Cybersecurity panel: The scope of recent ransomware attacks in healthcare

Hospitals and health systems are paying more attention to cybersecurity, because they have no other choice.

Hundreds of cyberattacks have taken place this year, including the Change Healthcare ransomware attack, which disrupted almost all hospitals nationwide. Other health systems have weathered attacks.

Chief Healthcare Executive® has reported extensively on cybersecurity over the past few years, and it looks to be an issue that will garner heavy coverage in years to come. Beyond reporting on the attacks, we’ve shared insights from key cybersecurity experts. Now, we’re looking to do a bit more.

Recently, Chief Healthcare Executive® assembled a panel discussion with three leading cybersecurity experts: John Riggi, national advisor for cybersecurity and risk for the American Hospital Association; Lee Kim, senior principal of cybersecurity and privacy at HIMSS; and Adam Zoller, the global chief information security officer for the Providence health system.

Today, we’re presenting the first of a series of videos from that discussion. (Here’s the video. The story continues below.)

In this discussion, the cybersecurity panel looked at the scope of recent attacks.

“Cyberattacks against hospitals and health systems continue to increase at a very alarming rate,” Riggi said. “Last year, in terms of data theft attacks, hospitals and health systems suffered the worst year in terms of data breaches and ransomware attacks. In fact, we ended the year with over 136 million individuals in the United States.”

And the number of victims is almost certain to be higher this year. The Change Healthcare cyberattack alone affected 100 million Americans, according to the U.S. Department of Health & Human Services. It’s being called the most significant cyberattack affecting healthcare in U.S. history. Riggi pointed out that a Russian ransomware group, Black Cat, claimed responsibility for the Change Healthcare attack.

“They understood they would be attacking the entire healthcare sector,” Riggi said. “Every hospital and health system in the country was affected either directly or indirectly, by this attack, and it was a very significant disruption.”

The Providence health system constantly defends against cyberattacks, Zoller said.

“This year has been a pretty wild year for healthcare,” Zoller said. “Personally, Providence has been targeted by thousands of attacks, as we are every year. We've thwarted these attacks. We've been able to, knock on wood, stay ahead of these attacks, but the attacks are growing in sophistication. They’re growing in volume”

A majority of cybersecurity healthcare professionals say their organization has experienced a security incident in the past year, according to HIMSS.

When it comes to cyberattacks, Kim said, “It's not a matter of if, but when.”

But Kim said while attacks are becoming increasingly sophisticated, hospitals and healthcare organizations are making strides in cybersecurity.

“I've seen extremely large strides in terms of growth, in terms of cybersecurity maturity, stakeholders getting more on board,” Kim said. “There are a lot more healthcare organizations that are realizing that cybersecurity is part of their business.”

The experts noted that private health information is extremely valuable, which is why ransomware groups are targeting hospitals and other providers. The panel noted that those attacks can threaten patient care, and health systems often pay ransoms to restore their system.

“I think the perception is, rightly or wrongly, that healthcare systems are more willing to pay the criminals,” Zoller said.

Check out the video for more analysis and perspective on cyberattacks in healthcare.

Important note: This is the first video from our wide-ranging conversation. We’ll be publishing other installments over the next few weeks with more perspective from our experts on cybersecurity. Our thanks to these experts for sharing their knowledge and insights on such an important topic for the healthcare industry.