This week, the FBI issued an urgent warning to all users — including hospitals — of a critical security soft spot within Oracle’s E-Business Suite, stating “This is ‘stop-what-you’re-doing and patch immediately vulnerability.’”

The vulnerability has allowed cyber bad actors to carry out data theft ransomware attacks. Oracle is offering a patch to address the security problem.

This latest threat reminds us that cybercrime is ever-present, and health care has been the No. 1 target for years. Hospitals and health systems are committed to taking every possible precaution to protect system operability and patients’ personal data, and the good news is their defenses block most attacks.

But no individual hospital can defend against all of these very sophisticated criminal and nation-state-sponsored attacks. That’s why we need a whole-of-government approach to preventing and mitigating cyberattacks, including the federal government going after the bad guys as it has effectively done in counterterrorism.

As we observe Cybersecurity Awareness Month this October, we must remain aware that the scope, frequency and sophistication of cyber incursions into health care have increased steadily. The evolving tactics used by bad actors to steal information, encrypt systems, delay and disrupt patient care, and shut down vital systems continue to put patient care and safety at risk.

The AHA has long been committed to doing everything possible to provide our members with knowledge, tools and support to protect their ability to provide great care for the patients and communities they serve.

Information and Resources for Hospitals. The AHA has established strong relationships with federal law enforcement and national security agency partners so we can serve as a primary informational conduit providing the field with timely alerts and advisories. These advisories contain not only critical information from the federal government, but also perspective from the AHA’s own nationally recognized cyber experts and distinguished former federal agents, John Riggi and Scott Gee. Together with the federal government, they recommend steps hospitals and health systems can take to bolster their defenses, whether by installing an immediate software patch, creating a long-term cyber incident response plan, planning for clinical continuity or taking other important actions. Riggi and Gee have helped educate federal officials about the impact of cyberattacks against hospitals and health systems.

Although hospitals and health systems prioritize cybersecurity, some organizations may lack sufficient resources to fully implement and maintain necessary and continually changing cybersecurity defenses.

To help fill the cybersecurity resource gap, the AHA collaborates with multiple parties across the public and private sectors to support member hospitals and health systems with cybersecurity risk mitigation. The AHA’s Preferred Cybersecurity Provider program includes vetted, highly reputable and accomplished cybersecurity providers that have developed dedicated resources and special offerings for AHA members.

In addition, the AHA and Microsoft recently announced several new and updated offerings as part of the Rural Health Resiliency program. The program offers free and discounted services to eligible rural hospitals, including critical access hospitals and rural emergency hospitals. Among the offerings are free cybersecurity assessments, cloud capability evaluation, curated cyber and artificial intelligence training, and foundational cyber certifications for rural hospital information technology staff.

AHA’s Cybersecurity and Risk webpage provides a centralized hub for access to the latest news, vital resources, expert insights and advisory services — all tailored to support comprehensive enterprise risk strategies. 

A Whole-of-Nation Approach Is Needed. We continue to encourage our government partners to disseminate threat intelligence and use all their tools — including military, intelligence and offensive cyber capabilities — to disrupt these actors before they attack and prepare to assist when an attack does occur. A strong, swift and certain response from the federal government and allied nations to increase risk and consequences for cyber adversaries must be part of the mitigation solution.

The never-ending barrage of ransomware and cyberattacks against the health care sector is not going away. But it can be managed. And the risk of becoming “infected” can be reduced if all parts of the health care sector and the government share responsibility and do their part to protect the health care infrastructure we all depend on to advance health in our nation.
