Washington — Cybersecurity issues were front and center during the American Hospital Association’s annual meeting this week.
Hospital leaders and industry experts at the trade group conference had one particular incident in mind: the February cyberattack against Change Healthcare.
The attack, perpetrated by Russian-linked ransomware group AlphV, also known as Blackcat, has caused widespread disruptions across the industry. Ransomware groups have published portions of what they say is stolen patient data and threatened to sell more unless Change pays a ransom.
Should the threats prove credible, the impact could be staggering, John Riggi, national advisor to the AHA on cybersecurity and risk, said during a conference panel on Sunday. Change is one of the nation’s largest insurance claims processing centers and touches one in every three patient records.
The Change attack comes as the frequency and scale of cyberattacks in the industry increases. Last year, a record 116 million patient records were compromised across 655 breaches, according to a report by cybersecurity firm Fortified Health Security.
While Change was the first sector-wide attack, it won’t be the last, Riggi warned. Executives, hospital boards and trustees need to better understand current cybersecurity risks and how to prepare their systems for the next attack like Change.
More sophisticated attacks, many from overseas
The majority of healthcare attacks aren’t coming from domestic hackers, experts stressed.
“Almost all cyberattacks against hospitals, including life-threatening ransomware attacks, originate from criminal gangs based in non-cooperative foreign jurisdictions,” AHA’s Riggi said. “That's a euphemism, folks, for Russia, China, North Korea and Iran.”
Last year, 75% of global cyber crime originated in Russia, said Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging technologies at the White House. She accused the Russian government of creating a “permissive” environment that allows cyber crime to flourish.
As a result, attacks against hospitals increased by 120% in 2023 compared to 2022. Impacted organizations paid $1.3 billion in ransoms last year, Neuberger said.
Escalating tensions between Russia and Ukraine, China and Taiwan, and Iran and Israel may seem far away. However, Riggi warned that state-sponsored cyber warfare could have ripple effects on American hospitals.
“Digital viruses are like biological viruses. Once they’re out in the wild, they could spread,” he said. He pointed to 2017, when Russia attacked Ukraine with a novel cyber strategy, which was later used to attack hospitals in Pennsylvania.
The rise in foreign attacks has been directly enabled by the rise of cryptocurrency, which allows organizations to pay hackers and collect ransoms anonymously and quickly, said Neuberger.
The Biden administration thinks cracking down on the flow of cryptocurrency is critical to deterring attacks, but enforcement has been logistically challenging.
It’s almost impossible to freeze cryptocurrency payments, according to Neuberger. Sanctioning cryptocurrency mixer organizations — entities that accept crypto from multiple users and mix it so it’s impossible to discern who sent how much money — is like a game of Whack-a-Mole. The sanctions deter cyber crime for about six months, but then a new mixing organization pops up.
Hospitals must increase their data best practices
As cyber threats escalate, it’s not a matter of if, but when hospitals will be attacked, experts said at the conference.
Health systems must make sure their cybersecurity programs are adequately funded and prioritized, said Stephen Jones, president and CEO of Falls Church, Virginia-based Inova Health System.
Leadership conversations should include a full audit of health system data, said Riggi. Last year, only 8% of patient records were stolen from the electronic health record, according to the HHS. That suggests electronic medical records themselves are mostly secure, but it also indicates hospitals have “medical information everywhere spread out, unmapped and available,” he said.
To tighten up security, data should be encrypted both at rest and in transit. Third-party vendors should also implement best data practices, experts said.
“I really want to emphasize how much of a risk third parties pose to our sector,” Riggi said.
Last year, the majority of the largest breaches stemmed from attacks on hospitals’ third-party business associates, according to HHS data presented by panelists. Given that, it’s imperative health systems “go a lot deeper into the due diligence [process] around these acquisitions,” Jones said.
Due diligence should include inquiring about data security processes, including those of third-party partners, he said. For example, many healthcare providers were impacted after an attack on the file transfer platform MOVEit.
AHA, White House spar over security requirements
Representatives from both the federal government and AHA agreed that data should be encrypted in transit and at rest.
However, the White House’s Neuberger and AHA’s Riggi disagreed over whether hospitals ought to be held responsible for meeting enforceable standards.
The AHA and Biden Administration previously partnered to draft voluntary cybersecurity standards for the industry, which were released in January. The recommendations included offering basic cybersecurity training for employees.
However, the White House has said it wants to put teeth behind those standards, which could include financial penalties if hospitals fail to comply.
“Every time we see [stolen records,] I think to myself why the heck wasn’t that data encrypted?” Neuberger said. “If it was encrypted, even if it's stolen, it can’t be used. And those are the kinds of minimum cybersecurity practices, which in 2024, every entity should be doing, and if not voluntarily, we will be mandating it.”
Riggi argued that the proposed standards only put requirements on hospitals and don’t address vulnerabilities that come from third-party business associates.
Neuberger pushed back, saying hospitals ultimately choose who to purchase technology from. She argued health systems could leverage “the power of procurement” to ensure business associates also complied with data security best practices.