Growing need to address cybersecurity challenges across US healthcare sector for improved resilience

The U.S. healthcare sector continues to grapple with cybersecurity challenges, risking patient data and infrastructure. Issues include outdated systems, limited funding for security, and a shortage of skilled staff. Cyber threats like ransomware and breaches pose significant risks, impacting patient information and healthcare services.

The Department of Health and Human Services (HHS) addresses these challenges with resources like the Health Industry Cybersecurity Practices (HICP) and Healthcare Sector Cybersecurity Coordination Center (HC3) guidance. Despite these efforts, healthcare organizations must enhance security defenses through measures like security assessments, network segmentation, and employee training. Investing in technologies like AI and machine learning aids in real-time threat detection and response.

Collaboration and information-sharing among stakeholders across the healthcare sector are crucial for boosting cybersecurity resilience. Partnerships with government agencies, industry groups, and cybersecurity experts help organizations stay informed about threats and best practices. By taking a proactive stance and implementing strong security measures, healthcare entities can improve their cybersecurity posture and ensure the continuity of safe healthcare services amidst evolving threats.

Addressing key challenges and risks in healthcare sector

Industrial Cyber consulted healthcare cybersecurity experts to explore the key challenges encountered by asset owners and operators in the U.S. healthcare sector, focusing on infrastructure, technology, and regulatory compliance. They also delved into the potential impact of emerging technologies like AI, blockchain, and IoT within the healthcare sector, along with an examination of their inherent cybersecurity risks.

Denise Anderson, president and CEO of the H-ISAC

Healthcare is large, complex, inter-connected, and highly regulated, Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center (Health-ISAC), told Industrial Cyber. “The sector uses myriad devices and endpoints, resulting in a massive attack surface. The Health sector contributes to almost 20% of US GDP and, according to the US Census Bureau, is the largest employer in the country. It is also highly targeted by threat actor groups. The Institute for Security and Technology reported at least 299 hospitals suffered ransomware attacks in 2023,” she added.

She added that the Health-ISAC surveyed 400 executives in the health sector and the top five concerns for 2024 were ranked as follows:

  1. Phishing/Spear Phishing Attacks
  2. Ransomware Deployments
  3. Data Breaches
  4. Third Party/Partner Breaches
  5. Social Engineering

When it comes to medical devices (IoT), Anderson pointed out that the top three concerns were meeting regulatory requirements; providing regular and secure updating and patching; and integrating security into the design and development process. “While AI will certainly add to the threat surface because it will allow threat actors to be more sophisticated, it will also aid defenders by helping to identify and protect against attacks,” she added.

Wes Wright, chief healthcare officer at Ordr

“The primary challenge comes down to funding,” Wes Wright, chief healthcare officer at Ordr, told Industrial Cyber. “There are always better technologies to invest in, infrastructure improvements to be made, cybersecurity protections to implement, and regulations that need to be complied with. The difficulty for so many in healthcare is procuring enough funding to support each need.”

Wright noted that emerging technologies can help across the board. “Anything that can make employees more efficient and effective without increasing costs is a win in a cash-strapped industry like healthcare. That said, there are always cybersecurity risks when any new technology – software or hardware – is introduced. Ensuring security must go hand-in-hand with adoption and implementation.”

Chad Holmes, security evangelist at Cynerio

Chad Holmes, security evangelist at Cynerio, told Industrial Cyber that healthcare continues to be the most attacked industry in the U.S. due to a combination of highly valuable patient records (ePHI), technical cybersecurity debt that is approximately ten years behind other industries, limited expertise, and budgetary constraints that hamper the best efforts to adopt modern protections.

“These challenges lead to a frustrating landscape where adoption of advanced technologies created for other industries routinely underperforms in healthcare environments due to a lack of expertise, funding, and support,” according to Holmes. “Further complicating these challenges is the evolving discussion around regulatory requirements, where certain parts of the hospital must invest heavily in meeting and proving compliance while others, including cyber protections, have almost no oversight, guidance or funding to properly inform facilities.”

Holmes added that the most likely end goal is a combination of consolidated protections built specifically for the unique needs of healthcare facilities combined with a reasonable balance of regulatory guidance, training, and funding to ensure those protections are properly deployed.

He added that fortunately, new technologies are emerging that may reduce the costs related to protecting patients and facilities. “Generative AI for example is being used by many startups, including Cynerio, to improve the speed and accuracy of analyzing network traffic to detect and respond to active attacks. The initial results are overwhelmingly positive, with attacks that traditionally take 6-9 months for recovery instead being identified, quarantined, and remediated within a matter of hours.”

Growing need to heighten cybersecurity measures

The experts analyze the healthcare sector’s response to evolving cybersecurity threats, pinpointing key areas requiring increased focus to bolster cybersecurity readiness. They evaluate recent cyberattacks and data breaches in the healthcare industry, emphasizing the imperative for heightened cybersecurity measures. Furthermore, they delve into the lessons that can be learned from these incidents.

Anderson said that the health sector has come a long way. “Ten years ago, the primary concern was around data privacy; today the threats have evolved into operational and patient safety threats.”

She added that the sector has been forward-leaning when it comes to responsible disclosure around vulnerabilities and developing Software Bills of Materials (SBOMs). “Industry, in coordination with HHS, has created frameworks such as Voluntary Cybersecurity Practices and has been sharing earnestly around threats and mitigations,” she added.

However, Anderson pointed out that there are organizations that don’t prioritize cybersecurity when it comes to spending. “It is better to invest several million on a cybersecurity program up front, versus pay tens of millions after an attack, but that takes commitment from the very top of the organization, which in cash-strapped institutions, is lacking,” she added.

Wright outlined that the biggest unaddressed issue in healthcare cybersecurity is the massive increase in connected assets within an organization. “From medical equipment to personal devices, the attack surface grows each time something new connects to the network.”

He added that it is nearly impossible for understaffed and overworked hospital IT teams to have full visibility into everything connecting to their network 100% of the time, which means that the opportunity for a breach is high. Tools or solutions that can automatically provide asset visibility and identify risks beyond what a human could do make it possible to protect the organization.

Wright also mentioned that recent attacks in the healthcare sector show just how important cybersecurity is, as many hospitals have had to shut down operations in response and move critical patients elsewhere. “That is not an acceptable – or sustainable – response industry-wide. That is the lesson we must all learn.”

He also pointed out that most of the attacks on healthcare take advantage of an unpatched vulnerability. “Asset visibility and security tools that can prioritize vulnerabilities based on the risk, identify threats already in the network, or pinpoint anomalous behavior are crucial. More importantly, segmenting parts of the network to prevent lateral movement – even if you’ve been compromised – is a good best practice.”
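The two controls Wright names, risk-based vulnerability prioritization and segmentation that limits lateral movement, can be checked mechanically once an asset inventory exists. The script below is an added illustration written for this article, not Ordr’s or any vendor’s product logic: it ranks a constructed inventory by a weighted risk score (the weights are illustrative assumptions) and flags VLANs where medical devices share a segment with guest or internet-exposed assets, which is the condition that lets a compromised neighbour reach them directly.

```python
"""Risk-ranked asset inventory and segmentation review.

Hypothetical example: inventory rows, field names and scoring weights are
constructed for illustration and are not drawn from any real hospital or tool.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                    # "medical", "server", "workstation" or "guest"
    vlan: str                    # network segment the asset sits on
    max_cvss: float              # highest CVSS base score among unpatched flaws (0.0 = none known)
    internet_exposed: bool       # reachable from outside the hospital network
    days_since_patch: int        # age of the last applied update
    patient_safety_impact: bool  # could a compromise affect care delivery?


# Constructed sample inventory (not real devices)
INVENTORY = [
    Asset("infusion-pump-01", "medical", "clinical", 7.5, False, 400, True),
    Asset("mri-console", "medical", "imaging", 9.8, False, 90, True),
    Asset("patient-portal-web", "server", "dmz", 9.1, True, 10, False),
    Asset("guest-laptop-17", "guest", "clinical", 5.3, False, 30, False),
    Asset("nurse-ws-04", "workstation", "clinical", 0.0, False, 20, False),
]


def risk_score(asset: Asset) -> float:
    """Priority score: worst unpatched flaw, amplified by exposure and
    patient-safety impact, plus a penalty for stale patching.
    Multipliers and thresholds are illustrative assumptions."""
    score = asset.max_cvss
    if asset.internet_exposed:
        score *= 1.5
    if asset.patient_safety_impact:
        score *= 1.5
    if asset.days_since_patch > 180:
        score += 1.0
    return round(score, 2)


def prioritize(inventory=INVENTORY) -> list:
    """Return assets ordered from highest to lowest risk score."""
    return sorted(inventory, key=risk_score, reverse=True)


def segmentation_findings(inventory=INVENTORY) -> list:
    """Flag each VLAN where medical devices share a segment with guest or
    internet-exposed assets. Returns (vlan, medical names, risky neighbour names)."""
    by_vlan = defaultdict(list)
    for asset in inventory:
        by_vlan[asset.vlan].append(asset)

    findings = []
    for vlan, assets in by_vlan.items():
        medical = [a.name for a in assets if a.kind == "medical"]
        risky = [a.name for a in assets if a.kind == "guest" or a.internet_exposed]
        if medical and risky:
            findings.append((vlan, medical, risky))
    return findings


if __name__ == "__main__":
    print("Patch priority (highest risk first):")
    for asset in prioritize():
        print(f"  {risk_score(asset):6.2f}  {asset.name} ({asset.kind}, VLAN {asset.vlan})")
    print("Segmentation findings:")
    for vlan, medical, risky in segmentation_findings():
        print(f"  VLAN {vlan}: medical {medical} share a segment with {risky}")
```

On the sample data the MRI console with a critical unpatched flaw and patient-safety impact ranks first, ahead of the internet-facing portal, and the only segmentation finding is the clinical VLAN where a guest laptop sits beside an infusion pump. In practice the inventory would come from a discovery tool and the weights would be tuned to the organisation’s own risk appetite; the point of the exercise is that both questions become answerable automatically rather than depending on an overworked IT team noticing them.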

Holmes pointed out that the ongoing attacks on the healthcare sector unfortunately highlight the lagging efforts to adopt new protections. “In 2023, nearly 120 million patient records were exposed in the US due to IT or hacking incidents – that’s approximately 1 in 3 patients in the US. Numerous ransomware attacks have shut down hospitals and led to ransom payments routinely in the 7 figures. One recent report notes the number of public ransomware incidents at nearly 50 with nearly $500M in ransoms paid in the first half of the year, but those numbers are likely much higher due to a lack of reporting requirements.”

He added that fortunately, hospitals have recently received updated guidance on how to best protect their environments.

Exploring impact of HHS measures on healthcare organizations

The executives discuss the impact of recent HHS documents, including cybersecurity best practices guidance and regulations, on the operational and decision-making processes of healthcare organizations. Drawing from their experience, they explore the clarity and ease of implementation of these documents for asset owners and operators throughout the healthcare sector.

Anderson said that while frameworks and regulatory actions can be useful, the trend towards mandatory reporting, especially within immediate timeframes, may actually be detrimental by taking resources away from response and recovery and turning them towards compliance.

“Government agencies have done an excellent job listening to cybersecurity leaders and then using those insights to provide guidance and craft regulations that prioritize cybersecurity protections,” according to Wright. “These efforts will pay off by making cybersecurity protections weigh more heavily in the strategy and funding decisions of organizations across the industry. Whether they can fund the needed improvements or not is another story.”

Holmes said that there will always be room for improvement in cybersecurity guidance, but the recently released HPH Cybersecurity Performance Goals (CPG) show that complex practices can be introduced in a simple, consumable, and achievable way. “This new guidance provides sets of Essential and Enhanced Goals that hospitals should be adopting, ranging from basic email security and encryption in the essential goals to more advanced asset inventory, network segmentation, and cybersecurity testing practices in the Enhanced Goals.”

He added that while not perfect, “these goals and associated resources provide an impressive improvement over prior guidance. These goals also help identify the benefits healthcare-focused cybersecurity organizations provide in seamlessly rolling out technologies that address all 10 of the enhanced goals.”

Additionally, Holmes said that resources like CISA’s StopRansomware efforts continue to improve on guidance that will require a combination of public and private cooperation to properly implement.

Assessing financial fallout of breaches 

The executives delved into the financial ramifications of cybersecurity breaches on healthcare organizations, exploring their effects on patient care, trust, and the industry’s overall stability. They also examined how regulatory frameworks and compliance requirements shape the prioritization and allocation of resources for cybersecurity initiatives within healthcare organizations.

For reference, Anderson said that Scripps Health’s ransomware attack cost almost $113 million and the University of Vermont Health Network stated it lost $65 million in its 2021 attack.

She added that the Change Healthcare ransomware attack perfectly demonstrates the urgency of improved cybersecurity measures, the scale of the financial consequences, and the stakes for systemic stability. The attack, which began February 21, is still ongoing and is having tremendous impacts on patients and companies. Some health networks are losing billions of dollars per day.

“At the sector level, we need to have a coordinated response, which entails not just the technical response, but government helping with waiving certain restrictions and providing financial relief temporarily until the system can recover,” Anderson highlighted. “This is why having plans and exercising those plans like we do at Health-ISAC with our partners annually with the Hobby Exercise is vital. Response should be planned and committed to muscle memory.”

Wright noted that cybersecurity breaches have far-reaching implications and have the potential to be catastrophic to affected organizations – and their patients. “We’ve already seen far too many examples of hospitals having to close and divert patients to other locations because of a cyberattack.”

“When patient care is impacted, trust in a certain location or healthcare organization’s ability to provide needed care can be difficult to regain,” he added. “That compounds the funding problem because time and money spent mitigating the effects of a cyberattack is time and money not being used to bolster cyber defenses. A loss of public trust can result in further revenue losses if patient referrals decline; from there, things can quickly snowball.”

He added that there are already questions about how to restore stability in the face of the current ransomware plague spreading across the industry. “New regulations can compel healthcare organizations to spend on security improvements, but money will always be an issue in this industry. Unfortunately, there are always needs that will get preference for funding because, in too many cases, cyberattacks are a theoretical problem – until they aren’t.”

Holmes identified that in terms of finances, there tend to be two well-known attack types to pull from with clear financial consequences – data breaches and ransomware.

“These must be reported to HHS and occasionally result in fines of up to $2M,” Holmes said. “The real damage is within the community though, where doubt and distrust are frequently the first response to a breach notification. Additional direct costs for hospitals include system updates and monitoring for exposed parties.”

He pointed out that the associated costs for ransomware are much larger, but also underreported due to a lack of regulation. “A recent survey conducted by the Ponemon Institute and Cynerio estimates that 47% of hospitals pay the ransom during an attack with the most common (32%) range of payment being $250k-$500k. Other studies vary slightly, but all attribute ransom payments measured at that point or higher. For those that don’t pay the ransom, the payments are even higher – frequently in the $50M – $100M range due to a combination of costs including system recovery, lost revenue, downtime, and lawsuits.”

Some examples include Scripps (~$120M in recovery costs), University of Vermont Medical ($60M), and CommonSpirit ($150M), with many more having not disclosed the costs, Holmes added.

“The largest impact though is to care and the collateral damage caused by cyber-attacks,” according to Holmes. “Take, for example, St. Margaret’s Health in Illinois which had to shut its doors in part due to the financial fallout from a cyberattack. Closure of hospitals combined with known impacts in the form of collateral damage (including increases in patient mortality, deferments, and complications) are having the most direct, but mostly uncovered, impact on patients.”
