U.S. hospitals, following decades of chronic underfunding in their cybersecurity infrastructures and after two years of operating in a major pandemic, could be teetering on the edge of a major cyber threat stemming from Russia's unprovoked invasion of Ukraine, experts said last week at HIMSS.
Providers already had a tough time keeping up to speed with technological investments, even before COVID-19 forced them to funnel additional resources into patient care. Now, on the heels of that, this major international threat is creating "this perfect storm," Mac McMillan, CEO of IT consultancy CynergisTek, told Healthcare Dive.
The Biden administration warned about the potential for Russian cyberattacks in February, leading a major hospital lobby to urge facilities to shore up their cyber defenses. Cyberattacks are hazardous for any business but particularly disastrous for hospitals, as — on top of steep financial losses — they also contribute to loss of life.
"Anytime you have a downtime and it goes longer, the cost goes higher," Melissa Hall, chief information officer at regional Maryland system Calvert Health, said on a Wednesday panel.
Despite the elevated risk landscape, emergencies can be minimized if hospitals increase their investments in cybersecurity tools and staff and focus on perfecting the basics of threat prevention, experts said.
"Disasters can and should be prevented," Hector Rodriguez, a security and compliance specialist at Amazon Web Services, said Wednesday. "Healthcare needs to become more resilient."
'On high alert'
Healthcare was already behind other industries on cybersecurity, partly because regulations requiring improvements in technology and cybersecurity kicked in more recently by comparison. Many hospitals and other medical companies are only now seeing security start to improve, experts said at HIMSS, though not enough dollars are flowing into cybersecurity to meet today's high levels of threat.
Hospitals only spend about 5% of their IT budgets on cybersecurity, despite more than four-fifths of facilities experiencing a significant security incident, according to a HIMSS cybersecurity survey from 2019. That year, fewer than half of healthcare organizations met national cybersecurity standards, even as cyberattacks became more complex.
"People don't spend money on this until it becomes real," McMillan said. "The biggest cost in all of this is going to be the damage."
COVID-19 has exacerbated that problem, as hospitals invested less in their IT infrastructures and reoriented resources to combat wave after wave of the virus.
The pandemic has also opened up new opportunities for infiltration, as the use of less-secure personal devices to conduct work tasks exploded, contributing to an increase in cyberattacks and data breaches.
Rampant turnover is also contributing to hospitals' IT weakness, as key staff who maintained these defensive tools and technologies left for other opportunities.
"They always were underfunded and didn't have the resources and now it's even more so," Joe Partlow, chief technology officer at cybersecurity company ReliaQuest, told Healthcare Dive. "The problem obviously is if your core team with all that knowledge left, the new team coming in or lack of team coming in, really has to fill in the gaps."
Staff is a big challenge, said Tamra Durfee, virtual information security officer at health cybersecurity consultancy Fortified Health. "Having skilled resources, especially in healthcare — I'm really seeing hospitals struggling with that," Durfee told Healthcare Dive.
These stressors have coincided with hospitals shifting more and more of their data off premises to the cloud, something that saves money and allows for more data agency. It also makes them more vulnerable.
Knowing how to secure the cloud assets is new to a lot of provider teams, experts said, and the more externally facing tech hospitals have (including internet-connected medical devices with little-to-no cybersecurity features), the more open they are to attack.
"The attack surface for a hospital today is so broad, that any attack anywhere is potentially a risk," McMillan said. "Anything that's not on premises, is now at a bigger risk."
In addition, the landscape is always shifting, meaning — despite medical organizations' best efforts — it's impossible to be fully prepared. As they update their defenses, hackers are updating their attack modalities. Some are even starting to use artificial intelligence, and you can even buy ransomware starter kits on the dark web, Durfee said.
"I don't think any organization can ever say they're 100% prepared, because it's always changing," Durfee said, noting even among healthcare organizations laser-focused on cybersecurity, "I think it ranges from 50% to 75% prepared, but yeah. You can never be 100% prepared."
All in all, that has left the sector vulnerable to threats, even though ransomware was already a growing danger before the Russia-Ukraine situation brought cybersecurity to the fore of public consciousness.
"We're always on high alert," but things like COVID-19 and Russia create additional concerns, Roger Perkins, executive director of information technology at Wyoming hospital St. John's Health, told Healthcare Dive.
