The health care field continues to be a top target for cybercriminals. According to data from the Department of Health and Human Services (HHS), there has been an 84% increase in the number of data breaches against health care organizations from 2018 to 2021, with 324 reported in the first half of 2022 alone.
The attacks have different goals and range in severity. In some cases, cybercriminals steal Social Security numbers and other personal data. Other breaches pose a direct threat to patient safety by shutting down or compromising medical equipment and systems that are critical to patient care.
October is National Cybersecurity Awareness Month. It’s a good time to recognize that cyberattacks directed against hospitals and health systems – and the patients they care for – are relentless.
In fact, our entire field remains at risk from new Russian and North Korean ransomware, as well as the increasing threat to network- and internet-connected medical technologies, such as medical devices, that are vulnerable to outside attack.
A cyberattack can be directed at any organization. But that doesn’t mean care providers must be helpless victims. There are tools and resources available to help keep cyber defenses at their peak and lessen the likelihood of serious damage.
Sharing threat information is key. For example, a timely tip to the FBI last year helped to thwart an Iran-sponsored cyberattack on Boston's Children's Hospital. The bureau’s quick response halted the electronic intrusion in its tracks before it could damage the hospital's IT network.
The AHA has long been committed to helping hospitals and health systems guard against and repel cyber threats that can compromise operations and threaten patient care. AHA’s National Advisor for Cybersecurity and Risk John Riggi, a former FBI cyber executive with decades of experience on the front lines and extensive connections with federal law enforcement, leads these efforts.
In addition to providing support and guidance to individual hospitals and health systems, AHA has created a robust menu of tools and resources for members to develop the defenses they need to protect patients and the communities they serve.
On our webpage, you can stay up-to-date on the latest cybersecurity news, including an AHA podcast with the deputy director for the Cybersecurity and Infrastructure Security Agency (CISA), as well as learn about AHA-vetted cybersecurity services that can work with your organization to realize maximum protection.
We also are working on legislative solutions to support the field. The AHA has expressed strong support for the Healthcare Cybersecurity Act (S.3904/H.R.8806), which would improve collaboration and coordination between CISA and HHS. We also have endorsed the Protecting and Transforming Cyber Health Care (PATCH) Act (S.3983/H.R.7084), legislation designed to improve the security of medical devices.
And last year, we worked closely with federal partners to elevate the investigative priority of ransomware attacks from economic crimes to what they really are: threat-to-life crimes.
We will continue to work collaboratively with federal law enforcement to protect care providers. At the same time, the great majority of these cyberattacks originate from overseas, where cyber gangs often collude with hostile nation states to launch these disruptive attacks against us. Our cyber defenses alone cannot eliminate these sophisticated cyberattacks, which threaten public health and safety and violate U.S. and international law. As such, the federal government has the primary role in stopping or limiting their impact.
We will continue to strongly advocate that the federal government use all elements of national power to disrupt and deter these cyber adversaries. When it comes to cybersecurity, it is truly “one team, one fight” – health care is defense and we need the federal government to be offense.
As you continue to shore up your cyber defenses to deflect these attacks and mitigate their impact, please count on the AHA to be your full partner in this effort.