On High Alert: Hospitals Brace for Cyber-Attacks

March 9, 2022

In a highly touted mini-series based on Herman Wouk’s The Winds of War, there is a poignant moment in which a pensive President Franklin Roosevelt says somberly—almost sorrowfully: “It’s a bad thing to go to war.”  It is indeed a sad state of affairs when those in the power structure are unable to resolve their differences through peaceful means.  As long as there are bad actors on the world’s stage, there will be the potential for bad activity.  That potential is now being felt by America’s hospitals.

The Possible Threat

In response to the invasion of Ukraine, the United States has issued a series of economic and other sanctions against Russia.  President Vladimir Putin of the Russian Federation has indicated there will be consequences for these actions.  Federal officials believe these consequences could involve major cyber-attacks against American infrastructure, businesses and even health facilities.  Indeed, as one health-based website put it, “hospitals are increasingly becoming targets of cyberattacks, which often disrupt operations and potentially put patients at risk.”  The site then listed, as an example, a 2019 ransomware attack at Springhill Medical Center in Mobile, Alabama, which compromised the hospital’s network for three weeks. 

The seriousness of the current situation faced by healthcare facilities is reflected in an official government warning, issued days ago.  The Cybersecurity and Infrastructure Security Agency (CISA) has issued a “Shields Up” alert for U.S. organizations concerning cyber threats from Russia.  In the alert, CISA recommended that all U.S. organizations, regardless of size, “adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”  In the current environment, it would behoove hospital decision-makers to confirm that their IT staff members are redoubling their efforts to protect the facility’s networks to the greatest extent possible.  But how, and what if there is a breach?

The Mitigating Strategies

As reported by Advisory Board, both CISA and the American Hospital Association (AHA) have outlined four steps for U.S. organizations to take in order to minimize the risk and potential impact of cyber-attacks.  They are summarized for our readers below.

1. Reduce the risk of a damaging attack

CISA recommends organizations require multi-factor authentication for all remote access to their networks, as well as for privileged or administrative access.  All software should be up to date, and updates that address known exploited vulnerabilities should be prioritized.  Furthermore, IT personnel should (a) ensure all non-essential ports and protocols are disabled, and (b) implement strong controls if cloud services are used.

2. Ensure potential attacks are quickly detected

CISA recommends that IT personnel confirm an organization’s network is protected by antivirus and antimalware software.  They should also focus on identifying and quickly assessing any unusual or unexpected network activity.  If an organization conducts business with Ukrainian organizations, IT personnel should closely monitor and inspect traffic from these organizations, as well as review any access controls.  In addition, the AHA suggests organizations “geo-fence” all inbound and outbound traffic from Ukraine and the surrounding region to mitigate potential direct cyber risks.

3. Be prepared to respond if an attack occurs

To prepare for an attack, a main crisis response team should be designated, with different members taking charge of technology, communications, legal issues and business continuity. Organizations should also conduct an exercise with all team members to ensure they all understand their roles during a potential attack.  The AHA considers this key to your network defense, stating that it is “critical that a cross-function, leadership-level cyber incident response plan be fully documented, updated and practiced. This should include emergency communications plans and systems.”

4. Ensure critical operations and data will still function during an attack

Finally, the AHA recommends organizations identify all “mission-critical clinical and operational services and technology” and develop “four-to-six-week business continuity plans and well-practiced downtime procedures in the event those services or technologies are disrupted by a cyberattack.”  Per CISA, organizations should test backup procedures to make sure critical data can be quickly restored if they’re affected by a cyber-attack.  Backup data should also be isolated from network connections.  In addition, organizations should test manual controls of their operational technology to make sure critical functions are still operable even if their networks are down or compromised.
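
A backup test is only meaningful if the restored data is compared with what was backed up.  The following added example (not from CISA, the AHA or this article) restores a tar archive into a scratch directory and checks every file against SHA-256 hashes recorded at backup time; the file names, the manifest format and the function names are assumptions made for illustration.

```python
import hashlib
import io
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # chunked: large files
            digest.update(chunk)
    return digest.hexdigest()


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory; compare each file with the SHA-256
    recorded at backup time. Returns {name: OK|CORRUPT|MISSING|UNEXPECTED}."""
    results = {name: "MISSING" for name in manifest}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive_path) as tar:
        root = Path(scratch).resolve()
        for member in tar:
            target = (root / member.name).resolve()
            if not member.isfile() or root not in target.parents:
                continue  # skip links, devices and paths escaping the scratch dir
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            expected = manifest.get(member.name)
            status = "OK" if sha256_file(target) == expected else "CORRUPT"
            results[member.name] = status if expected else "UNEXPECTED"
    return results


def demo():
    """Constructed data: a backup that lost one file and damaged another."""
    original = {"ehr/patients.db": b"constructed records",
                "pacs/index.json": b"{}", "lab/results.csv": b"id,value\n"}
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in original.items()}
    damaged = {"ehr/patients.db": b"truncat", "pacs/index.json": b"{}"}
    with tempfile.TemporaryDirectory() as workdir:
        archive = Path(workdir) / "backup.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            for name, data in damaged.items():
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        return verify_restore(archive, manifest)
```

Calling `demo()` reports the damaged file as CORRUPT and the absent one as MISSING; in practice the manifest should be stored apart from the backup itself so that both cannot be altered together.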

With all that’s happening in the world, now is not the time to let down our guard.  It will be up to each facility’s leaders to enact a plan of action to meet the current threat.  If we can be of help in this regard, please reach out to us at info@miramedgs.com.