Russia-Ukraine
The American Hospital Association warned hospitals in February that they could be directly targeted by Russia, or be hit by malware or ransomware stemming from the conflict. The fear is that such attacks could disrupt hospitals from providing patient care.
The war is a huge potential threat — but, as far as we know, nothing's happened yet with regard to cyberattacks in this area.
"A lot of our customers are concerned if they're going to get targeted or not. We have not yet seen any targeted attacks against the customer," even those with operations in Ukraine, Partlow said.
"It's not a risk yet per se, but it's definitely a concern," said McMillan.
We're currently in a unique period where it's not to Russia's strategic advantage to lob cyberattacks against the U.S., for fear it could bring the nation — and its allies — into the war, according to the longtime security expert.
However, if Russian President Vladimir Putin becomes more desperate, or the U.S. does step into the fray for whatever reason, "all bets are off. And then it's a big risk," McMillan said. "I think if you're a hospital today, what you have to do, in my opinion, is assume that it could escalate."
It remains to be seen whether hospitals will be targeted. It's more likely a concentrated campaign of cyberattacks will be focused on U.S. infrastructure and supply chains, with the goal of disrupting internet, energy, fuel and communications — all things hospitals rely on in order to provide patient care, experts say.
"If I take your internet away, I've affected you. I've affected telehealth, I've affected remote users, I've affected third-party suppliers. So I can create a lot of havoc, a lot of chaos, a lot of disruption, and not ever attack a hospital directly," McMillan said.
In addition, the flurry of cyberattacks between Russia and Ukraine could result in a lot of new, more destructive types of cyber warfare. Bad actors could use these new techniques against organizations down the line.
"We're more concerned for sure with the tools that are being used between Russia and Ukraine — and obviously, there's a very mercenary, kind of underground hackers helping Ukraine and probably Russia as well — having those tactics and techniques get picked up by the greater kind of criminal element that really don't care. They're just going to use it later on for spreading their own ransomware," Partlow said.
Back to basics
To defend themselves in this high-risk atmosphere, hospitals need to focus on the basics of implementing a well-rounded security program, experts said.
"There's always a new threat coming out. Anytime a new threat comes out, it's really a lot of the same recommendations," Durfee said. "At the end of the day, there's going to be another threat in two months or six months. It's never going away."
One of the most important first steps is making sure IT executives have visibility into their environments and know what the risks to their business are. Cyber teams also need to focus on patch and vulnerability management, endpoint protection, and DevOps and application security.
"Kind of prepare for the normal stuff. Just make sure you're covered," Partlow said.
Particularly important is instituting multifactor authentication, wherein a user only gets access to a website or app after presenting multiple pieces of evidence of their identity. That needs to be instituted on all outward-facing applications, experts said.
"You want to trust nothing. And then you want to allow only the things that you know into your network. Trust nothing, deny everything and then you only approve what you know is a valid connection," Durfee said.
It's also key that hospitals retain and train their cybersecurity professionals, to ensure active monitoring of threats. If hospitals don't have the scale or resources to have an in-office cybersecurity team, they can turn to managed services, and contract with a third-party company to provide those resources and expertise.
"When you look at the number of health systems today that have active monitoring going on in their environment, even all those investments they've made in all those cyber technologies over the last decade is all for naught if somebody is not watching it," McMillan said.
And hospitals should also have plans in place in case the situation on the ground in Ukraine escalates.
Some attack vectors are specific to hackers from Russia and Ukraine, and concerned cybersecurity executives can focus on those specific vulnerabilities, like shoring up internet-facing parts of their organization, according to experts.
"For Russia and Ukraine, specifically, any external vulnerable points that you have, anything external-facing is vulnerable. And that's why multifactor authentication is really important, because IDs and passwords are so easy to crack nowadays," Durfee said.
Along with being able to limit outside traffic to a network, hospitals should also be prepared in case of supply chain shortages, internet outages or other infrastructure instabilities.
"Somebody in every institution, every business across the planet ought to be sitting there going, 'OK, if the worst comes to pass, and we end up in a major cyber war that is impacting our critical infrastructure, what do I need to do in order to ensure that I can continue to operate?'" McMillan said.