Lawmakers are urging the Biden administration to strengthen the federal government’s cyber defenses in the health care sector amid a spike in cyberattacks, a push industry leaders see as a way to help protect a critical sector that stores sensitive information.
In a letter addressed to the Department of Health and Human Services (HHS), Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) urged the agency to better protect the health care and public health sector from the growing number of cyber threats.
“With cyber threats growing exponentially, we must prioritize addressing the [health care and public health] sector’s cybersecurity gaps,” wrote King and Gallagher, who both co-chair the Cyberspace Solarium Commission.
“Ransomware attacks on the [health care and public health] sector have skyrocketed in the past two years as opportunistic criminals recognized that hospitals may pay quickly to resolve issues and protect patient safety,” the letter said.
The lawmakers additionally requested an urgent meeting with health officials in the Biden administration for an update on their current cyber posture. King and Gallagher added that they are also concerned about HHS’s lack of timely information sharing about ongoing threats with industry partners.
“We certainly applaud Senator King and Representative Gallagher’s letter to HHS and the fact that they recognize the intense cyber threat that we are facing as a sector right now,” said John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association.
Riggi added that cyberattacks increased dramatically amid the pandemic, posing a serious risk to a sector that was already vulnerable.
He explained that the health care sector is a prime target for cyber criminals because they understand that the priority for health care workers is to deliver care and save lives, which increases the likelihood that hospitals will pay ransoms in order to resume their operations.
“They understand that we are vulnerable, they understand that we in health care possess all kinds of valuable information,” Riggi added.
Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center, said that patient data is very valuable to criminals and can be used to steal identities.
She added that cyber criminals targeting the health care sector are also after intellectual property related to medical research and technology.
“The health sector is highly interconnected and sensitive data is continuously moving between entities,” Anderson said.
Another challenge the health care sector faces is that medical devices, which are expensive and operate 24 hours a day, cannot easily be taken offline to fix vulnerabilities and are not easily replaceable because some run on operating systems that are no longer supported, Anderson explained.
A recent report from Kroll, an investigation and risk consulting firm, found a 90 percent increase in the number of attacks against health care organizations in the second quarter of this year compared to the first quarter.
The report also found that ransomware is the most common type of cyberattack used against the health care sector, closely followed by email compromise.
“Across the board, ransomware groups continue to use tried and tested techniques to compromise their victims’ environments, taking advantage of security weaknesses to gain footholds into systems and launch malicious payloads,” the report said.
“This makes maintaining and building cyber resilience a priority to avoid being compromised by a ransomware attack,” the report added.
Riggi said that his organization and the federal government strongly discourage hospitals from paying ransoms, because doing so emboldens criminals to keep attacking the health care sector and makes such attacks a lucrative business for them.
Ransom payments can also end up in the hands of international criminal groups that often work on behalf of adversarial nation-states such as China, Russia, Iran and North Korea, Riggi said, adding that these groups therefore also represent a national security threat.
In July, U.S. federal agencies warned the health care sector about a ransomware strain known as “Maui” that has been linked to the North Korean government.
The agencies said that Maui ransomware has been used by North Korean-sponsored hackers since at least last spring to target health care and public health sector organizations.
The agencies also discouraged health sector organizations from paying ransoms, because doing so does not guarantee the recovery of stolen data. They instead recommended that organizations adopt cybersecurity best practices and report ransomware attacks to law enforcement.
The FBI has been actively disrupting cyberattacks against hospitals. In June, the agency said it had thwarted a cyberattack last summer that was intended to disrupt the network of Boston Children’s Hospital.
According to the FBI, Iranian-sponsored hackers were behind the attack. FBI Director Christopher Wray said at the time that the attack was “one of the most despicable cyberattacks” he’s ever seen.
For the health care sector to effectively counter these growing threats, it needs to substantially increase its human and financial capital, Riggi said. But that will prove to be a challenge, as there is a massive labor shortage of cyber professionals across industries.
“Unfortunately, we in health care, just like the federal government and all sectors, are facing a massive shortage of cybersecurity personnel,” Riggi said.
“On one hand, we all want to increase our cyber defenses, but we’re also competing for the same limited pool of cybersecurity professionals,” he added.
Despite the labor shortage, hospitals have significantly increased their cybersecurity budgets and have attempted to hire where they can to meet the growing demands of protecting health facilities from cyberattacks, Riggi said.
“Almost every hospital CEO that I speak to now ranks cyber risks as their number one or number two top enterprise risk issue,” he added.
Riggi and Anderson both agreed that the government and the private sector should continue to work together to combat cyber threats. They recommended that both sectors continue to share information as well as best practices to help mitigate threats.
“It is absolutely important for the public and private sectors to work together to combat [ransomware] thefts,” Anderson said.
“Government can provide incentives to help hospitals and other health delivery organizations implement cyber resources such as staff and tools, and cybersecurity best practices,” she added.
A bipartisan bill was introduced in March to do just that. The Healthcare Cybersecurity Act, a piece of legislation co-sponsored by Sens. Jacky Rosen (D-Nev.) and Bill Cassidy (R-La.), would require that the Cybersecurity and Infrastructure Security Agency (CISA) collaborate with HHS to improve cybersecurity standards in the health care and public health sector. It would also require both agencies to share information with the private sector to increase cyber resilience.
“Cybersecurity in the health care sector is fundamentally about the ability to deliver clinical care and ensure patient safety, which is why cybersecurity must be a top priority for every health care organization, including for boards of directors and C-suite executives,” said Eric Goldstein, CISA’s executive assistant director, in a statement to The Hill.
“A key step toward greater resilience is operational collaboration with government partners such as CISA to rapidly exchange, enrich, and amplify actionable information,” he added.