Thursday, April 25th, 2024

Senate Homeland Security Committee convenes hearing over cybersecurity threats in healthcare sector

Responding to the severity of cyber threats to the healthcare sector, United States Sen. Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee, convened a hearing this week to address those threats and what the government and providers can do to stop breaches.

“Cyber-attacks on hospitals, and other health care providers, can cause serious disruptions to their operations and prevent them from effectively providing critical, lifesaving care to their patients,” Peters said. “Breaches can also lead to the exposure of sensitive personal and medical information of patients and health care personnel. These relentless cyber-attacks show that foreign adversaries and cybercriminals will stop at nothing to exploit cybersecurity vulnerabilities in our critical infrastructure and most essential systems.”

While cybersecurity threats have increased dramatically across the board in recent years, the healthcare sector is a particular focus of cybercriminals. Reports indicate that ransomware attacks on U.S. hospitals have as much as doubled since 2016, compromising sensitive medical information and directly affecting patient safety and care.

One study, led by assistant professor Hannah Neprash of the University of Minnesota School of Public Health, found that clinics were targeted in 58 percent of healthcare attacks, followed by hospitals at 22 percent, outpatient surgical centers (15 percent), mental health facilities (14 percent) and dental offices (12 percent). Approximately 44 percent of the attacks impacted care delivery. While that impact can be minor, in some extreme cases attacks have been credited with deaths. According to a 2021 report from the IT research group the Ponemon Institute, about one in four healthcare delivery organizations credited ransomware attacks with an increase in deaths.

Witnesses at last week’s Senate hearing included Scott Dresen, senior vice president of information security and chief information security officer for Corewell Health; Kate Pierce, senior virtual information security officer for Fortified Health Security; Greg Garcia, executive director of cyber security for the Healthcare and Public Health Sector Coordinating Council; and Stirling Martin, senior vice president and chief privacy and security officer for Epic Systems.

Collectively, they discussed the challenges facing small and rural hospitals, particularly due to limited financial resources and lack of experience with such threats. CISA and the Department of Health and Human Services (HHS) were also a focus, with witnesses addressing what actions those agencies could take at the federal level to support the healthcare sector. Further, they delved into how these attacks can impact patient care as the healthcare sector struggles to respond. The threat, they concluded, is significant, and witnesses made recommendations that included implementing minimum security standards, funding assistance of various sorts from the federal government, greater coordination, or even, as recommended by Pierce, a new allowance for declarations of emergency for cyber attacks on healthcare systems.

Preparation and response are much trickier than the attacks themselves, Martin said.

“In closing, people often ask me what keeps me up at night. It’s the reality that we have to be perfect 100 percent of the time, and the bad guys only need to be lucky once,” Martin said.