
U.S. hospitals warned about potential Russian cyberattacks


 

Hospitals better prepared, but still have gaps

Like Mr. Riggi, Mr. McMillan said that the healthcare industry is better prepared for cyberattacks now than it was in 2017, when the NotPetya assault on Ukraine’s online infrastructure created considerable collateral damage in the United States. However, he said, hospitals still have a long way to go before they can counter and/or recover from a dedicated Russian government cyberattack.

The NotPetya malware, Mr. Riggi said, was of the destructive variety. “That digital virus spread uncontrollably across the globe like a biological virus. All the organizations and institutions that had contact with Ukraine became infected.”

According to an indictment of six GRU officers that the Department of Justice announced in December 2020, NotPetya disrupted operations at a major pharmaceutical company, subsequently revealed to be Merck, and hospitals and other medical facilities in the Heritage Valley Health System in Pennsylvania. In addition, it temporarily shut down the transcription services of Nuance Communications, which lost $98 million as a result. Merck received $1.4 billion from an insurer to cover its NotPetya loss, Bloomberg reported.

That incident prompted the AHA to urge hospitals to use “geo-fencing” to block online communications with Ukraine and neighboring countries. However, Mr. Riggi said, that solution is not very effective because hackers commonly use proxy servers in other countries to forward their malware to the intended target.

The AHA alert included a list of actions that hospitals and health systems could take to reduce their vulnerability to Russian hacking. Besides geo-fencing, the AHA suggested that hospitals:

  • Heighten staff awareness of the increased risk of receiving malware-laden phishing emails;
  • Identify all international and third-party mission-critical, clinical, and operational services and technology and put in place business continuity plans and downtime procedures;
  • Check the redundancy, resiliency, and security of the organization’s network and data backups;
  • Document, update, and practice the organization’s incident response plan.

Hospitals increasingly targeted

In recent years, Mr. Riggi noted, hospitals have invested much more in cybersecurity than before, and hospital executives have told him that this is now one of their top priorities, along with COVID-19 and workforce issues. This is not only because of NotPetya but also because healthcare facilities are increasingly being attacked by foreign ransomware gangs, he said.

The hospitals’ biggest vulnerabilities, he said, are phishing emails, remote desktop access, and unpatched vulnerabilities, in that order. It’s not easy to remedy the last of these, he observed, because hospital networks can include up to 100,000 connected medical devices and other computers that can access the network, both within and outside the hospital.

“With the new work-at-home environment, you may have thousands of employees who are using the network outside the traditional perimeter of the organization,” he pointed out. “There’s no longer that standard firewall that protects everything.” In addition, he said, hospitals also have to depend on vendors to develop patches and implement them.

In Mr. McMillan’s view, the healthcare industry is a decade behind the financial industry and other sectors in cybersecurity. Among other things, he says, “half of our hospitals still don’t have active monitoring on their networks. They don’t have privileged access on their networks. A bunch don’t have segmentation or endpoint protection. There are so many things that hospitals don’t have that they need to fend off these attacks — they’re better off than they were in 2017, but they still aren’t where they need to be.”
