US Cyberspace Solarium Commission report urges enhanced healthcare cybersecurity amid rising threats

A report by the U.S. Cyberspace Solarium Commission (CSC) 2.0 highlights a significant rise in cyberattacks targeting the healthcare and public health sector since the start of the COVID-19 pandemic. Ransomware attacks, in particular, pose a major threat by encrypting electronic patient records, databases, and equipment, leading to potential patient harm and even fatalities in preventable situations. The secure and uninterrupted delivery of healthcare services is crucial for both individual well-being and national security, underscoring the designation of the healthcare and public health sector as critical infrastructure by the federal government.

The government must collaborate with stakeholders in this sector to increase providers’ resiliency against cyberattacks, Annie Fixler and Michael Sugden wrote in their latest report titled ‘Healthcare Cybersecurity Needs a Check Up.’ The report also provided 13 recommendations directed at the executive branch, Congress, and the healthcare sector to guide the sector into a safer, more resilient future. Industry must invest more in cybersecurity, including properly resourcing security teams, implementing organization-wide cyber hygiene training, and developing contingency response plans for destructive cyberattacks. 

The executive branch must update its strategy for the sector, provide roadmaps to secure key lifesaving services, incorporate stakeholder feedback on cybersecurity goals, and address the rural cybersecurity workforce gap. Finally, Congress should fund relevant executive agencies and programs so they can better support the sector. These recommendations are not exhaustive but serve as a starting point to address the pervasive cybersecurity issues facing the sector. 

The Department of Health & Human Services (HHS) serves as the Sector Risk Management Agency (SRMA) for the healthcare and public health sector. The Division of Critical Infrastructure Protection (CIP) within the Administration for Strategic Preparedness and Response (ASPR) leads critical infrastructure protection efforts for HHS and carries out SRMA responsibilities.

“The healthcare and public health sector faced significant financial struggles long before the ransomware epidemic revealed its frailty. One-third of healthcare facility chief financial officers said their hospitals were in worse condition than 10 years prior, and half said their infrastructure was deteriorating faster than they could accrue the capital to improve it,” the CSC 2.0 report disclosed. “This deteriorating infrastructure compounds financial burdens. Waiting until aging systems fail before replacing them can cost significantly more than proactively replacing them.”

It also disclosed that the COVID-19 pandemic added to the financial burden, costing hospitals an estimated billion in lost revenue alone. Because budgets are so tight and providers focus spending on core services, providers have underinvested in cybersecurity, rendering them vulnerable to attack. Additionally, stealing protected health information (PHI) can be lucrative, as a single medical record can fetch up to on the dark web. PHI commands a high price since it includes not just names, email addresses, and credit card numbers but also medical conditions, health history, and insurance information, which criminals can use to commit fraud.

“The main threat posed by ransomware is the significant delay in patient care that can arise due to system or device shutdowns,” the report revealed. “A survey of medical organizations affected by ransomware attacks revealed that 36 percent saw more complications in medical procedures and 22 percent saw increased mortality rates.” 

Moreover, when ransomware shuts down medical systems and equipment, patients may need to be rerouted to alternative facilities, often farther away. Studies have suggested that even modest delays in emergency room admissions can increase patient mortality.

The report identified that ransomware can also cause cascading problems for an entire region. “Rerouting a large number of patients to other facilities may cause the receiving facilities to experience unexpected strains in bed capacity, supplies, and staffing. When multiple facilities face such strains, an entire region can suffer adverse health outcomes. A study of medical facilities in Vermont showed that, relative to their size, facilities in counties with hospitals hit by ransomware attacks experienced higher excess deaths than other counties,” it added.

Despite the severity of the problem, the CSC 2.0 report said that healthcare providers are not investing enough in cybersecurity. Hiring and training adequate cybersecurity teams is expensive and difficult. Facing other financial constraints, many providers forgo IT staff completely. To make matters worse, many healthcare providers rely on legacy systems whose outdated software or hardware no longer receives security updates from the manufacturer.

In a 2021 survey, 73 percent of respondents reported using legacy operating systems. These outdated, unpatched systems often have known and easily exploitable vulnerabilities. Maintaining legacy systems is costly in the long run, but upgrading them often proves to be too expensive in the short run.

Another major challenge is hyperconnectivity, which increases exposure to cyberattacks. Hospitals have an immense convergence of information technology (IT) and operational technology (OT) systems across a plethora of devices. For example, a hospital will have hundreds of medical devices, numerous computers for reviewing and updating medical records, water treatment facilities, electric systems, and building management technology. Each of these systems requires its own patches and updates to keep it secure, but many may be connected through a central network with little to no segmentation. This connectivity may improve efficiency and reduce cost but can present serious cybersecurity risks.

The industry-led Health Information Sharing and Analysis Center (H-ISAC) found that healthcare companies with more ‘connected medical devices experienced more cyberattacks.’ If hackers manage to exploit a vulnerability in one device, they can reach any system on that unsegmented network. Hackers could hypothetically compromise a water purification system running unpatched software, traverse the unsegmented network, and access sensitive patient information.
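The water-purification-to-patient-records path described above is a reachability question: which zones can a compromised host talk to under the network's allowed flows? The following is an added example, not code from the CSC 2.0 report or H-ISAC, that models a small hospital network as zones with an allowlist of permitted flows and computes that reachability. The host names, zone names, and rules are constructed for illustration; a flat network (every zone may reach every zone) is compared with a segmented allowlist.

```python
"""Zone reachability check for a hospital network model.

Added example, not from the CSC 2.0 report. All hosts, zones and rules below
are constructed and hypothetical; a real inventory would come from the CMDB
and the firewall/VLAN policy.
"""
from collections import deque

# Constructed inventory: host -> network zone.
HOSTS = {
    "water-plc-01": "ot_utilities",          # water treatment controller
    "hvac-bms-01": "ot_building",            # building management
    "infusion-pump-12": "med_devices",       # connected medical device
    "ehr-db-01": "clinical_records",         # electronic health records
    "nurse-ws-07": "clinical_workstations",  # workstation that updates records
}


def flat_network_rules():
    """The 'little to no segmentation' case: every zone may reach every zone."""
    zones = set(HOSTS.values())
    return {(src, dst) for src in zones for dst in zones}


def segmented_rules():
    """Allowlist of permitted (src_zone, dst_zone) flows; anything absent is denied.

    Flows are directional: a pump may push telemetry into the record system,
    but nothing in the rule set lets OT zones initiate toward clinical zones.
    """
    return {
        ("clinical_workstations", "clinical_records"),
        ("clinical_workstations", "med_devices"),
        ("med_devices", "clinical_records"),
    }


def reachable_zones(start_zone, rules):
    """Breadth-first search over the zone graph defined by the allowed flows.

    Returns every zone reachable from start_zone, including start_zone itself
    (hosts in the same zone are assumed to reach each other).
    """
    seen = {start_zone}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for src, dst in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def can_reach(src_host, dst_host, rules):
    """True if a compromise of src_host could open a network path to dst_host."""
    return HOSTS[dst_host] in reachable_zones(HOSTS[src_host], rules)


def exposure_report(rules, target="ehr-db-01"):
    """Hosts whose compromise would give network reach to the target."""
    return sorted(host for host in HOSTS if can_reach(host, target, rules))


if __name__ == "__main__":
    for label, rules in (("flat", flat_network_rules()), ("segmented", segmented_rules())):
        print(f"{label}: hosts with a path to ehr-db-01 -> {exposure_report(rules)}")
```

On the flat model every host, the water treatment controller included, has a path to the record database; on the segmented allowlist only the record host itself, the nurse workstation, and the infusion pump do. The pump's continued exposure is the point of running such a check: segmentation narrows the set of devices whose patch status matters for the records system, and the remaining set is what the device patching program has to cover.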

The report identified that in March 2024, Congress appropriated FY 2024 funding for ASPR, enabling it to dedicate more manpower to a greater scope and scale of cybersecurity incidents in the sector. “In March, ASPR requested an additional $5 million for CIP in its FY request, anticipating the growing need to expand its SRMA workforce and capabilities. If funded by Congress, this increase will begin to resolve some of ASPR’s historical under-resourcing.”

With the exception of the CPG grant program which is still years away from implementation, successive administrations and Congresses have done little to directly address the cybersecurity needs of rural hospitals. 

In May 2023, however, a bipartisan group of senators introduced the Rural Hospital Cybersecurity Enhancement Act. The bill would have CISA develop a cybersecurity workforce development strategy for rural hospitals through collaboration with rural healthcare providers and relevant government agencies. The bill would also require CISA to make cybersecurity instruction materials available for rural hospitals to train staff on fundamental best practices. While the bill stalled in the Senate Committee on Homeland Security and Governmental Affairs, its bipartisan support, including from the committee’s chairman, may provide it with a path forward in 2024.

In its recommendations, the CSC 2.0 report identified that healthcare providers’ resiliency to cyberattacks is essential for the continuity of public health services. The solution to current gaps is not reactive regulation that seeks cybersecurity through compliance. Instead, the sector needs a proactive, collaborative approach. This effort should prioritize the security and operational resilience of systems most directly connected to patient care and bolster the capabilities of under-resourced industry stakeholders.

For the executive branch, the CSC 2.0 report prescribes developing new long-term sector-specific cybersecurity objectives; working with industry to identify, prioritize, and secure life-saving services; iteratively updating HHS’s CPGs; accelerating the CPG compliance incentivization program’s timeline; creating a rural hospital cybersecurity workforce development strategy; and reassessing the systemically important entities list.

For Congress, the report suggests ensuring SRMA resources and organizational structure are optimally efficient; increasing funding for HHS’s SRMA capabilities; funding HHS’s CPG resourcing and incentive program; and directing and resourcing HHS to establish a rural vCISO pilot program. For industry, it recommends spending more on cybersecurity, providing cyber hygiene training to all employees, and developing regional contingency plans for healthcare providers.
