Keeping Up Our Guard and Fighting Back Against Cybercrime

It seems like barely a week goes by without a new cyberattack that affects health care providers. Often, it’s a ransomware attack conducted by foreign criminal gangs, which are provided safe harbor by hostile nation states, that targets a mission critical third-party service provider or supplier, like the attack on UnitedHealth Group’s Change Healthcare or the recent attack on OneBlood. 

These attacks are designed to cause maximum delay and disruption to patient care, shutting down vital systems and putting patient care and safety at risk. They not only threaten the safety of patients in the hospital, but also threaten the safety of the entire community that depends on the availability of their closest hospital, especially their emergency department.

As John Riggi, AHA’s national advisor for cybersecurity and risk, commented in a recent podcast about the sharp uptick in such incidents, “If there was ever any question that the intent of these gangs was to harm patients, it is clear now that is their fundamental intent. These ransomware attacks are not data crimes, but life-threatening violent crimes. The ransom demand is in fact an extortion based upon the risk to patient safety.”

The AHA has long been committed to doing everything possible to provide our members with the knowledge, tools and support to protect their  ability to provide great care for the patients and communities they serve. Cybercriminal tactics are sophisticated, evolving and relentless. That’s why we continue to call for a whole-of-nation-approach, including support from our federal partners, to bolster cybersecurity efforts and defend against and deflect cyberattacks.

The AHA is working on these efforts in a number of ways.

Information and Resources for Hospitals. The AHA has established strong relationships with federal law enforcement and national security agency partners so we can serve as a primary informational conduit providing the field with timely alerts and advisories that recommend steps hospitals and health systems can take to bolster their defenses, whether by an immediate software patch, creating a long-term incident response plan or other important actions. 

While hospitals and health systems have prioritized cybersecurity, some organizations may lack sufficient resources to fully implement the necessary and rapidly changing cybersecurity defenses. To assist hospitals and help fill the cybersecurity resource gap, the AHA took the initiative to work with the White House and trusted cybersecurity providers included in the AHA’s Preferred Cybersecurity Provider program to develop a package of free and heavily discounted offerings for AHA members. The AHA  worked with Microsoft, Google, AON, Censinet, Critical Insight and Cylera to curate free and discounted services to hospitals across the country. Please view the AHA webpage for more details and specific offers.

Working with Federal Agencies. It is clear by the recent waves of attacks that our cyber adversaries are intent on disrupting health care delivery on a systemic level. It’s also clear that all stakeholders, including all parts of the federal government, need to take steps to respond to this increased threat. That’s why we continue to strongly urge our government partners to do more to disseminate threat intelligence, use all their capabilities — including military and intelligence offensive cyber capabilities — to disrupt these actors before they attack, and prepare to assist when an attack does occur. Defense alone will not deter our cyber adversaries. A strong, swift and certain response from the federal government and allied nations to increase risk and consequences for cyber adversaries must also be part of the solution.

Meanwhile, the Administration continues to discuss potential regulations aimed at strengthening cybersecurity. We are working to ensure that whatever approach is taken is consistent with the Department of Health and Human Services’ voluntary Cybersecurity Performance Goals that we helped develop and that we urge all hospitals to adopt; that any standards apply to third parties we interact with across the health care sector — particularly given so many intrusions have occurred through those channels; and that resources are provided to hospitals and health systems to implement such changes.

In some ways, cybercrime is like a chronic disease. It may not be curable, but it can be managed, and the risk of becoming “infected” can be reduced if all parts of the health care sector and the government share responsibility and each do their part to protect the health care infrastructure we all depend on to advance health in our nation.