Keeping Up Our Guard to Protect Patients’ Privacy and Access to Safe Care

Cyber criminals are probing the defenses of health care providers every second of every day. Health care continues to be the number one targeted critical infrastructure sector as bad actors attempt to breach patients’ private data, phish for sensitive information and attempt to extort ransomware payments by disabling information and medical technology systems.

According to the latest figures from the U.S. Department of Health and Human Services’ Office for Civil Rights, almost 400 hacks against health care have been reported this year to date. These hacks, almost exclusively by foreign cyber gangs, have resulted in the compromise of the protected health care information of 74 million individuals.

How has the threat increased?

• The current 2023 figure of 74 million individuals impacted by health care hacks represents a 68% increase from last year’s total of 44 million impacted and an astonishing 174% increase from the 27 million impacted in 2020.
• A significant share of these intrusions involve ransomware attacks accompanied by threats to sell stolen data if the ransom is not paid – “The double extortion method.”
• The majority of the largest health care data breaches in 2022 and 2023 have not been from health care providers, but from third-party technology and service providers that have access to our patient data.

We expect this upward trend to continue as our vast internet-connected networks expand and as long as hostile nation states provide safe harbor for these cyber gangs to attack us.

The AHA has long been committed to helping hospitals and health systems defend against and deflect cyberattacks that can threaten patient care and compromise patient safety. AHA’s National Advisor for Cybersecurity and Risk John Riggi, a former FBI cyber executive with decades of experience on the front lines of cyber, criminal and national security investigations, leads these efforts.

In addition to providing support to individual hospitals and health systems, AHA continues to share information and guidance with the field on the latest cyberthreats. We also have a full suite of tools and resources for members, including AHA-vetted cybersecurity services provided by outside consultants that have a proven track record of working with organizations to develop the defenses needed to protect patients and communities.

Hospitals and health systems have made protecting patients and defending their networks from cyberattacks a top priority. However, given the sophisticated capabilities of cyber adversaries and nation-states, such as Russia, China, Iran and North Korea, an all-of-government and a whole-of-nation approach is needed.

That’s why the AHA continues to work closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency and many others on efforts to prevent and mitigate cyberattacks.

In late August, for example, the FBI and its European partners took down a major global malware network used for more than 15 years to commit a gamut of online crimes including crippling ransomware attacks by removing the malicious software agent — known as Qakbot — from thousands of infected computers.

Health care cybersecurity has become a hot-button issue in Washington, and we have worked closely with federal partners to elevate the investigative priority of ransomware attacks from economic crimes to what they really are: crimes against human life that have serious consequences for patients.

The AHA supports the approaches outlined in the March release of President Biden’s National Cybersecurity Strategy  that will help to detect, deter and disrupt future attacks directed against the health care sector.

As we continue to partner with federal agencies to mitigate cyberthreats, we also are working with Congress and the Administration to advance policies that assist in protecting health care services, data and patients from cyberattacks.

One important step forward, the federal PATCH Act (Protecting and Transforming Cyber Healthcare) that mandates medical device manufacturers must meet four requirements for cybersecurity before approval by the U.S. Food and Drug Administration, went into effect on Oct. 1.

We also are pleased that Congress has passed legislation strongly supported by the AHA acknowledging that health care providers deserve support and not blame when attacks occur by providing regulatory relief for HIPAA-covered victims of cyberattacks who can demonstrate they have been following recognized cybersecurity practices. We continue to advocate for a “safe harbor” for health care organizations that implement recognized security measures.

As we observe October as Cybersecurity Awareness Month, we know that cybercrimes affecting the health care sector cannot be stopped cold. No one is immune from these attacks. But we can collectively defend against them and respond to them when they do strike. To attack one of us is to attack all of us.

Hospitals and health systems will continue to prioritize cybersecurity efforts to protect their patients. And, the AHA will continue to be your partner in those efforts.