How the US is responding to a wave of healthcare attacks

In December 2023, the US Department of Health and Human Services (HHS) reported a surge in cyber attacks against the country’s healthcare industry. Large breaches have increased by 93% from 2018-2022, and breaches involving ransomware have risen by 273%. 

Recent targets include Ardent Health Services (which runs 30 hospitals and 200 other healthcare sites across six states), which had to divert emergency care as it took its network offline following a Thanksgiving holiday attack. And HTC Global Services (which provides technology to the healthcare industry) confirmed an attack, which was claimed by threat group AlphV/BlackCat. 

In response, HHS has released a new concept paper focused on how to strengthen the cyber resilience of the US healthcare sector. 

What does the paper say? 

It lays out four steps aimed at improving the resilience of healthcare organisations. 

They are:

1. Establish voluntary cybersecurity performance goals for healthcare organisations – with a focus on high-impact cybersecurity practices, to minimise the confusion organisations face by trying to adhere to a range of different regulatory guidelines and practices.
2. Provide resources to incentivise the implementation of these practices, including an upfront investments program.
3. Implement an HSS-wide strategy to support the enforcement of the performance goals and create a culture of accountability, and work with Congress to do this. 
4. Develop a ‘one-stop shop’ within HSS for healthcare cybersecurity – enabling the industry to access support and services from the Federal Government. 

No one is immune to attack, and healthcare requires support – but not penalties 

No organisation in any industry is immune to cyber attacks. And as many of our Black Hat MEA speakers advise – all organisations should assume breach. 

But attacks on the healthcare industry have serious implications for patient safety, so more focused expertise and funding to protect the sector is important. That being said, mandatory requirements would create new challenges for organisations in the sector, and there will be resistance if the guidelines laid out by the HSS lead to such requirements. 

Rick Pollack (CEO at the American Hospital Association) said in a statement, “Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.”

But as Jen Easterly (Director at the Cybersecurity and Infrastructure Security Agency) wrote here,

“The days of relegating cybersecurity to the CIO or the CISO must end. CEOs and Boards of Directors must embrace cyber risk as a matter of good governance and prioritize cybersecurity as a strategic imperative and business enabler.”

In essence, it’s a difficult balance to strike: protecting critical organisations and their patients from cyber attacks, without creating unnecessarily complex and costly regulatory challenges for them to navigate. We’ll keep watching to see what happens next.