HHS unveils Cybersecurity Resiliency Landscape Analysis, as cyber attacks become more sophisticated

The U.S. Department of Health and Human Services (HHS) 405(d) Program conducted a Hospital Resiliency Landscape Analysis that reviewed active threats attacking hospitals and the cybersecurity capabilities of hospitals. The document provides a benchmark of best practices and opportunities for improvement in hospital cyber resiliency, in addition to assessing hospitals’ current cybersecurity capabilities and readiness and may inform future federal policy decisions on how to improve their resiliency.

The document, titled ‘Hospital Cyber Resiliency Initiative: Landscape Analysis,’ highlights findings and issues affecting the cybersecurity resiliency of U.S. hospitals. The study had two objectives. The first was to develop a clear understanding of the current cybersecurity capabilities and preparedness of participating U.S. hospitals, as well as their ability to combat cyber threats.

The second was to share the analysis and findings with the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) for consideration as one of several inputs informing prioritized cybersecurity practices for U.S. hospitals, as well as other measures the federal government might undertake to improve hospitals’ cybersecurity resilience.

The latest HHS document joins the Health Industry Cybersecurity Practices (HICP) document, released earlier this week, which came in three parts – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (main document); Technical Volume 1 covering cybersecurity practices for small healthcare organizations; and Technical Volume 2 covering cybersecurity practices for medium and large healthcare organizations. Closely aligned to the NIST Cybersecurity Framework, the document aims to raise awareness, provide vetted cybersecurity practices, and move towards consistency in mitigating the current most pertinent cybersecurity threats to the sector.  

The latest study was accomplished by evaluating the current cyber threats faced by hospitals and the healthcare and public health (HPH) sector, as well as conducting an analysis of hospital cybersecurity capabilities and resources benchmarked against the HICP publication. To achieve these objectives, the analysis utilized multiple sources of data in three categories, including threat data from private and public partners to compare U.S. hospital systems’ cybersecurity capabilities against the most prevalent methods cyber adversaries use to break in and cause disruptive attacks. The data for this study were chosen due to the breadth and depth of coverage of cyber practices, and specifically their connection to both the NIST CSF and HICP. 

The two primary quantitative studies are CHIME Most Wired Survey, sponsored by First Health Advisory, completed in 2022, and Censinet/AHA/KLAS study with normalized data collected by hospitals from 2021, completed in March this year. The two study instruments allowed for comparative analysis across these factors. Additional analyses were conducted on data collected through the HSCC JCWG. The agency also conducted 20 conversations with geographically and demographically diverse hospitals. 

The Cybersecurity Resiliency Landscape Analysis reported key observations drawn from the two quantitative studies combined with the participating hospital conversations. Among them: directly targeted ransomware attacks aimed at disrupting clinical operations are an outsized and growing cyber threat to hospitals. It also found that variable adoption of critical security features and processes, coupled with a continually evolving threat landscape, can expose hospitals to more cyber-attacks, while hospitals report measurable success in implementing email protections, email being a key attack vector.

The document also found that supply chain risk is pervasive for hospitals and that medical devices have not typically been exploited to disrupt clinical operations in hospitals. It also identified significant variations in cybersecurity resiliency among hospitals. Another disclosure was that the use of antiquated hardware, systems, and software by hospitals is concerning: 96 percent of small, medium, and large-sized hospitals reported operating with end-of-life operating systems or software with known vulnerabilities, a figure that includes medical devices.

The analysis also disclosed that cybersecurity insurance premiums continue to rise. On average, cybersecurity premiums increased by 46 percent in 2021. Five of 56 hospitals surveyed in 2022 experienced increases of more than 100 percent, whereas 32 experienced increases just below 35 percent. Another highlight was that securing cyber talent with requisite skills and experience is challenging. It also disclosed that adopting HICP improves cyber resiliency. 

The Cybersecurity Resiliency Landscape Analysis said that ransomware attacks in the HPH sector are also evolving; adversaries are using a combination of extortion tactics to fulfill their objectives. “Typically, adversaries will take the path of least resistance in the furtherance of the damage they aim to cause. They will look to apply their resources in the cheapest and easiest method possible. This could occur from vectors external to the hospital (e.g., the internet) or from inside the hospital (e.g., connections to third-party suppliers),” it added. 

Adversaries may choose to elevate their attack when ransom demands are not met by either conducting a DDoS attack against the victim, demanding ransoms from those most affected by the release of sensitive information (patients, hospital affiliates, etc.), or both. In fact, in recent months, the number of DDoS attacks on the healthcare sector has grown. 

Data suggests there is general alignment on the need to address these disruptive attacks. The 2023 Annual H-ISAC Threat Report stated that 288 healthcare CISOs listed ransomware as their biggest cybersecurity concern. This finding is also supported by the hospital conversations conducted as part of the Landscape Analysis. Data provided by joint cyber advisories from the FBI, CISA, NSA, and HC3 suggests that the criminals conducting these attacks tend to be organized crime groups, largely, but not exclusively, based in Eastern European countries. Threat actor groups are growing across Eastern Asia and Middle East countries as well.

The analysis also disclosed that most threat actors in the healthcare sector do not have direct intent to inflict harm on individuals, but the aftermath of their actions can result in collateral damage. “Adversaries are improving their capabilities through multiple methods across all sectors, including healthcare. Their attacks are coming in with high velocity, higher quality, and more efficacy. In other words, attacks are faster, smarter, and more organized.”

The Landscape Analysis also aims to determine the current state of cybersecurity capabilities and performance of participating U.S. hospital systems. Evaluation of capabilities included mapping them back to the adversaries’ methods of attack. This linkage is important, as it could help hospitals prioritize the NIST CSF and HICP, and maps to CISA’s Common Performance Goals (CPGs). Additionally, HICP directly correlates to the threats outlined in this analysis, such as ransomware.

Commenting on the Cybersecurity Resiliency Landscape Analysis, John Riggi, national advisor for cybersecurity and risk at American Hospital Association (AHA) said that as high-impact ransomware attacks targeting U.S. hospitals have increased in frequency and severity, often resulting in the disruption and delay of health care delivery, “the federal government has prioritized taking proactive measures to improve our capability to defend against and recover from these attacks.”

“While we agree that U.S. hospitals must do what they reasonably and financially can on cyber defense, we also agree with the recently released White House cyber strategy, which places assistance to victim organizations at the center of the government strategy and emphasizes the need for greater offensive action by the government,” according to Riggi. “It is clear that a combined and coordinated policy of defensive measures by the field accompanied by offensive action by the government is necessary to reduce cyber risk in a significant and sustainable manner. We look forward to continuing to work with the government and sector partners to help inform this process and shared responsibility to defend the nation’s hospitals and our patients against cyberattacks.”

Last month, the Food and Drug Administration (FDA), an agency within HHS, published final guidance establishing new cybersecurity requirements for cyber devices, including the information that a sponsor of a premarket submission for a cyber device must provide in its submission. The guidance also requires healthcare stakeholders to bring into their infrastructure cybersecurity provisions covering software bills of materials (SBOM) and vulnerability disclosure reporting.