BOSTON – John Riggi, national advisor on cybersecurity and risk for the American Hospital Association, kicked off the 2023 HIMSS Healthcare Cybersecurity Forum here Thursday with a data-rich and provocative discussion that focused largely on the need for local and regional planning for healthcare cyberattacks.
Before the conference, Riggi said he was increasingly concerned about a “dramatic increase” in large-scale ransomware attacks on hospitals and healthcare systems that are crippling hospital computer networks and denying doctors access to much-needed patient information.
In his keynote, Riggi discussed risk anticipation, identification, avoidance, confrontation and recovery – skills he said he has practiced since growing up in nearby Lynn, Massachusetts, and carried with him into a long career with the FBI and the CIA, and which he now takes to the AHA.
He described the scope of the current threat landscape – with bad actors stealing data and causing massive disruptions to patient care, and the intensification of ransomware attacks that are now receiving the same federal priority level as terrorist attacks – thanks in large part to the insistence of Riggi and the AHA.
Cyber attacks and breaches are no longer a victimless white-collar crime, but a critical risk to patient safety.
“Ultimately, we cannot defend our way out of this problem,” said Riggi, who urged the health care industry and the US government to take a more offensive stance.
This year, 100 million patients could be affected by data breaches
Riggi said he considers the U.S. Department of Health and Human Services Office for Civil Rights a “pulse check.” OCR data metrics can help guide the deployment of resources in the fight against cybercriminals, he said.
As of this week, the data indicates that 66.3 million individuals have been affected in 2023 – a 50% increase from last year – with an average of 180,000 individuals per hack.
At that rate, 100 million people are expected to be affected by a cyber data breach this year, Riggi said.
The majority of attacks originate abroad, and 25% are ransomware attacks involving data theft and extortion, he said. Nation-state-affiliated gangs and spies in Russia, China, North Korea and Iran – sometimes collaborating with government agencies such as Russia’s equivalent of the FBI – carry out hacks against healthcare networks.
Riggi reviewed a number of incidents, such as the ransomware group Clop exploiting vulnerabilities in the MOVEit file transfer software. Earlier this year, Clop also stole patient data from Community Health Systems, one of the largest publicly traded hospital systems in the United States, by attacking it through Fortra’s GoAnywhere MFT.
Where is patient data?
While 8% of stolen patient data is taken from electronic health records, most of it is stolen from network servers and email outside the EHR, Riggi said.
“One good thing is that our EHRs are quite secure,” he said. “They certainly aren’t penetrated nearly as much as the servers and email.”
The weak spot is hospital servers and networks. “Our data is everywhere in our networks.”
The other challenge is that data lies unencrypted outside the EHR, he said.
“Probably not a reportable event,” he added.
The “bad guys” look for internet-facing systems. Not all of them are advanced enough to exploit zero-day vulnerabilities.
“Yes, there is some of that,” he said, but “they are hacking before we patch.
“Folks, the bad guys are getting patch updates on Tuesday too. And they’re faster. They’re delivering malware faster before we patch.”
Cyber actors are not only stealing protected health information, they are also after personally identifiable information, medical research and other valuable data sets.
The latest sinister development, Riggi said, is the extortion of individual patients for ransom.
Dr. Eric Liederman, Kaiser Permanente’s director of medical informatics, will discuss this challenge Friday at the Cybersecurity Forum in his session on personal security, culture and generating trust in the health care system.
Three simple questions
The loss of diagnostic data, PACS systems and other IT infrastructure halts the delivery of patient care. Other sources of aggregated data, especially third-party business partners, leave hospitals and healthcare systems vulnerable to high-impact attacks.
“We’ve learned some hard lessons,” Riggi said.
As some recent high-profile attacks have shown, it can take three to four weeks for major IT systems to come back online and a hospital to be operational again.
And in some parts of the western United States, the nearest Level 1 trauma center may be more than 800 miles away – posing a significant risk to patient safety and public health.
Riggi urged emergency management planning, both locally and regionally, and the use of resources such as mutual aid agreements, to address the lack of integration between emergency planning and clinical continuity.
“Business continuity is not the same as clinical continuity, and we must be prepared to continue operations for up to four weeks,” he said.
Many organizations don’t have plans for how they will deliver safe, effective and high-quality care for four weeks, he said. Nor have they accounted for the external consequences for clinics and laboratories.
They need to think, “What technology are we dependent on?”
Also: “What are the externalities?”
Riggi said he recommends asking three simple questions if the internet and internal network are lost in a cyberattack – for every department in the event of a high-impact ransomware attack.
“What will work? What won’t work? And what’s the plan?”
He also advises appointing downtime coaches and downtime safety officers for each department.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.