COMMENTARY: I was speaking with my business partner, Major William (Brad) Marsh, Ret., who served as an Army Trauma Nurse and now works with us as a cybersecurity professional about the recent cyberattacks on healthcare. Marsh shared that attackers have discovered and are exploiting the greatest susceptibility of modern healthcare systems: the supply chain.
Paraphrasing a warfare analogy by military theorist Carl von Clausewitz, Marsh said: “If your enemy relies on focused supply areas to support operations, it’s probably more effective to attack his base of supply rather than march up against their primary forces.”
While I’m not always a fan of military references, in this instance it’s appropriate. We’re at war now in healthcare cyberspace. And our nation-state-bolstered enemies have discovered the supply chain of one of our nation’s 16 critical infrastructure categories.
The supply chain attack on Change Healthcare disrupted the financial flow of the entire healthcare industry, with dire and catastrophic impacts. However, the attack on OneBlood and the blood supply chain of the Southeast region of healthcare puts an exclamation point on the end of the claim made by Sen. Mark Warner (D-Va), that healthcare cybersecurity is patient safety.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Warner put pen to paper for Congress nearly two years ago, while the Biden administration issued similar missives for when it endorsed Cybersecurity Performance Goals for healthcare.
The trouble is that the timeline for a funded response to this assault on our lives has been slated for FY 2026 and 2027, while the strategy for mandates measures among industry groups and the Department of Health and Human Services will take at least five years.
The time to act is now, we need an immediate national push to shore up our defenses and cyber resilience, or we may not have healthcare systems to worry about – should the response actions remain kicked so far down the road.
Congressional actions are stalled
Cybersecurity has become a critical patient safety risk and ransom attacks on hospitals are now deemed threat-to-life crimes by the FBI, yet Congress hasn’t done anything to answer the calls of frontline hospital and healthcare cyber leaders. It’s not that they’re unaware. Congress has held multiple hearings with leading industry leaders over the last three years.
The consensus was made clear: Without federal government support, the current state of cybersecurity for the vast majority of the healthcare industry has put patient lives and entire communities at risk.
In May of 2022, a Senate Health, Education, Labor, and Pensions Committee, heard that the existing state of voluntary practices have not proven sufficient to transcend the market failures. The COVID-19 pandemic further compounded the sector’s over-dependence on undeveloped technologies – many of which are directly connected to patients.
Healthcare has been among the hardest impacted by the cybersecurity staffing challenges facing the rest of the economy, with many U.S. hospitals operating with minimal to no cybersecurity programs. While education and manufacturing sectors face similar challenges, in healthcare, vulnerable technology impacts patients across the country with no immediate solution to reduce the risk.
We understand that that securing healthcare will require an uphill battle with providers balancing the need to drive innovation and efficiency while simultaneously keeping patients safe from privacy and security risks. These challenges hit small, rural, and other under-resourced provider the hardest, when most lack the budgets and staff to adequately secure technologies vital to providing care.
Data confirms the drastic impacts these delays have on care morbidity, particularly stroke patients where minutes can severely alter patient outcomes. As seen with the massive attacks against Change Healthcare, Ascension, OneBlood, and in previous years, Scripps Health, CommonSpirit, and the UK National Health System, the subsequent disruptions have been the norm in healthcare for at least the last five years.
In 2023, more than two dozen health systems and pharmaceutical supply entities faced operational disruptions and/or diverted emergency care patients and operated without access to technology necessary to support safe patient care. These outages not only impact the patient care at the impacted care site, but the neighboring hospitals as well. The unexpected influx of patients leads to care delays and lead to care morbidity.
Here's the reality: without federal support, the challenges to strengthening healthcare defenses will hold back many healthcare entities. Most of the non-third-party attacks over the last couple years are clearly occurring in organizations where IT and cyber are underfunded or leadership has accepted too much risk. Such organizations are absolute sitting ducks and will be exposed.
We must look to a prioritized practice standard if the healthcare sector can wean off the endless breaches we see month after month. Lawmakers must prioritize addressing the continuous onslaught impacting lives and the trust we all need in our care institutions. This whole-of-society challenge includes elected officials entrusted with protecting the wellbeing of our citizens. The healthcare sector makes up roughly one-sixth of our economy and has faced these cybersecurity threats for nearly a decade.
It's well past time to act.
Toby Gouker, chief security officer, First Health Advisory
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.