Keeping Hospitals and Patients Safe against Cyberattacks

Feb 03, 2023 - 10:05 AM by
Rick Pollack, President and CEO, AHA
Rick Pollack, American Hospital Association CEO and President standing in front of United States flag and the AHA seal.

Cyberattacks are increasing globally and in the U.S., with health care organizations, especially hospitals and health systems, being prime targets.

A recent report from Check Point Research found that:

  • The U.S. saw a 57% increase in the number of cyberattacks in 2022.
  • Health care organizations in the U.S. suffered an average of 1,410 weekly cyberattacks per organization, which is 86% higher than 2021.
  • The health care sector ranked second out of all sectors for the most cyberattacks in the U.S.

The AHA has long been committed to helping hospitals and health systems defend against and deflect cyberattacks that can threaten patient care and compromise patient safety. AHA’s National Advisor for Cybersecurity and Risk John Riggi, a former FBI executive with decades of experience on the front lines of cyber issues, leads these efforts.

In addition to providing support to individual hospitals and health systems, AHA continues to share information and guidance with the field on the latest cyberthreats. We also have a full suite of tools and resources for members, including AHA-vetted cybersecurity services provided by outside consultants that have a proven track record of working with organizations to develop the defenses needed to protect patients and communities.

Hospitals and health systems have prioritized protecting patients and defending their networks from cyberattacks. However, we’ve stressed that an all government approach is necessary given that the field continues to face targets from sophisticated cyber adversaries and nation-states, such as Russia, China, Iran and North Korea.

That’s why the AHA continues to work closely with federal partners, including the FBI, Department of Health and Human Services, Cybersecurity and Infrastructure Security Agency and many others on efforts to prevent and mitigate cyberattacks. And we are having success.

Just last week, the FBI, Department of Justice and other law enforcement agencies announced major action to disrupt and dismantle the Hive ransomware gang that targeted hospitals and other critical infrastructure. Hive was particularly active in targeting our field, using a sophisticated ransomware extortion plot to shut down hospital networks, encrypt and steal hospitals’ most sensitive data, hold it hostage, and disrupt and delay health care delivery.

AHA is pleased to see a notable shift in how federal agencies tackle cyberthreats against our field. We have worked closely with federal partners to elevate the investigative priority of ransomware attacks from economic crimes to what they really are: crimes against human life that have serious consequences for patients. The strategies that helped detect, deter and disrupt terrorist organizations are now being applied to protect the health care sector. The AHA supports these efforts.

As we continue to partner with federal agencies to mitigate cyberthreats, we also are working with Congress and the Administration to advance policies that assist in protecting health care services, data and patients from cyberattacks.

Among other priorities, we’re advocating for policies to increase government cybersecurity assistance, increase collaboration and coordination among federal departments and agencies, recruit additional cybersecurity workforce, improve medical device security and enhance information sharing.

We’re also pushing for a change in how victims of cybercrimes are viewed. Those targeted by cyberattacks should be supported, not assigned blame. It seems like a simple thing, but too often there is an unfortunate narrative in the public that targeted organizations were at fault or unprepared.

We are pleased that Congress passed legislation providing regulatory relief for HIPAA-covered victims of cyberattacks who can demonstrate they have been following recognized cybersecurity practices, and we are supportive of a “safe harbor” for health care organizations that implement recognized security measures.

Hospitals and health systems will continue to prioritize cybersecurity efforts to protect their patients. And the AHA will continue to be your partner in those efforts.

Related News Articles

Headline
OCR launches webpage with HIPAA FAQs on Change Healthcare cyberattack
The Department of Health and Human Services’ Office for Civil Rights April 19 launched a webpage answering HIPAA-related FAQs about the Change Healthcare…
Headline
Agencies issue ransomware alert, guidance for securely deploying AI
U.S. and European agencies April 18 recommended organizations implement certain best practices to protect against the latest versions of Akira ransomware,…
Headline
AHA urges Congress to reject cybersecurity proposal in HHS budget request
In a statement submitted to the House Energy and Commerce Health Subcommittee for a hearing April 17 on President Biden’s fiscal year 2025 Health and Human…
Headline
HHS Deputy Secretary Palm discusses Change Healthcare attack and future of cybersecurity
Department of Health and Human Services Deputy Secretary Andrea Palm addressed AHA Annual Membership Meeting attendees about the Administration’s work to…
Headline
Representative Guthrie discusses cybersecurity, prior authorizations and telehealth
Rep. Brett Guthrie, R-Ky., today addressed attendees of AHA’s 2024 Annual Membership Meeting and touched on many of the biggest issues in health care:…
Headline
AHA testifies at hearing on health care cybersecurity
Testifying April 16 before a House Energy and Commerce Subcommittee on Health hearing on addressing health care cybersecurity vulnerabilities in the wake of…