Healthcare systems need state assistance to fight hackers

Lee Milligan, chief information officer for Asante’s healthcare system in Oregon, said he was pleased President Joe Biden had taken steps to help the nation avoid cyber threats, but wanted Washington to work more directly to shift the burden of attacks on healthcare systems. .

“It strikes me that in the end, it’s an attempt by individual hospital systems – essentially isolated – to find out,” he said. “If the nation-state bombs the bridges that connect the Mississippi River and connect States A and B, will we look at it that way?” And yet the same life-threatening is when they shut down the health care system. ”

The continuing increase in attacks threatens the safety of patients and strains clinicians who are already tired of the Covid-19 pandemic. In the worst case, hackers can close hospital operations and extract patient data.

The hack is expensive: The 2021 cyberattack on San Diego’s largest healthcare system, Scripps Health, cost $ 112.7 million. These costs put additional pressure on healthcare systems to increase the cost of services, especially when they Competitive labor market, pandemic losses and rising drug prices. And now, cyber insurers are limiting coverage and hiking bonuses, further exposing health systems.

There have been various federal efforts to assist health care systems through cyber-attacks Department of Health and Human Services, Federal Bureau of Investigation and Department of Homeland Security. However, not all health care systems feel that these resources are sufficient.

“What I really wanted was for them to create a concrete framework for a partnership between individual health systems and the government to either defend or respond, or preferably both,” Milligan said.

Costs

The doctor receives an email asking him / her to log in to the portal to receive a copy of his / her patient’s past medical records. The website, which has email links, is a fake, evil doppelganger that has been ridiculed by hackers. Involuntarily, the doctor refused to enter the certificate on the real health record portal or downloaded the virus.

This is one of many scenarios that healthcare CISOs are preparing for as healthcare systems prepare for a federal deadline by the end of October to share electronic healthcare records across hospital networks, which could lead to new lines of cybercrime attacks, they say, because it attracts hackers. At new entry points.

Cyber-attacks on healthcare systems are growing steadily and their costs are rising by fungi. Experts say there are many reasons for the increase, including the fact that criminals are being promoted more and more aspects of healthcare are online.

When the cyber-attack hit Sky Lakes Medical Center, a public hospital in southern Oregon, in late October 2020, its computers were turned off for three weeks. Most worldly tasks have become difficult. Nurses had to check critical patients every 15 minutes to see if their vital signs changed. Doctors recorded their orders and piles of swollen paper covered the entire room. In three weeks, the hospital had passed 60,000 sheets.

Sky Lakes had to rebuild or replace 2500 computers and clean up the network to get back online. Even after he hired additional staff, it took six months to file all the paperwork. In total, John Gade, director of news services at Sky Lakes, says his organization spent $ 10 million – a huge expense for a nonprofit, with about $ 4.4 million in annual operating income (the organization did not pay the ransom).

There are questions for hospitals with limited budgets about how well they can protect themselves. The attack on Sky Lakes was part of a wave of attacks in 2020 and 2021 Linked to a criminal group in Eastern Europe.

“Our budget usually has a 3 percent limit “In a year,” said Gede, “but do we have to compete with the actors of the nation-state?”

Health data is profitable on the black market, making hospitals a popular target. Additionally, if the health care system has ransomware insurance, offenders may think they are guaranteed payment. Ransomware connects hospital records to encrypted files before paying a fee.

“When the ransom was $ 50,000, it was cheaper to pay them than to go to court, which was much more expensive,” said Omid Rahman, associate director at Fitch Ratings, adding that the ransom now costs millions. “The landscape has changed and so has the cybersecurity side – and that really has to do with the growth of ransom programs.”

In its annual data breach report, IBM writes that the global average cost of attacking the health care system increased from about $ 7 million to $ 9 million in 2021. But correcting these irregularities in the US can cost much more. There is no comprehensive data on how much the US healthcare system spends on attacks, but a few high-profile cases shed some light:

  • Violation of universal health servicesWhich serves 3.5 million patients, cost $ 67 million.
  • The University of Vermont, an academic medical facility where approximately 168,000 patients live each year, has spent $ 54 million to recover from an attack in 2020.
  • Scripps Health, which treats 700,000 patients annually, lost $ 112.7 million.

Healthcare systems only partially reimburse these costs. Scrips received $ 35 million from his insurance companies, a Quarterly Financial Disclosure – About 30 Percentage of actual value. The University of Vermont has raised $ 30 million from the insurer while United Health Services received $ 26 million.

“What I’m seeing is that the cost of remediation after a high-impact cyber attack – be it big data theft or infringing ransomware – is easily five to ten times their insurance coverage, be it a small hospital or a large one,” said John Riggie, chief security adviser. In the American Hospital Association.

The cost of delta cyber-attacks and between insurers is likely to increase. Last year, amid a flood of claims, Reuters reports that cyber insurers Both retreated to maximum pay rates and the types of attacks they covered. In November, Lloyd’s London, the main provider of cyber insurance, Declared not to cover cyber war, Or cyberattacks on behalf of the nation state. Bonuses increase in kind.

“I can not emphasize enough that all the expenses I mean here are paid by all of us,” said Brad Ellis, head of Fitch Ratings’s US health insurance group. “[Health systems] They are paid by insurance companies and we all pay a premium that is greatly increased. And they continue to climb. ”

The role of government

The big question is how much government agencies should protect organizations that are considered critical infrastructure. Two agencies – the Cyber ​​Security and Infrastructure Security Agency and the Health Sector Coordination Center with the Department of Health and Human Services – provide information on attacks and how to build infrastructure to prevent them. The CISA and the FBI also have incident response teams.

Eric Goldstein, Assistant Chief Executive Officer at CISA Cyber ​​Security, said the government needs better visibility into how many attacks occur and where. “It is noteworthy that a significant part of the cyber security breach is not reported to the government,” he said.

Health systems are required to notify the Civil Rights Office of data impacts affecting more than 500 people. But if health data is not disseminated, health systems will not have to report it.

But it is ready to change. Last spring, Biden signed an executive order to improve the country’s cybersecurity, which Goldstein called “the most operatively effective cybersecurity executive order,” indicating an increase in investment in cybersecurity.

“It really reflects the maritime change in how the federal government manages its cyber security,” he said.

The Biden administration also convened a meeting last week with several health executives and relevant government officials to discuss cyber security threats and security challenges for small health care systems.

Chairman of the Senate Homeland Security and Government Affairs in May Gary Peters (D-Mich.) Published the report Shows that the government had insufficient data on cyber attacks on critical infrastructure such as health facilities; Effectively protect the nation from such blows. Peters also stands behind the Cyber ​​Incident Reporting Act, a recently passed law that has tight deadlines for payments on cyber-attacks and ransomware important to CISA (this rule also gives CISA the power to summon anyone who does not meet these deadlines).

For its part, the CISA will develop a warning system to warn potential targets of total exploits and set up a ransom program working group to prevent and thwart attacks. The working group is due to be set up around March next year, and the ransomware vulnerability warning pilot has one year to stand on the ground.

Goldstein acknowledges that the government may not be actively protecting all health care systems from cyber-attacks. But he notes that CISA last year set up a joint cyber defense partnership to work with telecom companies and cloud providers to protect their infrastructure, and the healthcare systems that use these networks benefit from the proxy.

“Cybersecurity is now, perhaps for the first time, the issue of board of directors and C-suite issues in organizations across the country,” he said, adding that this level of attention and spending would ultimately help address the threat.

Healthcare systems need state assistance to fight hackers

Source link Healthcare systems need state assistance to fight hackers

Exit mobile version