Protecting the Health Care Ecosystem Requires Looking at Cyber Culture

Every year, the number of ransomware attacks in the health care sector increases as leaders work to protect the digital health care ecosystem.

“It is a problem,” said Department of Health and Human Services CIO Karl Mathias at the 2023 Billington Summit — adding that the sector has seen a 42% increase since 2016 in ransomware attacks. “Last year, and this year, it’s going to be the biggest sector for ransomware attacks.”

Mathias said that prevention is key in order to get in front of the problem. The agency has created a program, 405D, which is dedicated to risk management and strengthening cybersecurity within the sector before threats occur.

“HHS isn’t just looking at it from a single hospital point of view, or even a medical group. We’re looking at the entire infrastructure of the health care system, whether it’s a provider, whether it’s a hospital, whether it’s pharmaceutical manufacturing company,” Mathias said.

In addition, HHS released a roadmap to guide health care organizations to prevent and confront cyberattacks in March. The cybersecurity implementation guide is targeted to help public and private health care sectors.

The number of cybersecurity threats is expected to increase as emerging technology like AI continues to mature and open up the threat landscape. In 2022, health care organizations in America were targeted with more than 1,400 cyberattacks weekly per organization.

“Cyber incidents pose risks to patient data, intellectual property, scientific or laboratory research, medical manufacturing and ultimately the ability of health care organizations to safely serve their patients,” said HHS Deputy Secretary Andrea Palm in a March statement.

Cybersecurity industry leaders say data protection is critical and will ultimately provide a solution to ongoing threats.

“The health care industry generates almost a third of the data that’s been put out. Health care data is so attractive, so lucrative in the dark web and the other areas that people want to get into,” Leidos CTO Srini Iyer said at the 2023 Billington Summit. “Protecting the data is so important. If we can do that, I think it’ll probably prevent a lot of activities.”

To stay ahead of these threats, Mathias said HHS is collaborating with other agencies for additional support.

“We’re working with CISA, we’re working with the FBI, to see if we can get to those places that are in trouble, particularly when you see the small rural hospitals get hit, they have less resources, we want to make sure that we can come in and help them,” Mathias said.

In 2022, the FBI received more than 200 reports of ransomware attacks in the health care sector, topping all other sectors. This is where shaping a cybersecurity culture will be key across organizations.

“Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry,” Assistant Secretary for Preparedness and Response Dawn O’Connell said in a statement.