Facing ransomware, health systems can’t use ‘hope as a strategy’

Even as ransomware attacks became more common, hackers often stayed away from hospitals and the healthcare sector, Jeff Schmidt says.

Schmidt, the chief executive officer of Avertium, a cybersecurity company, said hackers didn’t attack health systems in the past because it created too much visibility. Plus, even some hackers thought breaching healthcare companies and endangering patients was a step too far, some analysts have said.

However, hospitals are now increasingly encountering ransomware attacks.

“I don’t want to say the gloves are off,” Schmidt told Chief Healthcare Executive in a recent interview.

But he added, “We shouldn’t have hope as a strategy at this point. It’s time to start thinking through the plan.”

• Related story: Not if, but when: Cyberattacks threaten hospital systems

This week, federal authorities sent out a cybersecurity alert indicating that hackers sponsored by the North Korean government are aiming ransomware at the health sector. FBI Director Christopher Wray said last month hackers supported by Iran’s government attacked Boston Children’s Hospital. The attackers failed to do major damage in that 2021 attack, Wray said.

Now, it’s clear health systems must prepare for ransomware attacks, Schmidt said.

“These systems are being targeted,” Schmidt said. (The story continues after the video.)

• Related story: Cybersecurity and patient safety: Why it needs more attention
• Related story: Why smaller hospitals are targets for cyberattacks

Schmidt said the attack on a children’s hospital is a chilling sign of the dangers posed by cyberattacks, whether the attacks involve attempts to gain money or are simply designed to create havoc.

“It’s a group of people understanding what they are doing and what they’re really trying to accomplish at the cost of someone’s life and the systems that support those,” Schmidt said. “That is a very different actor than what we have typically dealt with in the digital world.”

Relying on vulnerable systems

Several hundred breaches involving hospitals and healthcare systems were reported to the federal government in 2021, and more than 100 breaches involving patient information were reported in the first quarter of this year.

“A lot of these hospital systems …  are using systems that have been exploited before,” Schmidt said. “The measures required and the measures that should be taken inside those environments really need to be tuned and sewn up.”

Other cybersecurity experts have said healthcare systems have been too slow to repair vulnerabilities, even after they’ve had a breach.

Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), said some systems didn’t shore up defenses quickly enough and were attacked again.

“I personally know of entities that unfortunately have been hit by the same incident multiple times over because they don’t take a step back and look at what they can do better,” Kim told Chief Healthcare Executive in March.

• Related story: How hospitals can improve their cybersecurity

Ransomware attacks pose a threat to health systems’ ability to care for patients, in addition to imposing enormous financial pain. At the HIMSS 2022 Global Health Conference in March, Kevin Tambascio, manager of cybersecurity for the Cleveland Clinic, said it’s virtually impossible to eliminate all ransomware threats.

“We’re trying to battle ransomware and trying to keep the level of risk at a manageable level,” he said.

Cybersecurity experts have criticized healthcare organizations in the past for failing to place a higher priority on cybersecurity. Schmidt said he thinks healthcare cybersecurity and information technology teams recognize the gravity of the threat.

However, hospitals have faced enormous financial challenges with the COVID-19 pandemic, and Schmidt said that’s impeded efforts to improve cybersecurity.

“Hospital systems have not thrived over the last two years …there’s only so many dollars available to go around,” he said.

Starting somewhere

Health systems can take some measures to repel attacks or at least mitigate their risk.

Health systems should engage in patch management to update software and address vulnerabilities, Schmidt said. He acknowledged some healthcare systems are using very antiquated software and patch management isn’t always an option for those systems. If systems can’t be patched, healthcare organizations should put in monitoring to alert if there’s a compromise.

“The low-hanging fruit is credentialing and securing credentials,” Schmidt said. “Multi-factor authentication everywhere and really securing the access that people use.”

Health systems also need to train their staff as much as possible about the dangers of cyberattacks and how hackers employ phishing techniques via email to engage workers.

Human errors tend to be “the easiest place to compromise an environment,” Schmidt said.

Breaches don’t happen simply because of carelessness, he said. Often, it’s well-intentioned kindness in response to an appeal for help.

“We are amazingly helpful, kind people, who really help people and come to the rescue," Schmidt said. "That’s what a hacker parlays off of …  that spirit of helping somebody on the other end, to parlay into getting information from you.”

Health systems also need to have emergency response plans for cyberattacks. Schmidt grew up in California, where earthquakes aren’t uncommon, and said he always thinks about the escape route. A similar approach is needed for cybersecurity, he said.

Businesses need to adapt a playbook encompassing different scenarios if there’s a breach and critical systems are compromised.

“Here’s everything that’s shut down,” Schmidt said. “What do we do? Who needs to be in the room? Who makes the call?”

Businesses don’t need to plan for 1,000 different scenarios, Schmidt said. Maybe organizations develop 10 or 15 plans. Critically, businesses need to start somewhere in cybersecurity response plans, even if it’s simply admitting what they don’t know.

“If you don’t start somewhere, it’ll always be overwhelming,” Schmidt said.

Cyberattacks have proven to be very costly to hospitals and healthcare organizations. The average healthcare breach cost $9.4 million in 2021, an increase of $2 million over the previous year, according to a report by IBM. Analysts have projected this year could be worse.

Nearly 45 million Americans were impacted by breaches involving private health information in 2021, up from 34 million in 2020, according to a report by Critical Insight, a cybersecurity company. Millions of Americans have already been affected by healthcare breaches reported this year.