Ascension’s Cybersecurity Incident Puts Healthcare On Alert
Ascension Health’s recent ransomware attack is a stark reminder of the urgent and shared responsibility we all bear in the face of escalating cyber threats. The past five years have seen a 256% increase in large breaches involving hacking and a 264% increase in ransomware incidents reported to the Office for Civil Rights (OCR). As healthcare CIOs, we must urgently lead the charge in rethinking our cybersecurity strategies.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued three crucial recommendations to combat ransomware. These recommendations are not mere suggestions but essential, non-negotiable steps to protect our healthcare systems.
Carter Groome, CEO of First Health Advisory, said, “CISA’s recommendations address the most basic hygiene practices, including patching, next-gen MFA, and phishing awareness. Organizations should go further in sweeping for indicators of compromise (IOCs) and known exploitable vulnerabilities (KEVs), doubling down on Help Desk training for social engineering attacks, and really buttoning down Remote and Privileged Access Management controls.”
However, from an operational standpoint, implementing these measures is a complex task that requires careful planning and execution.
Keep Everything Updated
The first and most fundamental CISA recommendation is installing operating system, software, and firmware updates promptly. This may seem daunting, but it is essential to keeping systems secure. Healthcare organizations must plan for service interruptions and downtime during upgrades, and the growing frequency of updates makes that planning harder. There is currently no way to apply updates fast enough to avoid downtime entirely, so maintenance windows have to be scheduled, not avoided.
Healthcare CIOs should consider dedicating a second team, or contracting external support, to own updates and patches for core technologies so that patching does not compete with day-to-day operations.
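When there is more patch work than maintenance windows, the practical question is which updates go first. The script below is an added example, not from the article or from CISA: it ranks open vulnerabilities on an asset inventory using the field layout of CISA's public KEV catalog (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse). The KEV entries, the inventory, the hostnames and the CVE identifiers are all constructed sample data, and the scoring weights are an assumption to be tuned locally.

```python
"""Added example (not from the article): rank an inventory's open
vulnerabilities by urgency using CISA KEV catalog fields.
All KEV entries, hosts and CVE IDs below are constructed placeholders."""
from datetime import date

# Constructed KEV-style entries. Field names follow the public catalog JSON;
# the CVE IDs and values are made up for this example.
KEV_SAMPLE = [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dueDate": "2024-06-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleOS", "product": "Server",
     "dueDate": "2024-07-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-0003", "vendorProject": "ExampleEHR", "product": "Client",
     "dueDate": "2024-05-20", "knownRansomwareCampaignUse": "Known"},
]

# Constructed inventory: host, business tier, and CVEs a scanner reports open.
INVENTORY = [
    {"host": "vpn-edge-01", "tier": "internet-facing", "open_cves": ["CVE-2099-0001"]},
    {"host": "ehr-app-03", "tier": "clinical", "open_cves": ["CVE-2099-0003", "CVE-2099-0002"]},
    {"host": "print-srv-07", "tier": "internal", "open_cves": ["CVE-2099-0002"]},
    {"host": "kiosk-12", "tier": "internal", "open_cves": ["CVE-2099-9999"]},  # not in KEV
]

# Assumed weights: how much an exposed or clinical system outranks an internal one.
TIER_WEIGHT = {"internet-facing": 3, "clinical": 2, "internal": 1}
OVERDUE_PENALTY = 5  # added once the federal remediation due date has passed


def kev_index(entries):
    """Map cveID -> catalog entry for constant-time lookups."""
    return {e["cveID"]: e for e in entries}


def prioritize(inventory, kev_entries, today):
    """Return (host, cve, score, days_to_due) tuples, most urgent first.

    score = tier weight, doubled if the CVE is tied to ransomware campaigns,
    plus OVERDUE_PENALTY once the KEV due date is in the past.
    CVEs absent from the catalog come last with score 0 and days None so
    they stay visible in the work queue instead of being silently dropped.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    index = kev_index(kev_entries)
    rows = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = index.get(cve)
            if entry is None:
                rows.append((asset["host"], cve, 0, None))
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            score = TIER_WEIGHT[asset["tier"]]
            if entry["knownRansomwareCampaignUse"] == "Known":
                score *= 2
            if days_left < 0:
                score += OVERDUE_PENALTY
            rows.append((asset["host"], cve, score, days_left))
    # Highest score first; among equal scores, the nearest due date first.
    return sorted(rows, key=lambda r: (-r[2], r[3] if r[3] is not None else 10**6))


if __name__ == "__main__":
    for host, cve, score, days in prioritize(INVENTORY, KEV_SAMPLE, "2024-06-10"):
        print(f"{score:>2}  {host:<14} {cve}  due in {days} days")
```

In practice the `KEV_SAMPLE` list would be replaced by the catalog JSON downloaded from CISA and `INVENTORY` by a scanner export; the point of the ranking is that an overdue, ransomware-linked flaw on an internet-facing system is scheduled for the next window ahead of everything else, whatever the release calendar says.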
MFA Everything
The second recommendation is to implement multi-factor authentication (MFA) across as many healthcare systems as feasible. MFA raises the bar considerably against credential-based attacks, but rolling it out is not always convenient and can be time-consuming, especially for clinicians who see patients back to back. Historically, most healthcare organizations deployed MFA mainly for remote and external users; the current threat level demands extending it to users onsite as well.
A scenario to avoid: executives who let administrative assistants manage their inboxes, often by installing the executive’s MFA authenticator app on the assistant’s phone. If the executive’s password is compromised and the attacker’s login triggers a push prompt, there is a good chance the assistant approves it, assuming the request is legitimate. Many executives delegate their accounts this way, and it should concern CIOs: a mailbox can be delegated, but a credential and its authenticator should belong to exactly one person.
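The shared-authenticator arrangement above is easy to find once you look for it. The script below is an added example, not from the article: it takes an MFA registration export and a sign-in log and flags, first, authenticators enrolled under more than one account and, second, sign-ins approved either by such a shared device or by a device that is not enrolled to the account at all. The record layout (`user`, `device_id`, `approved_by`) is a hypothetical simplification of what an identity provider exports, and every row is constructed.

```python
"""Added example (not from the article): audit MFA registrations for
authenticators shared across accounts and flag suspicious push approvals.
Record formats are hypothetical; all rows are constructed sample data."""
from collections import defaultdict

# Constructed registration export: one row per (account, enrolled authenticator).
REGISTRATIONS = [
    {"user": "ceo@hospital.example", "device_id": "dev-A1"},        # assistant's phone
    {"user": "assistant@hospital.example", "device_id": "dev-A1"},  # same phone
    {"user": "ceo@hospital.example", "device_id": "dev-C9"},        # executive's own phone
    {"user": "nurse1@hospital.example", "device_id": "dev-N4"},
]

# Constructed sign-in log: account, source IP, and the device that approved the prompt.
SIGNINS = [
    {"user": "ceo@hospital.example", "ip": "203.0.113.7", "approved_by": "dev-A1"},
    {"user": "ceo@hospital.example", "ip": "198.51.100.2", "approved_by": "dev-C9"},
    {"user": "nurse1@hospital.example", "ip": "192.0.2.44", "approved_by": "dev-N4"},
    {"user": "nurse1@hospital.example", "ip": "192.0.2.99", "approved_by": "dev-Z0"},
]


def shared_devices(registrations):
    """Return {device_id: sorted users} for authenticators enrolled under
    more than one account. One phone approving prompts for two people is
    exactly the executive/assistant setup described above."""
    by_device = defaultdict(set)
    for row in registrations:
        by_device[row["device_id"]].add(row["user"])
    return {dev: sorted(users) for dev, users in by_device.items() if len(users) > 1}


def risky_signins(signins, registrations):
    """Return (signin, reason) pairs worth a second look.

    'device-not-enrolled': the approving device is not registered to the
        account at all (data error, or an authenticator an attacker added).
    'shared-authenticator': the approver may be a legitimate delegate, but
        they cannot tell whether the password that triggered the prompt was
        typed by the executive or by an attacker.
    """
    shared = shared_devices(registrations)
    enrolled = defaultdict(set)
    for row in registrations:
        enrolled[row["user"]].add(row["device_id"])
    flagged = []
    for s in signins:
        dev = s["approved_by"]
        if dev not in enrolled[s["user"]]:
            flagged.append((s, "device-not-enrolled"))
        elif dev in shared:
            flagged.append((s, "shared-authenticator"))
    return flagged


if __name__ == "__main__":
    for dev, users in shared_devices(REGISTRATIONS).items():
        print(f"shared authenticator {dev}: {', '.join(users)}")
    for signin, reason in risky_signins(SIGNINS, REGISTRATIONS):
        print(f"{reason:<22} {signin['user']} from {signin['ip']} via {signin['approved_by']}")
```

The first check is the one to run before any incident: every device that shows up under two accounts is a credential being shared in practice, whatever the policy says. The remediation is to give the assistant delegated access to the mailbox under their own account and remove the executive's authenticator from the assistant's phone, so the only person who can approve a prompt for the executive's password is the executive.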
User Education
The final recommendation focuses on educating users to recognize and report phishing attempts. Phishing awareness training equips healthcare staff to identify and avoid malicious emails that threaten sensitive data, and teaching employees the latest phishing tactics actively prevents breaches that exploit human error. Regular refreshers and simulated phishing campaigns keep the workforce alert to emerging threats. The training also has to be fast and practical: users typically take less than 60 seconds to fall for a phishing email.
Cybersecurity breaches directly impact patient safety, as seen in incidents where healthcare organizations had to divert patients because clinicians could not access electronic systems. Errol Weiss, Chief Security Officer at Health-ISAC, agrees and said, “When hospitals get attacked by ransomware, it becomes an attack on patient care and safety. Hospitals cannot rely on the government for help. They need more investments in cyber security — including technology and the people to run those systems — to better protect the complex IT infrastructure used in today’s modern hospitals.”
To combat this, Healthcare CIOs must creatively establish new cybersecurity operating models.