March 17, 2026

Hospitals should prepare for cyberattacks from Iran

Author(s): Ron Southwick

An Iranian group has claimed responsibility for the attack on Stryker, a medical equipment company. John Riggi of the American Hospital Association talks about potential risks and the steps hospitals should be taking.

With the U.S. at war with Iran, the healthcare industry should be prepared for potential cyberattacks, including those aimed at hospitals and health systems, authorities say.

Stryker, a medical technology company, says it is the victim of a cyberattack. An Iranian hacking group, Handala, has claimed it is behind the attack. A Michigan-based company, Stryker produces medical and surgical equipment used by hospitals around the world.

Stryker said on its website Sunday that all of its products “including connected, digital, and life-saving technologies, remain safe to use. This event was contained to Stryker’s internal Microsoft environment, and as a result it did not affect any of our products—connected or otherwise.”

John Riggi, national adviser for cybersecurity and risk for the American Hospital Association, told Chief Healthcare Executive® in an interview Monday that he’s not aware of any direct threats to hospitals from the Stryker attack. But he says he’s concerned, particularly in light of Handala warning of additional strikes against the United States.

“We are recommending hospitals really start to examine their life-critical and mission-critical supply chain, and really look at those technologies that are network and Internet-connected that are critical for life-saving and life-sustaining services,” Riggi says.

Riggi says the association is also monitoring to see the potential impact if Stryker’s systems remain offline for an extended period. For now, Riggi says health systems likely have adequate supplies on hand.

“As the attack extends and Stryker’s supply ordering system remains offline, it could result in some disruption,” he says. “But that's why we're working very closely with hospitals and conducting surveys to understand what the disruption is presently, what they anticipate the disruption to be, how many days of supplies they have on hand for certain things, such as orthopedic implants, for example.”

Plenty of health systems have been reaching out to the hospital association for guidance on the attack. They are worried about network connectivity, and some hospitals have pre-emptively decided to disconnect from Stryker and block their network connections, he says.

“That's always a balance, because if you block prematurely, you may actually be causing more disruption than if you stayed connected, especially if we have no indication that it's malware. And Stryker states that the situation has been contained,” Riggi says.

‘Heightened vigilance’

Riggi, who spent nearly three decades with the FBI, points to the potential for cyberattacks due to the conflict in Iran, as well as tensions with Russia, China, Venezuela and Cuba.

“This is one of the riskiest geopolitical environments I've seen in 40 years, because of all these tensions with these adversaries,” Riggi says. “And my concern is that these adversaries, again, may combine capabilities and without attribution, perhaps utilizing proxies to conduct cyberattacks against us.”

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other federal groups re-circulated an advisory this month warning that Iranian groups could target critical infrastructure, including the healthcare sector.

Based on the attack on Stryker, Riggi says it appears the Iranian group is targeting third-party providers, including technology providers and key suppliers.

Even before the U.S. engaged in military action, Iran had been a prime source of ransomware attacks, Riggi says.

“Iran has possessed a very capable offensive cyber capability, which they've demonstrated over the years in attacks against U.S. critical infrastructure,” Riggi says. “So we remain definitely at heightened vigilance, both not only on cyber security, but physical security as well.”

He says pro-Iranian hackers or Iranian state-directed groups have targeted Israel’s health sector, including hospitals, in recent months.

“We hope we don't see that here, because, again, hospitals are civilian infrastructure, and really, any disruption or delay to hospital services could create a threat-to-life situation, as we've seen with other ransomware attacks,” Riggi says.

Hundreds of cyberattacks have affected hospitals and health systems in recent years. Increasingly, some ransomware groups have gone after vendors and third parties to access hospitals and health systems.

Two years ago, a ransomware group attacked Change Healthcare, resulting in the most disruptive cyberattack ever in the history of the U.S. healthcare industry. More than 190 million Americans were affected, and nearly all hospitals suffered problems, because so many health systems use Change Healthcare for various business functions.

Riggi warns that hackers from groups in Iran - or elsewhere - are going after the many business partners hospitals use on a daily basis.

“I think our adversaries, whether they're criminal organizations or nation-state sponsored, have mapped the healthcare sector,” he says. “They have mapped the sector and identified key mission-critical and life-critical third party providers that if, in fact they are attacked, there'd be a massive cascading disruptive effect across the entire sector.”

With that in mind, hospitals and health systems should be taking a closer look at their vendors and businesses.

“What we're asking our hospitals, and have been especially after Change Healthcare, is to identify their mission-critical and life-critical, third-party service providers, third-party technology providers and third-party supply chain, and then understand what would be the impact if they were attacked or the hospital lost internet connectivity to them,” Riggi says.

Strong response plans

Now more than ever, hospitals need contingencies and strong response plans if they suffer disruptions due to attacks aimed at third-party providers or if the hospital itself is attacked.

“It's something that we have been really focused on, in helping the hospitals understand the difference between what's generally been characterized as business continuity versus clinical continuity, and understanding the impact to patient care directly,” Riggi says.

Health systems need to map the impacts if there is a loss of internet connectivity, or the internal network goes down, and how they can continue to deliver care.

Hospitals should have plans for diagnosing stroke patients if a PACS (Picture Archiving and Communication System) is unavailable, Riggi suggests. Other steps include planning how to dispense medication, since drug cabinets are connected to the internet.

“How do we deliver radiation oncology without a linear accelerator that needs a network or internet connection to function, and also to deliver the treatment plan? That's the level of granularity we need to get down to, because of our complex digital environment that we operate in,” Riggi says.

He says it’s difficult to prepare for all the impacts of a computer outage.

“It's a daunting task,” Riggi says. “So what we try to have folks focus on first, is the most logical, common sense, life-saving, life-sustaining services and supplies.”

The Joint Commission has published guidance for hospitals in maintaining operations in the event of a cyberattack. Hospitals should be prepared to have life-saving technology offline for four weeks or longer, the commission says.

ECRI, a patient safety organization, has named “digital darkness” as one of the leading threats to patients. Dr. Marcus Schabacker, the president and CEO of ECRI, told Chief Healthcare Executive in a February interview that hospitals should recognize that outages, tied to cyberattacks or natural disasters, are essentially inevitable.

“It's not a question of if they happen,” he said. “The question is, when it's going to hit you. And if you are woefully unprepared, then you put patient lives at risk.”


