible to strengthen the security of their networks. Last month, President Joe Biden urged private sector companies to shore up their defenses “based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”

Healthcare organizations should be blocking emails or traffic from Russia, along with other nations such as China, North Korea and Iran, Riggi said. Many have heeded the warnings issued by federal authorities.

“Folks have absolutely taken this seriously,” Riggi said.

Russian-affiliated hackers planned to attack and cripple hundreds of U.S. hospitals in 2020, The Wall Street Journal reported last month.

Even if Russia or Russian-affiliated actors don’t target U.S. hospitals, any cyberattacks launched at Ukraine could lead to malware finding its way to U.S. institutions, including hospitals, Riggi said.

“We’re most concerned about the collateral damage effect,” Riggi said.

Vendors bring risks

Healthcare organizations are increasingly facing another threat: cyberattacks on vendors or other companies they rely on for essential services.

Those partners can represent “a huge area of risk,” Riggi said.

Hospitals and other companies were reeling when a cyberattack hit the Ultimate Kronos Group, which operates the Kronos workforce management software used by many businesses. Employees across the country reported paychecks that were short, and companies have dealt with headaches for weeks after the attack, NPR reported.

“Folks didn’t realize how much they depended on Kronos for payroll, scheduling, timing,” Riggi said. Disrupted schedules may have affected patient care, he added.

Healthcare organizations must ensure third parties have sufficient cybersecurity, Riggi said. If health systems are negotiating new contracts with vendors, they should be asking about their cybersecurity protection.

Hospitals need to be using multi-factor authentication to reduce the risk of a breach, Riggi said. With this safeguard, employees need to do more than enter a password to get into a system. They have to take another step, such as entering a code they receive in a text message.

Health organizations also need multiple, highly secure backups of data, including one copy that is unchangeable, he said. Emails coming from outside the organization should be labeled as external messages.

Ultimately, hospitals must take stock of their cybersecurity capabilities. If they don’t have the technical capabilities needed to defend against attacks, they should outsource some of those functions, Riggi said.

Many hospitals are taking appropriate steps to protect themselves, but some organizations remain “underprepared,” Riggi said.

While he stressed hospitals should do everything they can to protect themselves, Riggi said the federal government must step in to offer funding and assistance, especially as the government is pushing healthcare organizations to share more data freely.

“They need to help us manage the cyber risk,” Riggi said. “We would advocate funding with these requirements to mitigate the cyber risk.”

Coming tomorrow: Cybersecurity experts offer advice to minimize risks of a breach and bounce back when an attack happens
