BOSTON – John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, kicked off the 2023 HIMSS Healthcare Cybersecurity Forum here on Thursday with a data-rich and provocative discussion that focused largely on the need for local and regional planning for healthcare cyberattacks.
Ahead of the conference, Riggi said he has had growing concern about a "dramatic increase" in high-impact ransomware attacks on hospitals and health systems that shut down hospital computer networks and deny clinicians access to much-needed patient information.
In his keynote, Riggi addressed risk anticipation, identification, avoidance, confrontation and recovery – skills he said he’s practiced since he grew up in nearby Lynn, Massachusetts, and took with him into a lengthy career in the FBI and CIA, and takes now to the AHA.
He described the scope of the current threat landscape – with bad actors stealing data and causing massive disruptions to patient care, and intensifying ransomware attacks that are now assigned the same federal priority level as terrorist attacks – thanks in large part to Riggi and the AHA’s urging.
Cyberattacks and breaches are no longer a white-collar, victimless crime, but a critical patient safety risk.
“Ultimately, we can’t defend our way out of this problem,” said Riggi, who urged the healthcare industry and the U.S. government to take a more offensive posture.
100 million patients could be impacted by data breaches this year
Riggi said he looks to the U.S. Department of Health and Human Services Office for Civil Rights as a "pulse check." OCR breach statistics can help guide resource deployment in the fight against cyber bad actors, he said.
As of this week, the data indicates that 66.3 million individuals have been affected by breaches in 2023 – up 50% from last year – with an average of 180,000 individuals affected per hack.
At that rate, the projection is 100 million individuals will be impacted by a cyber data breach this year, Riggi said.
The majority of attacks are foreign-based, and 25% are ransomware attacks combined with data theft extortion, he said. Nation state-affiliated gangs and spies in Russia, China, North Korea and Iran conduct hacks against healthcare networks, sometimes in collusion with state agencies such as Russia's equivalent of the FBI.
Riggi reviewed a number of incidents, such as the ransomware group Clop exploiting vulnerabilities in MOVEit file transfer software. Earlier this year, Clop also stole patient data from Community Health Systems, one of the largest publicly traded hospital systems in the United States, by attacking it through Fortra's GoAnywhere MFT.
Where is patient data?
While 8% of stolen patient data is taken from electronic health records, most of it is stolen from network servers and email outside of the electronic health record, Riggi said.
“One good thing is, our [EHRs] are pretty safe,” he said. “At least they are not being penetrated nearly as much as the servers and email.”
The soft spot is hospital servers and networks. “Our data is everywhere throughout our networks.”
The other challenge is that data outside the EHR is often left unencrypted, he said.
“Probably not a reportable event,” he added.
The "bad guys" are looking at internet-facing resources. Not all of them are sophisticated or able to exploit zero-days.
“Yes there is some of that,” he said, but, “they are hacking before we patch.
“Folks, the bad guys get patch Tuesday updates as well. And they’re faster. They’re faster at delivering malware before we patch.”
Cyber actors are not just stealing protected health information, they are going after personally identifiable information, medical research and other valuable data sets.
The latest sinister development, Riggi said, is the extortion of individual patients for ransom.
Dr. Eric Liederman, Kaiser Permanente’s director of medical informatics, will address that challenge Friday at the Cybersecurity Forum in his session on personal safety, culture and generating trust in the healthcare system.
Three simple questions
The loss of diagnostic data, picture archiving and communication systems (PACS) and other IT infrastructure shuts down the delivery of patient care. Other sources of aggregated data, especially third-party business associates, leave hospitals and health systems vulnerable to high-impact attacks.
“We have learned some hard lessons,” said Riggi.
As has been shown with some recent high-profile attacks, it can take three to four weeks for major IT systems to come back online and get a hospital up and running again.
And in some areas of the western United States the next nearest Level 1 trauma center could be more than 800 miles away – posing significant risk to patient safety and public health.
Riggi urged emergency-management planning, both locally and regionally, and leveraging resources such as mutual aid agreements, to address the lack of integration between that planning and clinical continuity.
“Business continuity is not the same as clinical continuity, and we need to be prepared to carry on operations for up to four weeks,” he said.
A lot of organizations do not have plans for how they will deliver safe, effective, quality care for up to four weeks, he said. Nor have they considered the external impacts on clinics and labs.
They need to think: “What is the technology we depend on?”
Also: “What are the external impacts?”
Riggi said he advises each department to ask three simple questions about what happens if the internet and the internal network are lost in a high-impact ransomware attack.
"What will work? What won't work? And what's the plan?"
He also advises designating downtime coaches and downtime safety officers for every department.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.