As Hospitals Struggle With Cyberattacks, Feds Call for Tougher Defenses

With ransomware attacks rising, the Biden administration has ordered federal agencies to bolster their cybersecurity systems and to address vulnerabilities. Although the order is aimed at federal agencies, the Biden administration is also making it clear that key elements of the private sector, such as hospitals and health care systems, must strengthen their defenses.

The Cybersecurity and Infrastructure Security Agency issued the order Wednesday directing federal agencies to address weaknesses identified within the past year in the next two weeks. Federal agencies have 60 days to address older threats. The agency noted the growing threat of attacks against critical infrastructure systems, including hospitals.

The federal government is also offering what could be a valuable tool to the private sector: a catalog of known vulnerabilities for cyberattacks. The catalog, which is being made publicly available for the first time, will be regularly updated as new weaknesses are identified. It includes vulnerabilities found in products by Apple, Google, Microsoft and other heavyweights.

In 2020, more than 18,000 cybersecurity vulnerabilities were identified, according to CISA. In addition, more than 10,000 of those vulnerabilities — about 28 per day — were designated as “critical” or “high severity”, the agency noted.

The healthcare sector has seen a spike in attacks on its critical systems.

For hospitals, cybersecurity attacks can threaten the safety of patients, experts say. In Germany, prosecutors argued that a ransomware attack contributed to the death of a woman when an ambulance crew was incorrectly told a hospital wasn’t accepting patients and the crew had to go to another facility, Wired reported.

Earlier this year, the ​​U.S. Healthcare and Public Health Sector Coordinating Council urged the Biden administration to help bolster cybersecurity systems at hospitals. In a June letter to Biden and top lawmakers, the council said there was a 55% increase in cyber incidents aimed at the health care sector in 2020.

“The healthcare sector, despite making progress over the past several years, has struggled to keep up with the onslaught of cyber threats without enhanced federal programs and engagement,” the council wrote in the letter. “We are particularly concerned that lesser resourced organizations, such as small and medium sized healthcare providers and critical access hospitals, continue to fall further behind.”

In 2020, a Healthcare Information and Management Systems Society (HIMSS)survey found that most hospitals had dealt some kind of cybersecurity threats. Most (70%) of the cybersecurity professionals surveyed reported serious security incidents within the previous year. Of those incidents, 20% involved ransomware or malware.

Most (61%) of the respondents indicated that the cyberattack disrupted of nonemergency clinical care, but a significant minority (28%) reported a disruption of emergency services. About 1 in 5 (17%) of the respondents said some elective surgeries had to be canceled.

Robert Cattanach

Typically, hospitals allocate 6% of their information technology budgets toward their cybersecurity, according to the HIMSS report. The report acknowledges hospitals have faced new financial challenges due to the COVID-19 pandemic.

Robert Cattanach, an attorney who has advised companies on ransomware issues, said the federal government’s move to publish a catalog of known vulnerabilities could be a significant asset to companies aiming to shore up their defenses. Most companies lack the resources to track all the weaknesses, he said.

“Knowing which vulnerabilities are currently being exploited by cybercriminals allows the private sector to leverage CISA’s expertise to operate on a more level playing field and should be an important tool in the never-ending fight against cybercriminals," he said in a statement.