The White House has issued a national strategy and authorities are going after bad actors. But federal officials are asking questions about what health systems are doing to protect themselves.
The federal government is placing greater focus on cybersecurity in healthcare, industry analysts say.
Healthcare cybersecurity experts say the government recognizes that hospitals, healthcare, and other critical infrastructure need greater support in defending against attacks. They note federal authorities are launching more effective attacks against cybercriminals, including the successful effort earlier this year to disrupt a ransomware group that targeted hospitals.
“We need the government to go on offense,” John Riggi, the American Hospital Association’s national advisor for cybersecurity, said at the HIMSS Global Health Conference in April.
“The government seems to have picked up that mantra as well and are conducting offensive cyber operations to protect infrastructure,” Riggi said.
Federal officials are increasingly concerned about ransomware attacks that have disrupted health systems, including attacks that have affected hospitals in multiple states. CommonSpirit Health suffered a ransomware attack that affected more than 100 facilities in a host of states.
At the same time, federal officials are asking more questions about what health systems are doing to defend themselves and if they are implementing sufficient protections.
“We're getting good attention and bad attention from the U.S. government,” Riggi said at the HIMSS Conference.
Some of the questions being asked include whether hospitals are using multi-factor authentication widely, he said.
“We are getting that scrutiny there,” Riggi said. “The government believes that we can do a lot more in healthcare.”
‘No unfunded mandates’
Riggi and other cybersecurity experts on a panel at the HIMSS Conference said they’ve seen a dip in ransomware attacks in recent months, and they said some hospitals and health systems have bolstered their defenses compared to where they were a few years ago.
However, cybersecurity experts have repeatedly said many health systems should be doing much more to protect themselves. Some ransomware groups have also targeted smaller hospitals and systems, assessing that they are easier targets with less robust defenses.
The federal government is considering imposing certain minimum requirements on cybersecurity for critical infrastructure, including healthcare, Riggi said.
In March, the White House revealed a national cybersecurity strategy, which includes language regarding minimum standards. The White House described setting performance-based standards that can adapt to evolving threats, but also included language about taking steps to reduce the burdens of compliance.
“There is a lot of talk about minimum standards for cybersecurity these days,” Adam Zoller, chief information security officer for Providence Health, said at the HIMSS Conference.
Cybersecurity experts say they see the logic in having minimum cybersecurity standards, but they are hoping that the government is also going to provide financial help in meeting those requirements.
“If in fact, there is regulation, there should be no unfunded mandates,” Riggi said.
Hospitals have struggled with severe financial difficulties during the COVID-19 pandemic, and about half of all U.S. hospitals ended 2022 with negative operating margins, according to Kaufman Hall, the healthcare consulting firm. Health systems continue to face headwinds this year as well, industry analysts say. So hospitals aren’t well positioned to meet cybersecurity standards without some assistance, Riggi said.
In addition, the White House is sending signals that it is considering a rule barring companies from paying ransoms, Politico reported this week.
Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology, discussed the possibility at an event hosted by the Ransomware Task Force. She said the rule could include exemptions for healthcare organizations in order to save lives, including securing government approval to pay the ransom, Politico reported.
Cybersecurity experts say that ransomware has become more common in healthcare because criminals know many hospitals are willing to pay to get their systems back or care for patients.
Address the talent shortage
Hospitals and health systems are struggling to find cybersecurity workers, as firms outside of healthcare typically pay higher salaries, experts say. Plus, the government is hiring cybersecurity talent as well.
“Clearly, there's a massive cyber workforce shortage, not just in healthcare, but across all industries,” Riggi said.
The government could help by offering programs to repay student loans for those willing to take cybersecurity jobs in hospitals and healthcare for a certain amount of time after graduation, Riggi suggested. The government could also look to retrain veterans for cybersecurity jobs after they’ve completed their time in the military, since those individuals already have a record of public service.
Riggi said the government should try “appealing to people's patriotism, and sense of purpose and mission.”
Even with a dip in ransomware attacks, health systems and hospitals must remain vigilant against cyberattacks. Experts say they will remain targets, since attackers know hospitals need their computer networks, including their electronic health systems, and health data remains highly valuable.
Hospitals also face the threats of cyberattacks launched by other countries, and that’s where the government is going to have to help protect health systems. Ransomware groups supporting Russia have targeted U.S. hospitals, experts say.
“If a nation-state comes after a company or comes after a hospital system, the nation-state is going to be successful, because they have access to resources that no individual company can bring to bear to protect themselves,” Zoller said at the HIMSS Conference.
“So I think that's why collaboration between the private sector and critical infrastructure sectors, the owners and operators of critical infrastructure in private industry, and the federal government is critical.”