Cybersecurity in Hospitals and the Public Health Sector

Healthcare cyberattacks continue to increase in frequency. The primary methods used in these attacks include phishing and email compromise (e.g., ransomware and other malware), fraud scams, network server breaches, inappropriate access to medical records, insider threats, and standard theft. In 2022, HHS published The Impact of Social Engineering on Healthcare, which found that phishing attacks were the top threat, representing 45% of all attacks. Ransomware (most commonly delivered through phishing emails, malicious links, or malicious advertising) accounted for another 17%, leaving almost two-thirds of all attacks deriving from these two vectors. Reporting on attacks against healthcare organizations outlines some malware and techniques used in recent years. The main takeaway for most practitioners is understanding every employee has a part to play in keeping organizations safe. The most robust and impactful defenses can be ineffective if employees fall victim to phishing attacks or fail to follow established protocols.

Hospital Corporation of America (HCA) Healthcare, one of the nation’s leading providers of healthcare services, was recently targeted. Their data breach was one of the largest healthcare breaches in history, involving at least 11 million patients residing in 20 U.S. states. Additional notable cyberattacks on healthcare organizations in 2023 include:

• 9 million patients in May at Managed Care of North America (Georgia)
• 9 million patients in May at PharMerica (Kentucky)
• 4 million patients in February at RMG, LMO, ADOC & GCMG (California)
• 2 million patients in March at Cerebral, Inc. (Delaware)
• 5 million patients in June at Enzo Clinical Labs (New York)
• 5 million patients in April at Harvard Pilgrim, Point 32 Health (New Hampshire)
• 997K patients in March at Zoll (Massachusetts)
• 618K patients in February at CentraState Healthcare System (New Jersey)
• 559K patients in April at Murfreesboro Medical Clinic (Tennessee)

The recent HCA data breach is the 4^th largest cyberattack on a healthcare organization in the U.S. The top 3 healthcare cyberattacks involved:

• 79 million patients in 2015 at Anthem (Indiana)
• 21 million patients in 2018 at American Medical Collection Agency (New York)
• 11 million patients in 2014 at American Medical Collection Agency (Washington)

Healthcare Cyberattacks Reported – The Numbers

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal tracks breaches of unsecured protected health information when the event affects more than 500 patients, a reporting requirement under the HITECH Act. As of August 15, 2023, there were 901 breaches reported within the last 24 months (with the Breach Portal using a rolling report where older reports drop off and new ones are added as the calendar moves), including 355 from January to July 2023 (compared to 224 over the same period in 2022).

The healthcare industry is targeted based on the lucrative nature of its records, its vulnerability, and its visibility as this industry is considered one of the country’s 16 Critical Infrastructure Sectors. According to the Cybersecurity & Infrastructure Security Agency (CISA):

There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Healthcare is vulnerable and targeted, in part, due to the rapid adoption and deployment of technology driven by the COVID-19 pandemic and a lack of available cybersecurity talent to harden networks and strengthen defenses. The rapid scaling and implementation of technology to meet needs and demand during the pandemic produced a larger “attack surface that was less well defended.” As hospitals focused on patient care, the attacks increased, stretching already thin resources to the limit, further constraining the ability to invest in additional security. As the industry works to close the gaps, recruitment and retention of cybersecurity professionals is a challenge, as lack of talent creates intense competition for services across industries.

The Healthcare and Public Health sector is the hub that protects all the other sectors against natural disasters, infectious diseases, outbreaks, and even terrorism.

Additionally, the compromised patient information (including credit card information, health insurance information, clinical detail) is worth a lot of money. The healthcare industry has increased its use of remote data, leaving each organization to address new vulnerabilities. Clinical workers need to have easy, streamlined processes to ensure timely care to patients. With the myriad of devices used in patient care, clinical workers are not always trained on cybersecurity measures, even though workers share data for patient care. Lack of training and outdated technology makes healthcare a desirable target and increases the healthcare industry’s challenges. An increase in remote, off-site work creates new challenges for non-clinical workers. Studies show workers have become more comfortable using company computers for non-related work items, such as checking personal emails, social media, shopping, etc.

