A month after Russia invaded Ukraine, President Joe Biden issued a statement warning that Russia-sponsored hackers might attack U.S. infrastructure in retaliation for U.S. support of Ukraine.
In response to these warnings, the healthcare industry has scrambled to ramp up cybersecurity investment and preparation. However, according to Virginia Greiman, an assistant professor of administrative sciences at Boston University, there’s still more to do. “We haven’t yet reached the point where we’re ready for a full-blown crisis like taking a whole hospital network offline,” she says.
A May 2022 ThoughtLab survey, “Cybersecurity Solutions for a Riskier World,” sponsored by 11 IT and cybersecurity companies including ServiceNow, backs this up. More than a third of healthcare executives say their organizations are “not prepared” for such threats.
In March, the Healthcare Cybersecurity Act was introduced in the U.S. Senate. If passed by Congress and signed into law, it will order the Cybersecurity and Infrastructure Security Agency (CISA) to work with private-sector healthcare officials and the Department of Health and Human Services to better share information, train personnel, and secure medical devices and electronic health records.
When state-sponsored hackers target hospitals, they typically have two goals, says Mike Luessi, general manager of ServiceNow’s global healthcare and life sciences industry business. The first is to sow chaos by taking control of critical patient records. As an example, when British National Health Service hospitals were impacted by the 2017 WannaCry attack, medical teams had to suddenly delay vital surgeries and divert patients to other nearby hospitals. Global intelligence agencies have concluded that North Korea was behind this attack.
The second goal is to disrupt technologies that increasingly deliver direct patient care, such as net-connected pacemakers and implants that fight diseases such as Parkinson’s. Other systems that have been compromised in attacks include blood-product refrigerators and automated drug dispensers, as well as critical systems like hospital heating and air conditioning systems, according to a 2020 analysis by the Geneva Health Forum.
Russia-sponsored hackers are carrying out both, says Luessi. “These are opportunities to hurt a country financially or by causing harm to its people,” he says. “Russian attackers know that delivery of healthcare is an important part of our infrastructure and they want to destabilize that.”
Medical device challenge
The healthcare industry is especially vulnerable to cyberattacks due in part to the increased use of in-home and in-body technologies. Connected activities such as video medical appointments, smartphone apps that monitor vital signs of patients, and medical equipment like pulse oximeters and implanted devices like blood-glucose monitors combine to create an enlarged attack surface.
When healthcare took place under a single roof, it was easier for IT teams to manage devices on their internal network. Whenever a new device was introduced, such as a Wi-Fi–enabled coffee maker or an MRI machine, IT could easily monitor and add it to a white list of approved devices. They could then track the device and apply software patches when necessary to protect the larger healthcare facility from vulnerabilities.
With the explosion of IoT devices across hospitals, clinics, and patients’ homes and bodies, such asset management has become much more complicated. Moreover, physicians themselves are often in charge of budgeting decisions, leaving security and IT teams to explain to nontechnical bosses why additional cybersecurity resources are needed, says Luessi.
Security by design
With the uptick in Russia-led cyberattacks against all types of non-military targets, business executives have to start thinking like military commanders, says Larry Clinton, president of the Internet Security Alliance. “Critical infrastructure is now taking on national security responsibilities,” he says. “Ordinary [businesses] have to be prepared to repel attacks from nation-states. That wasn’t true until recently.”
To address this new reality, a number of healthcare providers are becoming proactive in their preparation for future attacks. For example, Hospital Corporation of America (HCA) and Kaiser Permanente take an always-on approach to cybersecurity, says M. Eric Johnson, a professor of business strategy at Vanderbilt University. Kaiser prioritizes asset management, rigorously keeping track of who has access to sensitive information and vigorously protecting system administrators’ credentials to make sure unauthorized employees can’t slip through a firewall unnoticed. “HCA approaches cybersecurity like a Fortune 500 company, with a full-time CISO and continuous monitoring for threats,” says Johnson.
Regardless of size, all healthcare providers must proactively defend themselves against attacks as the number and seriousness of threats are growing. “At some point, a nation-state sponsored attack will succeed and take many lives,” warns Greiman. “We should not wait until then to make changes.”