This week’s cyberattack on Change Healthcare, one of the nation’s largest health care technology companies, is yet another unwelcome reminder of the ability of cybercriminals to take advantage of our mission of caring by disrupting daily operations.

Change Healthcare in 2022 merged with Optum, which is a major provider of services in technology, data, pharmacy care and direct health care, and the cyberattack may carry serious repercussions across the wider health care field. 

The AHA yesterday sent a Cybersecurity Advisory recommending that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from affected systems until it is independently deemed safe to reconnect. We also hosted a call today to provide hospital members the latest on the situation.

Once again, we see that as technology evolves, so have the frequency and sophistication of the high-impact ransomware attacks that shut down medical technology in hospitals and health systems and can result in very serious disruption and delay to health care delivery, ultimately risking patient safety. This incident clearly demonstrates the high cyber risk exposure we face as a field through mission-critical third parties and their technology.

Currently, a serious ransomware attack is launched against a U.S. health care provider approximately every other week. 

These are threat-to-life crimes, and the AHA has been at the forefront of the effort to fight back, working closely with federal agencies and the hospital field to build trusted relationships and channels for the mutual exchange of cyber threat information, risk mitigation practices and resources to implement these practices.

As a member of an advisory cybersecurity working group, we provided input to the Department of Health and Human Services that resulted in last month’s release of voluntary Cybersecurity Performance Goals for the health care sector, which include 10 “essential” and 10 “enhanced” goals.

These performance goals are targeted at defending against the most common tactics used by cyber-adversaries, and we recommend that the entire health care sector implement these practices.

At the same time, as HHS looks to propose permanent enforceable standards, it is important that any forthcoming regulations not unfairly penalize hospitals and health systems or hold them accountable for cybercrimes they have no control over, including cyber risk we are exposed to through insecure third-party technology and business associates.

America’s hospitals and health systems are dedicated to protecting their patients and workforce against cyberattacks that can disrupt patient care, risk patient safety and erode privacy by the loss of personal health care data. However, the formidable resources of the nation-state sponsors behind so many of these cyberattacks mean that foiling their every attempt is not a realistic goal, and care providers should not be blamed for that.

Whether hostile nation states directly sponsor such attacks or provide safe harbor for hackers and ransomware gangs, their complicity is clear and the complexity of defending against the attacks even clearer.

Meanwhile, the AHA continues to work publicly as well as behind the scenes with government and private-sector partners to enhance the ability of the health care field to protect patient access to care and reduce the ability of cyber bad actors to pose threats or hold care systems for ransom.

We must be just as relentless in observing best practices and keeping up our guard as our cyber-adversaries are in attempting to extort money or steal confidential information.

This webpage is the best first stop to learn of the many resources AHA provides in the fight against cybercrimes directed against our field. John Riggi, a highly decorated 30-year veteran of the FBI who serves as national advisor for cybersecurity and risk for AHA members, is also a terrific up-to-date resource for hospital and health system leaders. You can view his recent interview on protecting against cyber threats here, or listen to his podcast with the recently retired section chief of the FBI’s Cyber Criminal Operations Section here.

When it comes to cybersecurity, we're all in this together. The AHA will continue to work collaboratively with all partners to enhance cybersecurity efforts for the entire health care field, and ensure that patients continue to receive the safe, reliable, quality care they expect and deserve.