Not only is the information available in the healthcare setting valuable (with each healthcare record worth up to 10 times that of credit card numbers), but the attack surface is vast. According to the Healthcare Information and Management Systems Society (HIMSS) (a nonprofit organization focused on improving healthcare worldwide through information and technology), in addition to standard attack vectors, the attack surface includes:

[V]arious types of specialized hospital information systems such as EHR systems, e-prescribing systems, practice management support systems, clinical decision support systems, radiology information systems and computerized physician order entry systems. Additionally, thousands of devices that comprise the Internet of Things must be protected as well. These include smart elevators, smart heating, ventilation and air conditioning (HVAC) systems, infusion pumps, remote patient monitoring devices and others.

Implications of the Attacks

The financial impacts of cyberattacks on healthcare organizations can be significant. Beyond the obvious implications if the hospital chooses to pay the ransom, there are other factors, such as HIPAA fines, cost to contact impacted patients, re-educate staff, and regain trust in the communities they serve. The financial impact often costs healthcare organizations millions of dollars for one attack. It is estimated that cyberattacks’ economic impacts on healthcare organizations are three times higher than on other industries. IBM Security’s Cost of a Data Breach Report 2023 states healthcare data breach costs increased 53.3% from 2020 to 2023 and marked the 13^th year in a row as the sector with the most expensive breaches, averaging almost $11 million per breach. The recovery cost for a cyberattack can be significant enough to shutter smaller hospitals, which may face additional barriers in adequately training security staff or affording cybersecurity insurance. The impact of a lost hospital is substantial in any location, but the loss of hospitals in rural areas can be devastating as the loss of a local facility may add significant commute and response times for medical care. There may also be an increased demand for service at remaining facilities, or patients may forego care entirely.

Attacks on healthcare are not just financial attacks – they are attacks on human life. These attacks put patients at risk, such as disrupting patient monitoring during electronic system downtime. The inability to see records, test results, appointments, scans and images, and real-time monitors can delay or prevent appropriate patient care. Additionally, manual updates to patient records can lead to a lack of communication, delay in care, or increased errors in patient care. System downtime can also lead to the cancellation of scheduled and elective care, ambulance diversion, and loss of communication with other hospitals and healthcare entities. Cyberattacks during periods of increased vulnerability – such as COVID-19 when the healthcare industry was already under significant strain – can lead to increased risk and impact on patients.

In the wake of the cyberattack on Scripps Health (San Diego, CA) in 2021, the University of California San Diego Health Center (UCSDHC) published a report tracking impacts on their hospital from the attack on the neighboring facility. The report noted increases in:

[P]atient census, ambulance arrivals, waiting room times, patients left without being seen, total patient length of stay, county-wide emergency medical services diversion, and acute stroke care metrics.

These findings demonstrate the increased strain on functional hospitals in the wake of cyberattacks and follow the CISA reporting on the impacts of COVID-19 on the healthcare infrastructure. The CISA report noted the larger the strain, the larger the degradation in patient care and the cascading effects on infrastructure overall. The results of a cyberattack hitting a hospital or other healthcare facility ripple throughout the community as a wide-scale assault, not a pinpoint strike.

There have been growing concerns in recent years about the impact on patients in the event of cyberattacks, for example:

• A 2019 attack at Springhill Medical Center, Alabama, resulted in a lawsuit alleging responsibility for the death of a newborn. The lawsuit states that the medical center did not properly notify the patient of the cyberattack and led the patient to believe that operations were normal when monitoring was not up to par. Lack of fetal monitoring resulted in staff not realizing that the umbilical cord was wrapped around the baby’s neck, resulting in brain damage and ultimate death.
• In 2020, a patient traveling via ambulance in Germany was diverted to another hospital due to an attack, delaying care for an hour – the patient died shortly after.
• A 2022 claim at a hospital in Des Moines, Iowa, stated that a child received five times the normal dose of a medicine due to system downtime due to an attack.
• In 2022, a patient’s cancer treatment was delayed for a week due to an attack that prevented clinical staff from accessing the patient’s treatment plan.

