Ransomware Attacks Prompt Security Standards Proposal for Ailing Healthcare Sector

Senator Mark Warner (D-VA) has proposed legislation dubbed the Health Care Cybersecurity Improvement Act, that would require some healthcare providers and technology vendors they contract with to implement minimum cybersecurity best practices to qualify for any emergency funds from the Centers for Medicare and Medicaid Services (CMS).

‍

“We need to get some minimum cybersecurity standards into healthcare. We've been talking about this for some time without a lot of action,” The Record reports Warner as stating.

‍

“In November, Warner and Sen. Bill Cassidy (R-LA), the ranking member of the Senate Health, Education, Labor, and Pensions Committee, joined Sens. John Cornyn (R-TX) and Maggie Hassan (D-NH) in forming a working group to explore legislative options... Warner’s office issued a white paper laying out policy responses to the health sector’s cyber crisis.”

‍

The Department of Health and Human Services also recently published healthcare-specific Cybersecurity Performance Goals based on broader guidance from CISA.

‍

Additionally, HHS is planning two regulatory changes that will implement cybersecurity standards for Medicare and Medicaid participation, and a planned revamp of the healthcare data security rules prescribed by HIPAA (Health Insurance Portability and Accountability Act).

‍

Takeaway: A recent study revealed in the last several years there have been more than 500 successful ransomware attacks impacting nearly 10,000 healthcare providers exposing over 52 million patient records. It is estimated these attacks have bled the US economy by tens of billions of dollars.

‍

More concerning is the risk to human life these attacks represent. A study by Ponemon revealed that 68% of respondents said ransomware attacks disrupted patient care, 46% noted increased mortality rates, and 38% noted more complications in medical procedures following an attack.  

‍

Another study found that ransomware attacks contributed to between 42 and 67 patient deaths over a five-year period, and an alarming 33% increase in hospitalized Medicare patient deaths per month.

‍

Ransomware attacks are one of the biggest threats facing every organization today, and healthcare providers have been hit particularly hard.  

‍

‍Criminal ransomware groups know that the impact of an attack against healthcare organizations does not just disrupt operations, it directly affects the lives of their patients and puts the entire organization at risk:

• A ransomware attack disrupted healthcare systems in California, Texas, Connecticut, Rhode Island and Pennsylvania, forcing the suspension of services at emergency rooms and causing ambulances to be diverted to other facilities
• Hospital emergency rooms in New Jersey that were forced to divert ambulances following a ransomware attack
• An attack on SMP Health forced the organization to cease operations altogether
• A ransomware attack against MCNA Dental Insurance exposed the personal information of nearly nine million patients in one of the largest breaches of health information ever reported
• Attackers exposed clinical photographs of breast cancer patients

‍

In two recent episodes of the Last Month in Security Podcast, we dug into the onslaught of ransomware attacks targeting the Healthcare sector and how it impacts not just operations but patient outcomes as well as the disruptive ransomware attack on Change Healthcare.

‍

The panel considers whether attacks on healthcare and other critical infrastructure providers could rise to the level of terrorism, and whether a terrorism designation would give us more tools to work beyond the civilian criminal justice system in combatting these attacks. Check it out...

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.