Unfortunately, the year started off with a major threat. On Feb. 23, the American Hospital Association (AHA) published a cybersecurity advisory warning that Russia may use cyberattacks as a form of retaliation due to the economic and military sanctions placed on the country by the U.S. government and NATO allies.
The advisory states that “The AHA is closely monitoring the potential for increased cyber risks to the U.S. health system stemming from the ongoing military operations in the Russia/Ukraine region. The Russian military has previously used cyberattacks against Ukraine to disrupt the electrical grid, communications capabilities and financial institutions. For example, it was reported last week that cyber denial-of-service attacks, attributed to the Russian military, were launched against Ukraine’s Ministry of Defense, as well as its financial institutions.”
That said, “In light of previous attacks and potential threats, the Cybersecurity and Infrastructure Security Agency last week issued a related-and-rare cyber ‘Shields Up’ warning to the U.S. private sector, including healthcare, based upon the increased cyberthreat posed by the Russian government.”
In March, during the HIMSS22 conference in Orlando, Fla., as part of the Healthcare Cybersecurity Forum, a Leadership Panel titled “CISO State of Mind” focused on what to expect in the industry during these turbulent times and set the tone for the year to come. The panel featured speakers Erik Decker, CISO at Intermountain Healthcare; Anahi Santiago, CISO at ChristianaCare; and Vugar Zeynalov, CISO at the Cleveland Clinic. The panel was moderated by Daimon Geopfert, principle of cyber, risks & regulation implementation & operations, PwC.
Geopfert kicked off the panel by asking the speakers, “What’s keeping you up at night?” Zeynalov said that he sleeps like a baby, “waking up every two hours to cry.” He then seriously commented that building resiliency and agility keep him up along with three other areas. “How do we do business to keep up with constantly changing and, often, competing priorities?” he adds. “The second thing is enabling the organization to grow both physically and digitally. And the third area is attracting top talent.”
Decker added that “Selling and evangelizing cybersecurity is a way of the past.” He went on to say that the demands and competing priorities are akin to a car needing to drive faster and, therefore, needing better brakes. When it comes to cybersecurity, when an organization wants to push through better innovation, it needs better cybersecurity.
In June, we reported on a global survey of healthcare IT executives that found that 44 percent of healthcare organizations that suffered an attack in the last year took up to a week to recover from the most significant attack, and 25 percent of them took up to one month.
“The State of Ransomware in Healthcare 2022” survey from cybersecurity solutions provider Sophos polled 5,600 IT professionals from 31 countries, including 381 in healthcare. In the survey, 66 percent in healthcare said their organization was hit by ransomware in 2021 compared to 34 percent who responded to the survey the previous year.
Among the report’s other troubling findings are that healthcare organizations are more likely to pay the ransom than those in other fields, with 61 percent of organizations paying the ransom to get encrypted data back. Healthcare organizations that paid the ransom got back only 65 percent of their data in 2021, down from 69 percent in 2020; furthermore, only 2 percent of those that paid the ransom in 2021 got all their data back, down from 8 percent in 2020, the report said.
In October, we reported that Chicago-based CommonSpirit Health, which has 140 hospitals across 21 states and more than 1,000 facilities, has been experiencing an “IT security issue," as mainstream media outlets have been reporting. Journalists began reporting the incident on Monday, Oct. 3, and updated information categorizes the incident as a ransomware attack. CommonSpirit is the second-largest nonprofit health system in the U.S.
According to an Oct. 6 article by Jessica Lyons Hardcastle in The Register, CommonSpirit had a short statement on its website saying it took some systems offline, including “electronic health record (EHR) and other systems.” As of Oct. 13, the statement was updated saying that “We have been managing a response to a cyberattack that has impacted some of our facilities. Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees, and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created.”
Healthcare Innovation spoke with cybersecurity expert and former Stanford Children's Health CISO Chad Wilson, to get his perspective on the incident. Wilson says his initial thought is that “It’s a disaster. And an unfortunate one. As a CISO, this is something you don’t want to see happen”
Wilson adds that “A larger organization [like CommonSpirit] has more patients and families to take care of vs. a smaller organization.” He says that an incident like this at a larger organization also impacts more staff (than a smaller organization) that now have to do their jobs without the tools are resources they are accustomed to.
In November, we reported that a report from the U.S. Department of Health and Human Services (HHS) Office of Inspector General, entitled “2022 Top Management & Performance Challenges Facing HHS,” HHS says that one of its six top management and performance challenges (TMCs) is “Harnessing and Protecting Data and Technology To Improve the Health and Well-Being of Individuals.”
The report states that “The Department continues to improve how it collects, manages, shares, and secures its data. In parallel, HHS is refining its approach to influence and shape how other entities use technology. Yet HHS faces significant challenges to both protect data and technology from persistent cybersecurity threats and improve how the Department and related entities share large amounts of critical data from disparate sources, including public health data, on an unprecedented scale. The importance of managing these challenges is highlighted by critical issues such as addressing inequities across health and human service programs, which often requires foundational improvements to data collection and analysis to better understand the effects on disadvantaged individuals and communities. Continued modernization of HHS data and technology capabilities is needed for HHS and its divisions to fulfill their missions, improve situational awareness, and better prepare for future public health threats and emergencies.”
On Dec. 1, we reported that the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced via a press release that it has issued a bulletin to detail the requirements of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates (“regulated entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies. The tracking technologies—such as Google Analytics or Meta Pixel—are meant to analyze information about how users are interacting with a regulated entity’s website or mobile application.
The press release states that “Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rules. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.”
And lastly, on Dec. 1, we reported that CommonSpirit Health updated its website regarding its October ransomware attack. The ongoing investigation has found that an unauthorized third party accessed files that include personal information from one if its affiliates, Seattle-based Franciscan Medical Group and/or Franciscan Health in Washington state.
The website adds that “CommonSpirit Health has no evidence that any personal information has been misused as a result of the incident. We are notifying individuals whose personal information was in those files.”
