Following the U.S. administration's response to rising ransomware and other cyberattacks on the critical infrastructure sector, healthcare sector groups urged President Joe Biden in a letter to strengthen the sector's cybersecurity framework and resilience and to increase the funds available to it.
The Healthcare and Public Health Sector Coordinating Council (HSCC) pointed out in its letter that the recently enacted American Rescue Plan directs US$650 million to the Cybersecurity and Infrastructure Security Agency (CISA) for cybersecurity risk mitigation programs, but no amount has been set aside for the healthcare sector.
“In assessing how the American Rescue Plan, coupled with the recently released Executive Order on Improving the Nation’s Cybersecurity, can measurably strengthen the security and resiliency of the healthcare system and patient safety, we request an enhanced strategic planning process with the Administration that will complement the ongoing cybersecurity partnership between the HSCC, the Department of Health and Human Services and other essential government partners,” according to the HSCC letter.
The HSCC is a private sector-led critical infrastructure advisory council representing large, medium and small health industry stakeholders working with government partners to identify and mitigate threats and vulnerabilities affecting the ability of the sector to deliver healthcare services.
The letter pointed out that the healthcare sector, despite making progress over the past several years, has struggled to keep up with the onslaught of cyber threats without enhanced federal programs and engagement. “We are particularly concerned that lesser-resourced organizations, such as small and medium sized healthcare providers and critical access hospitals, continue to fall further behind. We are only as strong as the weakest link, and it benefits the entire sector when we can improve every entity’s cyber resilience,” it added.
“Cybersecurity incidents are a threat not only to national security, they also jeopardize patient safety, as attacks can cause a denial of service, medical device corruption, and data manipulation that directly impact clinical operations, patient care and public health,” the HSCC letter said. “In addition, healthcare data and information remain lucrative targets for theft and exploitation, particularly through ransomware attacks and COVID-themed social engineering by criminal groups and adversarial nation-states,” it added.
The HSCC also endorsed the aims of the software and technology security recommendations in Section 4 of the Executive Order on Improving the Nation’s Cybersecurity and of the HCIC Report. “We believe that an accompanying investment through the American Rescue Plan toward a structured healthcare cybersecurity partnership will amplify our efforts and help drive a culture of security and resiliency to a health sector that is otherwise stretched to its limits to meet its clinical and public health obligations,” it added.
HSCC has played a role in identifying and addressing numerous weaknesses in the cybersecurity of healthcare systems, operations and supply chains, particularly through industry-developed best practices and guidance (some produced jointly with HHS and FDA) over the past three years. These include resources on medical device product security and management, industry/HHS-developed cybersecurity practices for health delivery organizations based on the NIST Cybersecurity Framework, cybersecurity management of healthcare supply chains, telehealth cybersecurity, and protection of innovation capital, such as vaccine research, against cyber theft.
The healthcare sector faces relentless cybersecurity threats that have grown in magnitude and complexity year after year. The COVID-19 pandemic led to the rapid adoption of digital technologies and increased connectivity, which expanded the attack surface. “The security risk and potential impacts for both ICS and healthcare are often far worse than for typical business IT networks. Unfortunately, ICS is a component of healthcare environments that is frequently overlooked,” Dreamlab Technologies pointed out in a recent blog post.
Digital identity company ForgeRock recently released data showing that healthcare was the most targeted sector, accounting for 34 percent of all breaches. The sector also had the highest average cost per compromised record at $474. “Healthcare is an attractive target because its data is extremely valuable to cybercriminals. Stolen healthcare records can be used to perpetrate medical identity theft, insurance fraud, and other crimes,” according to the 2021 ForgeRock Consumer Identity Breach Report.
The report also identified that the healthcare sector was particularly vulnerable to ransomware attacks due to the COVID-19 pandemic. “Cybercriminals exploited healthcare organizations, knowing many would rather pay a ransom than put patients at risk with a disruption of service,” the report added.
“Healthcare organizations have become a desirable target of cybercriminals because of the vast amount of high-value information they possess—protected health information (PHI), personally identifying information (PII) such as Social Security numbers, and intellectual property related to medical research and innovation,” Justin Vierra, Accenture’s critical infrastructure security senior manager, wrote in a company blog post.
“In fact, stolen health records are worth between 10 and 40 times more than credit card numbers on the dark web. Unfortunately for healthcare organizations, the financial implications of a data breach are now higher than any other industry—2020 figures show an average price tag of $7.13 million per breach,” Vierra added.
The Federal Bureau of Investigation (FBI) recently identified at least 16 Conti ransomware attacks over the past year targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities. Conti exfiltrates victims’ files and encrypts their servers and workstations in an effort to force a ransom payment.