When hospitals are attacked, lives are threatened. This is the reality our entire field faces every day. But the never-ending barrage of ransomware and cyberattacks against the health care sector has only strengthened the resolve of hospitals and health systems to reinforce their defenses and protect safe access to care for patients and communities.

Since the first observance of National Cybersecurity Awareness Month 20 years ago, the scope, frequency and sophistication of cyber incursions into health care has increased steadily. Like a mutating virus, the tactics used by bad actors to steal information, delay and disrupt patient care, and shut down vital systems putting patient care and safety at risk continue to evolve.

Hospitals and health systems for years have prioritized cybersecurity, and the good news is their defenses block the majority of attacks. But no individual hospital can defend against all of these very sophisticated nation-state sponsored attacks. We need a whole-of-government approach to preventing and mitigating cyberattacks, including the federal government going after the bad guys just the way it has effectively done in counterterrorism.

The AHA has long been committed to doing everything possible to provide our members with the knowledge, tools and support to protect their ability to provide great care for the patients and communities they serve.

Information and Resources for Hospitals. The AHA has established strong relationships with federal law enforcement and national security agency partners so we can serve as a primary informational conduit providing the field with timely alerts and advisories that recommend steps hospitals and health systems can take to bolster their defenses, whether by an immediate software patch, creating a long-term incident response plan or other important actions.

While hospitals and health systems continue to prioritize cybersecurity, some organizations may lack sufficient resources to fully implement and maintain necessary and continually changing cybersecurity defenses. To assist hospitals and help fill the cybersecurity resource gap, the AHA led efforts with the White House and trusted cybersecurity providers, including those in the AHA’s Preferred Cybersecurity Provider program, to develop a package of free and heavily discounted offerings for AHA members. The AHA worked with Microsoft, Google, AON, Censinet, Critical Insight and Cylera to curate free and discounted services to hospitals across the country. Please view the AHA webpage for more details and specific offers.

A Whole-of-Nation Approach is Needed. It is clear that our cyber adversaries are intent on disrupting health care delivery on a systemic level. We must respond in kind. That’s why we continue to strongly urge our government partners to do more to disseminate threat intelligence, use all their capabilities — including military, intelligence and offensive cyber capabilities — to disrupt these actors before they attack, and prepare to assist when an attack does occur. A strong, swift and certain response from the federal government and allied nations to increase risk and consequences for cyber adversaries must be part of the solution.

Meanwhile, the Administration continues to discuss potential regulations aimed at strengthening cybersecurity. We are working to ensure that whatever approach is taken is consistent with the Department of Health and Human Services’ voluntary Cybersecurity Performance Goals that AHA helped develop and urge all hospitals to adopt; that any standards apply to third parties we interact with across the health care sector — particularly given so many intrusions have occurred through those channels; and that appropriate resources are provided to hospitals and health systems to implement such changes.

In addition, some proposals in Congress, including a bill introduced in the Senate last week, need further refinements. For example, levying significant financial and criminal penalties on hospitals or health systems that are victims of a cyberattack is misguided.

The bottom line: Ransomware and cyberattacks that threaten patient care are not going away. But they can be managed. And the risk of becoming “infected” can be reduced if all parts of the health care sector and the government share responsibility and each do their part to protect the health care infrastructure we all depend on to advance health in our nation.

Related News Articles

Headline
A United Nations Security Council meeting the week of Nov. 4 discussed ransomware and the severe impacts that cyberattacks can have on hospitals and health…
Headline
AHA President and CEO Rick Pollack was recently a guest on Pinkston's "To the Point" podcast to discuss the future of U.S. health care, touching on a range of…
Headline
The Cybersecurity and Infrastructure Security Agency, FBI and other federal agencies have created a webpage with the latest cyberthreat updates and information…
Headline
The Cybersecurity and Infrastructure Security Agency Oct. 31 issued an alert on a large-scale spear-phishing campaign targeting organizations in several…
Headline
The Health Sector Cybersecurity Coordination Center on Oct. 28 released a report on the "Miracle Exploit," a set of critical vulnerabilities affecting Oracle…
Headline
A new AHA Cyber Intel blog by John Riggi, AHA’s national advisor on cybersecurity and risk, examines current trends and challenges in health care regarding…