In a recent address at the HIMSS Healthcare Cybersecurity Forum, cybersecurity experts John Riggi and Richard Staynings emphasized the significant cybersecurity threats that arise from third-party vendors and associated organizations. Riggi, a former FBI special agent and national advisor for Cybersecurity and Risk at the American Hospital Association, highlighted the alarming growth in the number of individuals affected by cyber incidents, which rose from 27 million in 2020 to an unprecedented 150 million as a result of the ransomware attack on Change Healthcare in February. The incident exemplifies the pervasive interconnectedness of modern healthcare technology: every hospital in the network was affected.
Riggi underscored the importance of recognizing vulnerabilities that could lead to widespread operational disruptions. For instance, a software update from CrowdStrike in July inadvertently triggered a global IT outage affecting millions of Windows systems across various sectors, including healthcare and banking. Such scenarios reveal the potential for a single security failure to cascade through interconnected systems, raising critical questions about our preparedness.
Despite the billions spent annually on cybersecurity by hospitals and health systems, speakers at the forum expressed concern over the overlooked risks posed by the dependencies on external vendors like Change Healthcare. As these organizations often handle sensitive data, health systems face the ongoing challenge of safeguarding patient information while managing the complexities of external data sharing.
“Who has our data?” posed Staynings, a professor and cybersecurity expert at the University of Denver. His inquiry highlights a growing apprehension regarding data confidentiality in today’s landscape, where cybercriminals leverage sophisticated tactics. Both experts pointed out that many cybercriminals operate out of Russia and other countries, illustrating the international scale of the threat.
The forum also addressed the troubling implications of disinformation campaigns that target electoral integrity. Ahead of the recent presidential election, Riggi noted an increase in phishing emails designed to foster distrust in the electoral process, illustrating how cybersecurity threats extend beyond the healthcare sector.
Furthermore, the dangers of cyberattacks aren’t confined to data breaches; they can also have dire consequences for patient care. Eric Liederman, CEO of CybersolutionsMD and former national leader of Privacy, Security, and IT Infrastructure at Kaiser Permanente, discussed a case study from the University of California San Diego. When a nearby facility suffered a ransomware attack, the resulting diversions increased the patient load, and outcomes for critical conditions such as cardiac arrest and stroke deteriorated dramatically. Survival rates for previously manageable cases plummeted from 50% to just 10%.
Given these examples, the necessity for robust cybersecurity measures is clear. Health systems must enhance their security postures using insights from frameworks like the MITRE ATT&CK Matrix. This framework outlines various adversary tactics, such as initial access and privilege escalation, that are crucial for understanding and preventing potential attacks. By adopting a proactive stance against these threats, organizations can better protect patient data and maintain operational integrity in an increasingly vulnerable digital landscape.