A 2021 Ponemon Institute study, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care, surveyed more than 600 practitioners in healthcare organizations regarding cyberattacks and outcomes. Approximately one-quarter of respondents reported increased mortality rates after attacks, and over two-thirds noted disruption of care.

Path Forward – What Is Needed?

The need for additional support and training for healthcare has been discussed well beyond the sector, with two pieces of legislation introduced at the federal level. In 2022, the Healthcare Cybersecurity Act of 2022 was introduced in the Senate and House and would require HHS “to undertake activities to improve the cybersecurity of the healthcare and public health sector.” Under this legislation, HHS would coordinate with CISA, which would provide threat indicators and defense measures available to all entities receiving information through HHS programs. Further, HHS would be required to provide training on risks and mitigation strategies to those across the sector and identify risks in rural, small, and medium-sized entities, workforce shortages, and other challenges. In 2023, senators also introduced S.1560, the Rural Hospital Cybersecurity Enhancement Act, which would require CISA:

[T]o develop and annually report to Congress about a workforce development strategy to address the unmet need for cybersecurity professionals in rural hospitals…[and] disseminate materials that rural hospitals may use to train staff about cybersecurity.

Both pieces of legislation remain in the introductory stages with respective committees.

While Congress works to provide additional resources at that level, federal agencies and public-private partners continue to provide resources and training for the Healthcare and Public Health sector. CISA offers a variety of resources across critical infrastructure sectors, from news and updates on threats to training, resources, and services. These resources range from how to set up an anti-phishing program for an organization to cyber-incident response and are identified by the topic and level (foundational to advanced). Training opportunities include cyber range events, exercises, incident response, insider threats, and more. CISA also offers several programs, including the Cybersecurity Awareness Program, which can provide individual users with additional information, resources, and tools to stay safe online. Resources specific to the Healthcare and Public Health sector include ransomware awareness and updates, information on malware and threat actors targeting healthcare, and explanations of Domain-Based Message Authentication, Reporting, and Conformance (DMARC) and Multi-Factor Authentication (MFA).

The U.S. Department of Health and Human Services also provides resources and training to the Health and Public Health Sectors. Many of these offerings are hosted and managed by the HHS’ 405(d) Program, which is a collaboration between HHS and industry:

[T]o align healthcare industry security practices to develop consensus-based guidelines, practices, and methodologies to strengthen the healthcare and public health (HPH) sector’s cybersecurity posture against cyber threats.

The initiative offers publications, education, news, and a resources library free of charge, including best practices, infographics, analyses, and more. In April 2023, the HHS 405(d) Program released three additional resources: Knowledge on Demand, Health Industry Cybersecurity Practices (HICP) 2023 Edition, and Hospital Cyber Resiliency Initiative Landscape Analysis.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a federally funded organization that provides incident response support and information sharing to state, local, tribal, and territorial (SLTT) organizations at no cost, including free access to the Malicious Domain Blocking and Reporting (MDBR) tool. This tool prevents users’ systems from connecting to harmful websites and mitigates malware, ransomware, phishing, and other threats.

HIMSS offers training and collaboration on safety and security matters and seeks to enhance systems’ interoperability across healthcare. Organizations with local chapters can provide additional training, like the Cloud Security Alliance, ISACA, the International Information System Security Certification Consortium (ISC2), Information Systems Security Association (ISSA), and many others, depending on the budget and scope desired.

Conclusion

Ransomware and data breaches will likely continue to increase before effective controls can be found and implemented. Engaging with law enforcement partners before and immediately following a breach are opportunities to improve security and minimize impacts for organizations. As noted previously, the value of healthcare records and large attack surfaces make healthcare an attractive target, and one where cybersecurity often is seen as secondary as organizations focus on patient outcomes and scarce resources. A renewed focus on training and keeping up with changes in attack vectors and technical details of attacks will be crucial in the months and years ahead. With phishing the leading attack vector, concentrating on awareness and training in that area can provide the most significant return on investment. Engaging with users and building a culture of compliance and awareness, not for the program’s sake but for the system’s security and the safety of the patients, should be a focal point for investment and development.