The healthcare sector was the victim of more ransomware attacks than any other sector in 2021.
June 2022 – The Journal of Healthcare Contracting
By Daniel Beaird
Russia’s invasion of Ukraine has marked Europe’s largest refugee crisis since World War II, with more than 6 million Ukrainians fleeing the country.[1] Meanwhile, the war in Ukraine has U.S. health systems and supply chains on high alert for cybersecurity breaches.
Technologies adopted rapidly during the pandemic, such as telemedicine and remote monitoring, are now heavily relied upon. But the sector is susceptible to cyberattacks because of weak cybersecurity infrastructure.
Therefore, the bipartisan Healthcare Cybersecurity Act of 2022 (S. 3904)[2] was introduced in March by Sens. Bill Cassidy (R-LA) and Jacky Rosen (D-NV) to buttress healthcare defenses against potential Russian cyberattacks amidst the war in Ukraine. The Healthcare Cybersecurity Act calls on the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to collaborate with HHS to improve cybersecurity in the healthcare sector.
Shortly after the war in Ukraine began, HHS identified three potential primary threat groups to the U.S. healthcare and public health sector: 1) organizations that are part of the Russian government, 2) cybercriminal groups based out of Russia and neighboring states, and 3) organizations that are part of the Belarusian government.
Healthcare entities have been recognized as critical infrastructure providers (CIPs) for years, and the COVID-19 pandemic underscored this as the healthcare sector faced more ransomware attacks in 2021 than any other CIP.[3] However, according to a cyber readiness report by cybersecurity company Trellix, which surveyed 900 cybersecurity professionals across critical infrastructure sectors in April, the healthcare industry is woefully underprepared to defend against cyberattacks.[4] Nearly three-quarters (74%) of healthcare providers in the report admitted that they had not fully implemented sufficient software supply chain risk management policies and processes. The healthcare sector particularly noted underinvestment as a contributing factor.
While 83% of healthcare services respondents claimed to have implemented some degree of software supply chain risk management policies and processes, the sector significantly trails other CIPs in fully implementing these measures. Difficult implementation (92%), little oversight on cybersecurity products themselves (68%) and a lack of U.S. federal government demands on cybersecurity (83%) were all cited as reasons for a lack of full implementation.
But almost nine in 10 healthcare respondents reported that the need to secure remote access to their enterprise resources became more important to maintaining their cybersecurity posture during the COVID-19 pandemic.
“It all starts with understanding and outlining the risks involved with leveraging telemedicine and virtual operations,” said Ben Schwering, vice president, chief information security officer for Premier Inc., representing an alliance of approximately 4,400 U.S. hospitals and health systems and more than 225,000 other providers and organizations.
“Performing regular risk assessments, documenting standard architecture and data flows, and undergoing formal threat modeling are essential to understand potential risks and weak points and ultimately addressing them,” he said. “One of the biggest lessons from COVID-19 is identity management. Health systems need to focus on securing all identities, including patient, provider and staff, as well as machine identities, including medical devices and telemedicine. Many times, these won’t be within the four walls of a hospital.”
Schwering explained that Zero Trust architecture has become a standard approach to securing health systems in a post-COVID-19 world, where identities are secured first, before physical networks. “The concepts and best practices associated with Zero Trust principles apply anywhere – within the hospital and remotely,” he said.
Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.
The Healthcare Cybersecurity Act would partner CISA with HHS in an agreement, as defined by CISA, to improve cybersecurity in the healthcare and public health sector. It supports training efforts for private sector healthcare professionals. CISA would be responsible for educating healthcare providers, suppliers and manufacturers about cybersecurity risks. CISA would also explore strategies for securing medical devices and EHRs.
“There are several great resources available to help health systems and hospitals shore up their security capabilities such as the resources made available by CISA,” Schwering said. “Focusing on basic cyber hygiene and sticking to the fundamentals are the best approach to prepare for a potential cyberattack.”
Schwering said this includes fundamentals such as security awareness training and up-to-date BC/DR (business continuity and disaster recovery) and incident response plans that are regularly tested. It also includes technical fundamentals such as multifactor authentication, system patching, secure remote access gateways, and modern endpoint detection and response.
Vendor and supplier risk
Healthcare providers also face risks from many different types of supply chain vendors. This dramatically increases the consequences of a cyberattack.
“Current approaches to assessing and managing vendor risks are failing,” said Dr. James Angle, co-chair of the Cloud Security Alliance’s Health Information Management Working Group, which drafted a whitepaper called Healthcare Supply Chain Cybersecurity Risk Management in May. “Given the importance of the supply chain, it’s critical that healthcare delivery organizations identify, assess and mitigate supply chain cyber risks to ensure their business resilience.”
Healthcare providers and suppliers are high-value targets. When addressing cyber risk and security within the supply chain, the Cloud Security Alliance (CSA) recommends healthcare delivery organizations:
- Inventory all suppliers, then prioritize and identify those they consider to be strategic suppliers.
- Tier suppliers based on risk, using a third-party risk rating service if possible.
- Contractually require suppliers to maintain security standards.
- Develop a schedule for reevaluating suppliers.
CSA is dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. It offers cloud security-specific research, education, training, certification, events and products.
“Supply chain exploitation is a reality,” said Michael Roza, a risk, audit, control and compliance professional, CSA Fellow and a contributor to the whitepaper. “It’s incumbent on healthcare delivery organizations to ensure that their supply chain partners comply with data management policies in order to keep their organizations and their users safe.”
According to the CSA’s Healthcare Supply Chain Cybersecurity Risk Management and the Ponemon Institute, which runs IT infrastructure studies, there are several reasons why supply chain and risk management programs fail in healthcare,[7] including:
- The lack of automation and reliance upon manual risk management processes makes it challenging to keep pace with cyber threats and the proliferation of digital applications and medical devices used in healthcare.
- Vendor risk assessments are time-consuming and costly, so few organizations conduct risk assessments of their vendors.
- Critical vendor management controls and processes are often only partially deployed or not deployed at all.
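The CSA recommendations above (inventory, tier by risk, contractual security requirements, a reevaluation schedule) and the first failure reason (manual processes that cannot keep pace) both point at the same gap: a supplier risk register that is maintained by hand. The following Python example, added here and not taken from the CSA whitepaper or from any organization quoted in the article, shows how that register can be automated. The risk factors, weights, tier thresholds, reassessment intervals and the four fictional suppliers are all constructed assumptions chosen for illustration; a real program would substitute its own scoring model or a third-party risk rating.

```python
"""Supplier cyber-risk register (added illustration).

Tiers suppliers by assessed risk factors, assigns a reassessment cadence per
tier, and flags overdue reviews and strategic suppliers whose contracts lack
security requirements. Weights, thresholds, intervals and the sample
suppliers are assumptions, not values from CSA or Ponemon.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Supplier:
    name: str
    handles_phi: bool               # stores or processes protected health information
    network_connected: bool         # supplies devices/services reachable from the clinical network
    remote_access: bool             # vendor staff can reach provider systems remotely
    critical_to_operations: bool    # an outage halts ordering, inventory or care delivery
    security_terms_in_contract: bool
    last_assessed: date


# Assumed weights: data exposure and operational criticality weigh most.
RISK_WEIGHTS = {
    "handles_phi": 3,
    "network_connected": 2,
    "remote_access": 2,
    "critical_to_operations": 3,
}

# Assumed reassessment cadence: tier 1 twice a year, tier 2 yearly, tier 3 every two years.
REASSESS_INTERVAL = {
    1: timedelta(days=180),
    2: timedelta(days=365),
    3: timedelta(days=730),
}

# Constructed "today" for the sample run.
AS_OF = date(2022, 6, 1)


def risk_score(s: Supplier) -> int:
    """Sum the weights of every risk factor the supplier exhibits."""
    return sum(w for attr, w in RISK_WEIGHTS.items() if getattr(s, attr))


def tier(s: Supplier) -> int:
    """Tier 1 = strategic / highest risk, tier 3 = lowest (thresholds assumed)."""
    score = risk_score(s)
    if score >= 7:
        return 1
    if score >= 4:
        return 2
    return 3


def next_review(s: Supplier) -> date:
    """Due date of the next assessment, derived from the supplier's tier."""
    return s.last_assessed + REASSESS_INTERVAL[tier(s)]


def overdue(suppliers: list[Supplier], today: date) -> list[str]:
    """Names of suppliers whose reassessment date has already passed."""
    return sorted(s.name for s in suppliers if next_review(s) < today)


def missing_contract_terms(suppliers: list[Supplier]) -> list[str]:
    """Tier 1 and 2 suppliers with no contractual security requirements."""
    return sorted(s.name for s in suppliers
                  if tier(s) <= 2 and not s.security_terms_in_contract)


def build_register(suppliers: list[Supplier], today: date) -> list[dict]:
    """One row per supplier, highest-risk tier first."""
    rows = []
    for s in sorted(suppliers, key=lambda x: (tier(x), x.name)):
        due = next_review(s)
        rows.append({
            "name": s.name,
            "score": risk_score(s),
            "tier": tier(s),
            "next_review": due.isoformat(),
            "overdue": due < today,
            "contract_gap": tier(s) <= 2 and not s.security_terms_in_contract,
        })
    return rows


# Constructed sample inventory of fictional suppliers.
SAMPLE = [
    Supplier("Infusion pump vendor", True, True, True, True, False, date(2021, 9, 1)),
    Supplier("EHR hosting provider", True, True, True, True, True, date(2022, 2, 1)),
    Supplier("Linen service", False, False, False, False, False, date(2020, 1, 1)),
    Supplier("Logistics/EDI partner", False, True, False, True, True, date(2021, 3, 1)),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE, AS_OF):
        print(row)
    print("Overdue reassessments:", overdue(SAMPLE, AS_OF))
    print("Strategic suppliers lacking contract terms:", missing_contract_terms(SAMPLE))
```

Run as a script, the register lists the infusion pump vendor and EHR host as tier 1, the logistics partner as tier 2 and the linen service as tier 3, and flags three overdue reviews plus one tier 1 contract without security terms. The point of the design is that tiering and cadence fall out of recorded attributes rather than judgement calls made anew each time, which is what lets the schedule actually be kept.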
Relying on electronic communication
Cyberattacks are costly: the average financial impact of a supply chain attack reached $1.4 million this year, making it the most expensive type of cyber incident.[5] Healthcare providers also bear additional economic burdens as fines and investigations from HHS and the Office of Civil Rights (OCR) increase, driven by current supply chain risk management approaches.
Order processing, inventory management, transportation and payment rely on electronic communications. Medical devices are now connected to the cloud so that vendors can manage them. This complexity and interdependency heighten the potential risk. Healthcare organizations are targeted because they have more assets to potentially exploit,[6] and the supply chain is the most fundamental component of uninterrupted daily business operations.
“Supply chain security, especially with medical devices, has become one of the top cybersecurity priorities for health systems,” Schwering said. “Performing risk assessments and threat models for each use case involving online devices and services can help identify potential weak points and safety risks. Infusing cybersecurity controls throughout the lifecycle of a device, from procurement to disposal, is critical in enabling safe use of online devices.”
This starts with a strong partnership with the manufacturers and suppliers to ensure cybersecurity expectations are clearly outlined and agreed upon, Schwering emphasized.
The supply chain is an interdependent system that affects everything in healthcare. An insecure supply chain can impact a healthcare provider’s risk profile and security. Assessing and mitigating risk in the supply chain should be pursued with the same energy as assessing and mitigating risk internally.
“Fundamentals such as developing standard operating procedures (SOPs) for updating devices, implementing strong authentication, removing hard coded passwords and disabling unused components are critical steps in securing your online footprint,” Schwering said.
When the supply chain is compromised, a healthcare provider’s networks and systems are at risk.
“The cybersecurity risks in delivering healthcare services extend beyond just the four walls of the hospital,” Schwering said. “Health systems are much more aware of the need for strong supply chain security, especially involving medical devices and managed services.”
HSCA and its Committee for Healthcare eStandards issued its own guidance for healthcare providers on key cybersecurity considerations,[8] including:
- Designating an IT security officer and maintaining anti-virus software.
- Providing cyber training and assessment for staff.
- Purchasing insurance policies that cover cybersecurity risks.
- Testing manufacturer claims.
- Encrypting personal authentication data.
- Certifying that suppliers of network-accessible medical devices, software and services are compliant with FDA guidance documents.
- Adopting, implementing and actively using industry-wide data standards for improving efficiencies and safety throughout the healthcare supply chain.
- Participating in at least one Information Sharing and Analysis Organization (ISAO) like the Health Information Sharing and Analysis Center (H-ISAO).
- Adopting an IT security risk assessment methodology like the NIST Cybersecurity Framework (CSF).
[1] Operational Data Portal: Ukraine Refugee Situation
[2] S. 3904 – Healthcare Cybersecurity Act of 2022
[3] Federal Bureau of Investigation: Internet Crime Report 2021
[4] Trellix Cyber Readiness Research: Path to Cyber Readiness – Preparation, Perception and Partnership
[5] ITProPortal: Supply chain attacks are now more costly than ever
[6] Palo Alto Networks: Ransomware Threat Report 2021
[7] Ponemon Institute: The Economic Impact of Third-Party Risk Management in Healthcare
[8] HSCA: Medical Device and Service Cybersecurity