As Russia invades Ukraine, hospitals must be more wary of cyberthreats

Federal officials and industry leaders have warned healthcare organizations they could see more cyberattacks.

Hospitals and healthcare organizations have been prime targets of cyberattacks for years, and Russia’s invasion of Ukraine has prompted federal officials to warn of the possibility of more threats.

The U.S. Cybersecurity & Infrastructure Security Agency, the federal cyberdefense agency, has issued a “Shields Up” warning for all organizations. The agency advises businesses and organizations to make sure their software is up to date and that information technology departments are watching for any breeches.

The American Hospital Association says it is closely watching for any increased possibility of cyberattacks or threats stemming from Russia’s invasion of Ukraine. John Riggi, the AHA’s national advisor for cybersecurity and risk, is in close contact with federal officials regarding potential threats to U.S. healthcare, the association said.

The AHA said it’s concerned that Russian-backed cyberattackers may target hospitals and health systems directly. Hospitals could also become collateral damage of malware deployed by Russia that could breach U.S. healthcare systems, even inadvertently.

Hospitals could also be hurt by disruptions affecting their essential service providers, the AHA said.

“AHA’s concerns are heightened by the Russian military’s previous behavior of utilizing cyber weapons in support of military actions against Ukraine; such behavior ultimately inflicted disruptive collateral damage to the U.S. health care system, resulting in the U.S. government’s 2020 indictment of six Russian military intelligence officers for the development and deployment of the destructive NotPetya malware three years prior,” the association posted on its website.

In that case, the malware was first launched against Ukraine, but it spread globally, disrupting operations at American hospitals and a major U.S. pharmaceutical company, the U.S. Department of Justice said. The malware impaired critical medical services at a healthcare system based in western Pennsylvania, federal officials said.

Anura Fernando, global head of medical device security at UL, told Chief Healthcare Executive in a recent interview that companies, including healthcare organizations, should be doing what they can to bolster their defenses in light of recent events. When international tensions rise, some opportunistic groups often try to take advantage, he said.

“Healthcare has to be just as much on the watch as any other companies or entity,” Fernando said.

In February, the U.S. Department of Health and Human Services issued an advisory reminding that electronic medical records could be vulnerable to hacking. If criminals gained access to medical records, they could conceivably get patients' names, Social Security numbers, photos, fingerprints and other private information.

Also in February, federal authorities warned healthcare organizations about the Lockbit cybercrime gang. The FBI said the organization offers ransomware as a service to other attackers looking to penetrate companies’ networks. The group typically doesn’t target healthcare groups but authorities have said ransomware is a major threat to the healthcare industry.

Hundreds of breaches involving hospitals and healthcare systems were reported to the federal government in 2021, and some analysts said this year could be worse. The cost of the average healthcare breach rose to $9.4 million in 2021, an increase of $2 million over the previous year, according to a report by IBM.

In its 2021 cybersecurity survey, The Healthcare Information and Management Systems Society (HIMSS) found two-third of healthcare cybersecurity professionals reported significant incidents in 2021. Most of those surveyed said their organizations were spending more on cybersecurity, but some participants said the resources aren’t sufficient.

CISA also offers the private sector a number of free cybersecurity services and tools.