Health sector should be worried about Russian cyberattacks

The threat is real, says Heath Renfrow, chief information security officer at Conversant Group. Healthcare organizations generally aren’t where they need to be when it comes to cybersecurity.

Federal authorities have warned healthcare organizations to be on guard for the possibility of cyberattacks in light of Russia’s invasion of Ukraine.

Heath Renfrow says hospitals and health systems have good reason to worry. Renfrow is the chief information security officer for Conversant Group, an information technology infrastructure and security consulting company based in Chattanooga, Tenn., and co-founder of FENIX24, a disaster recovery firm. Renfrow also served as the first chief information security officer for U.S. Army Healthcare.

Healthcare organizations should brace for the possibility of Russia launching cyberattacks at critical infrastructure systems, including the health sector.

The U.S. government earlier this month said it shut down dangerous malware that could have been used to launch Russia cyberattacks, The New York Times and other media reported. President Biden has urged the business sector to strengthen its defenses to protect its systems due to the possibility of attacks launched from Russia.

“The threat is real,” Renfrow said in a recent interview with Chief Healthcare Executive.

Russia President Vladimir Putin has railed against the U.S. and NATO supporting Ukraine’s defense of it’s country. Renfrow said Russian-based cyberattacks are possible, if not likely.

“Russia is going to retaliate,” he said.

“I’m very worried about nation-state threat actors,” he said, adding. ‘The revenge factor on us could be tremendous.”

“I am more concerned about threats of nation-state actors at this moment than ransomware attacks,” Renfrow said.

He also said it’s possible Russian-based ransomware gangs may go after U.S. healthcare systems. Countries such as Iran and North Korea could also launch attacks, he said.

Most aren’t prepared

To be sure, healthcare organizations have plenty to be worried about in terms of ransomware attacks.

Last week, the U.S. Department of Health and Human Services advised healthcare providers about the Hive ransomware group, a relatively new group that has targeted the healthcare sector. Authorities groups also issued a similar warning earlier this year about the Lockbit ransomware group.

More than 100 breaches involving patient records have been reported to the U.S.  health department since the beginning of the year. Some attacks involve the practice of “double extortion,” where attackers breach a healthcare system, steal data and then threaten to release it unless they are paid.

The average healthcare breach cost more than $9 million in 2021, a $2 million increase over the previous year, according to a report from IBM.

Nearly 45 million Americans were impacted by breaches involving private health information in 2021, up from 34 million in 2020, according to a report by Critical Insight, a cybersecurity company. Millions of American have already been affected by breaches reported this year.

Hospitals make tempting targets for ransomware groups, Renfrow said. “They know healthcare is probably going to pay the ransom because of the mission they serve,” he said.

“Most healthcare organizations are not prepared for ransomware. They could lose years and years of data,” he said.

Experts say breaches are especially disruptive to healthcare, partly because they usually aren’t discovered for months. And healthcare systems and hospitals treat patients around the clock and need access to their electronic health records.

When it comes to cybersecurity, the healthcare industry is “nowhere near where it needs to be,” Renfrow said.

“Historically, healthcare organizations have not invested in IT infrastructure,” he said.

Other cybersecurity experts have made similar assessments regarding the healthcare system. Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), said too many health systems haven’t employed basic defenses.

“We don’t have everyone implementing anti-virus across the board,” Kim said at the HIMSS Global Health conference in March. “We don't have nearly enough encryption.”

Top leaders must step up

Some experts say health organizations need to do a better job training staff to avoid opening suspicious emails or clicking unfamiliar links.

Renfrow said those are sensible steps, but he also said workers are getting a bad rap. It’s up to healthcare leaders to put in better defenses, he said.

“There’s a lot of blame that goes to users,” Renfrow said. “I don’t believe that’s the right approach.”

If hospitals have the proper cybersecurity defenses in place, Renfrow said, “A user making a mistake in being phished should not be devastating to your environment.”

Ultimately, healthcare leaders have to make cybersecurity a priority and they need to be heavily involved.

“You’re going to have to invest in this. You need to manage this from the top,” Renfrow said.

While chief information security officers play a key role, leaders can’t just delegate cybersecurity to them and be divorced from it. “The responsibility is at the executive level,” he said.

When health systems are hit by a ransomware attack, Renfrow said, it tends to be a wakeup call for executives. “It gets the executives' attention and they throw money at the issue,” he said.

Some hospital systems spend money on cybersecurity defenses without the personnel or expertise to utilize them properly, he said.

Leaders of smaller systems in particular should consider partnering with a cybersecurity firm, Renfrow said. Small systems with modest budgets for cybersecurity probably can’t afford the infrastructure or the personnel with cybersecurity experience, who can command high salaries because they are in great demand.

Renfrow offered one more compelling reason for healthcare executives to get more involved in cybersecurity. Regulators will hold executives accountable if patient records are exposed in a breach and it turns out the system didn’t have sufficient safeguards or privacy policies in place.

“Only a senior executive can accept the risk,” he said.

More from Chief Healthcare Executive

How hospitals can improve cybersecurity: Tips, training and tough love

How a rural health system improved its cybersecurity

Why medical practices need to guard against cyberattacks