Cyberattacks are increasing globally and in the U.S., with health care organizations, especially hospitals and health systems, being prime targets.

A recent report from Check Point Research found that:

  • The U.S. saw a 57% increase in the number of cyberattacks in 2022.
  • Health care organizations in the U.S. suffered an average of 1,410 weekly cyberattacks per organization, which is 86% higher than in 2021.
  • The health care sector ranked second out of all sectors for the most cyberattacks in the U.S.

The AHA has long been committed to helping hospitals and health systems defend against and deflect cyberattacks that can threaten patient care and compromise patient safety. AHA’s National Advisor for Cybersecurity and Risk John Riggi, a former FBI executive with decades of experience on the front lines of cyber issues, leads these efforts.

In addition to providing support to individual hospitals and health systems, AHA continues to share information and guidance with the field on the latest cyberthreats. We also have a full suite of tools and resources for members, including AHA-vetted cybersecurity services provided by outside consultants that have a proven track record of working with organizations to develop the defenses needed to protect patients and communities.

Hospitals and health systems have prioritized protecting patients and defending their networks from cyberattacks. However, we’ve stressed that an all-government approach is necessary, given that the field continues to be targeted by sophisticated cyber adversaries and nation-states, such as Russia, China, Iran and North Korea.

That’s why the AHA continues to work closely with federal partners, including the FBI, Department of Health and Human Services, Cybersecurity and Infrastructure Security Agency and many others on efforts to prevent and mitigate cyberattacks. And we are having success.

Just last week, the FBI, Department of Justice and other law enforcement agencies announced major action to disrupt and dismantle the Hive ransomware gang that targeted hospitals and other critical infrastructure. Hive was particularly active in targeting our field, using a sophisticated ransomware extortion plot to shut down hospital networks, encrypt and steal hospitals’ most sensitive data, hold it hostage, and disrupt and delay health care delivery.

AHA is pleased to see a notable shift in how federal agencies tackle cyberthreats against our field. We have worked closely with federal partners to elevate the investigative priority of ransomware attacks from economic crimes to what they really are: crimes against human life that have serious consequences for patients. The strategies that helped detect, deter and disrupt terrorist organizations are now being applied to protect the health care sector. The AHA supports these efforts.

As we continue to partner with federal agencies to mitigate cyberthreats, we also are working with Congress and the Administration to advance policies that assist in protecting health care services, data and patients from cyberattacks.

Among other priorities, we’re advocating for policies to increase government cybersecurity assistance, increase collaboration and coordination among federal departments and agencies, recruit additional cybersecurity workforce, improve medical device security and enhance information sharing.

We’re also pushing for a change in how victims of cybercrimes are viewed. Those targeted by cyberattacks should be supported, not assigned blame. It seems like a simple thing, but too often there is an unfortunate narrative in the public that targeted organizations were at fault or unprepared.

We are pleased that Congress passed legislation providing regulatory relief for HIPAA-covered victims of cyberattacks who can demonstrate they have been following recognized cybersecurity practices, and we are supportive of a “safe harbor” for health care organizations that implement recognized security measures.

Hospitals and health systems will continue to prioritize cybersecurity efforts to protect their patients. And the AHA will continue to be your partner in those efforts.
