When hospitals are attacked, lives are threatened. This is the reality our entire field faces every day. But the never-ending barrage of ransomware and cyberattacks against the health care sector has only strengthened the resolve of hospitals and health systems to reinforce their defenses and protect safe access to care for patients and communities.

Since the first observance of National Cybersecurity Awareness Month 20 years ago, the scope, frequency and sophistication of cyber incursions into health care have increased steadily. Like a mutating virus, the tactics used by bad actors to steal information, delay and disrupt patient care, and shut down vital systems, putting patient care and safety at risk, continue to evolve.

Hospitals and health systems for years have prioritized cybersecurity, and the good news is their defenses block the majority of attacks. But no individual hospital can defend against all of these very sophisticated nation-state sponsored attacks. We need a whole-of-government approach to preventing and mitigating cyberattacks, including the federal government going after the bad guys just the way it has effectively done in counterterrorism.

The AHA has long been committed to doing everything possible to provide our members with the knowledge, tools and support to protect their ability to provide great care for the patients and communities they serve.

Information and Resources for Hospitals. The AHA has established strong relationships with federal law enforcement and national security agency partners so we can serve as a primary informational conduit providing the field with timely alerts and advisories that recommend steps hospitals and health systems can take to bolster their defenses, whether by an immediate software patch, creating a long-term incident response plan or other important actions.

While hospitals and health systems continue to prioritize cybersecurity, some organizations may lack sufficient resources to fully implement and maintain necessary and continually changing cybersecurity defenses. To assist hospitals and help fill the cybersecurity resource gap, the AHA led efforts with the White House and trusted cybersecurity providers, including those in the AHA’s Preferred Cybersecurity Provider program, to develop a package of free and heavily discounted offerings for AHA members. The AHA worked with Microsoft, Google, AON, Censinet, Critical Insight and Cylera to curate free and discounted services to hospitals across the country. Please view the AHA webpage for more details and specific offers.

A Whole-of-Nation Approach is Needed. It is clear that our cyber adversaries are intent on disrupting health care delivery on a systemic level. We must respond in kind. That’s why we continue to strongly urge our government partners to do more to disseminate threat intelligence, use all their capabilities — including military, intelligence and offensive cyber capabilities — to disrupt these actors before they attack, and prepare to assist when an attack does occur. A strong, swift and certain response from the federal government and allied nations to increase risk and consequences for cyber adversaries must be part of the solution.

Meanwhile, the Administration continues to discuss potential regulations aimed at strengthening cybersecurity. We are working to ensure that whatever approach is taken is consistent with the Department of Health and Human Services’ voluntary Cybersecurity Performance Goals that the AHA helped develop and urges all hospitals to adopt; that any standards apply to third parties we interact with across the health care sector — particularly given so many intrusions have occurred through those channels; and that appropriate resources are provided to hospitals and health systems to implement such changes.

In addition, some proposals in Congress, including a bill introduced in the Senate last week, need further refinements. For example, levying significant financial and criminal penalties on hospitals or health systems that are victims of a cyberattack is misguided.

The bottom line: Ransomware and cyberattacks that threaten patient care are not going away. But they can be managed. And the risk of becoming “infected” can be reduced if all parts of the health care sector and the government share responsibility and each do their part to protect the health care infrastructure we all depend on to advance health in our nation.
