|
In May, hospitals nationwide were forced to divert emergency medical services after Ascension, one of the largest U.S. health systems, fell victim to a cybersecurity incident. This was the latest in a series of major incidents (Change Healthcare)
In the wake of the attack, Ascension tapped the cybersecurity firm Mandiant to assist in its investigation and “remediation efforts.” Multiple systems were down, including MyChart for an extended period as were certain phone lines. Meanwhile, Ascension with 140 hospitals across 19 states paused some nonemergency services and advised patients to bring written notes on symptoms and medications to their appointments.
The immediate aftermath was messy because of the competing interests.
The hospital’s insurance company will investigate to ensure proper prevention measures were in place, and law enforcement agencies like the FBI are likely to get involved. Oftentimes, a third party like Mandiant is called in to identify where systems were breached, and which information was stolen by whom.
Negotiating with cyber criminals is difficult in the best of circumstances and can exacerbate delays. Many ransomware groups target hospitals resulting from the likelihood they will pay a ransom rather than impact patient outcomes and/or get sued. Yet these payments are subject to the Office of Foreign Assets Control (OFAC), and it would be a violation of federal law to pay them. An insurance company can help conduct negotiations and accelerate a return to baseline. And since hospitals cannot afford to delay care, they are more likely to hand over hefty ransom payments.
While outside organizations unravel the web, the health system is focused on continuing care and communicating with patients to lessen the blows of potential class action lawsuits.
The process is underscored by urgency. Cybergangs hide behind computer screens yet can still be fatal in the health care industry. If a credit card company sends a letter saying, your record has been disclosed. We’re going to monitor your credit for free, it goes into the trash, but if your child quits breathing, and you call 911 or a hospital and it doesn’t work, that’s your worst nightmare.
This vulnerability is attractive to ransomware groups, who are concerned with “return on investment.” Health systems are under significant financial pressures and struggle to invest in cybersecurity (be it cyber hygiene or technology)
Hospitals are the perfect targets for cyberattacks and should view them as a foreseeable event. We recommend every organization invests in automated controls to constantly monitor their networks and discontinue any device that shows signs of trouble.
There’s one other thing that MUST be done, and this is the easiest, and the hardest thing to do. You MUST have a policy of ‘all personal use on a personal device. That means no personal account like Gmail, Instagram. Facebook, Snapchat, Hotmail should ever see the screen of a company device. About 40% of compromised assets were due to the use of personal email accounts on the organization’s private network. If implemented and enforced correctly, this policy could significantly reduce a health system’s vulnerability to cyber threats.
I have written previously about deficient cybersecurity policies that I have observed over the years https://www.linkedin.com/pulse/5-best-cybersecurity-practices-3-worst-richard-freiberg-cpa-pc-zptbe/. As the sone goes, “Sad, but true!”
Meanwhile, many believe hospitals will require more financial support from the federal government to protect themselves against cyberattacks indicating that absent the proper funding the problem won’t get better.
We believe sufficient deterrents are not in place at either a political or legal level, yet I concur this is a national security public safety issue. So, with lives and safety at stake, I think it is appropriate for the federal government to provide resources and funding to support those industries.
President Biden’s budget proposal for fiscal year 2025 allocated $800 million to help “high need, low-resourced” hospitals to implement federally mandated cybersecurity measures. It also set aside $500 million in incentive funding to encourage all hospitals to advance their cybersecurity practices.
Of course, we are available to assist you and suggest you contact us!
Richard Freiberg
Profitability Consultant
Richard Freiberg CPA PC
Phone (980)339-3352
Cell (914)393-0033
www.rmfreibergcpa.com
LinkedIn
to subscribe to Cyber Insights Today
to subscribe to LinkedIn Newsletter Cyber Security
Providing valuable counsel to help boost your company’s bottom line, while navigating competitive forces, industry, and economic risks in today’s challenging environment
|
1 thought on “Your Hospital Suffered a Cyberattack, now what”
Hospitals need better security, for real, yo.