
How Can Congress Aid Healthcare Cybersecurity, Fight Ransomware?

Witnesses testified before Congress this week, noting that the healthcare sector needs help battling cyberattacks and ransomware.

Healthcare is a prime target of ransomware and needs assistance to face digital thieves, according to several witnesses who testified before Congress this week.

Experts from healthcare, technology and cybersecurity testified before the US House of Representatives on Tuesday, July 20. Their testimonies were part of the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce’s hearing entitled, “Stopping Digital Thieves: The Growing Threat of Ransomware.”

The witnesses, a mixture of in-person and remote testimonies, were Philip Reiner, Chief Executive Officer of the Institute for Security and Technology; Charles Carmakal, Senior Vice President and Chief Technology Officer of FireEye-Mandiant; Robert M. Lee, Chief Executive Officer of Dragos; Kemba Walden, Assistant General Counsel of Microsoft Corporation; and Dr. Christian Dameff, MD, a practicing emergency medicine physician, assistant professor of Emergency Medicine, Biomedical Informatics, and Computer Science at the University of California San Diego and the Medical Director of Cybersecurity for UC San Diego Health.

Dr. Dameff testified on the first-hand impacts of ransomware on US healthcare. 

Dameff testified that “healthcare is not prepared to defend or respond to ransomware threats.”  

“We know ransomware attacks affecting the healthcare sector are increasing in frequency, sophistication, and disruptive potential. In addition to the exposure of sensitive data, severe financial losses, and reputational damage, a cyber-attack on a hospital has the potential to threaten life and limb,” Dameff stated.  

Cyberattacks impact the infected hospitals and the surrounding “healthcare ecosystem at large,” the emergency physician stated.  

“Two months ago, a ransomware attack disabled five large hospitals in the San Diego area for an entire month,” he stated. “Adjacent hospitals were quickly overwhelmed with unprecedented numbers of emergency room patients, many of whom had serious, time-dependent illnesses. Wait times skyrocketed. Hospital beds rapidly filled. Clinicians caring for very sick patients lacked vital medical records from the infected hospitals. I saw firsthand the ‘spill-over’ effects and understood that the vulnerability of one hospital is the vulnerability of many hospitals.”

Dameff told the subcommittee that the effects of ransomware attacks on patients’ health need to be scientifically studied and that hospitals are not equipped to measure and report those impacts.

“I recommend the development of standardized metrics of cyber-attack severity on hospitals. Mandatory reporting of patient safety and care quality outcomes should occur for severe attacks. I recommend that federal agencies such as the National Institutes of Health (NIH) and the National Science Foundation (NSF) prioritize funding for research on this topic,” he stated.  

The emergency doctor also stated that cybersecurity vulnerabilities need to be addressed to protect patients.

He noted some healthcare facilities, including those in rural areas, need additional help with their cybersecurity.  

“As we seek to protect vulnerable hospitals, we must also avoid overly punitive measures for those unfortunate enough to fall victim” to cyberattacks, Dameff testified. 

Dameff testified that support for a “software bill of materials (SBOM) as one mechanism to increase transparency around cybersecurity vulnerabilities...” would enable manufacturers and healthcare delivery organizations to take more proactive steps to manage their cybersecurity risk.

He recommended the “ongoing support and legal protections for security researchers engaging in good-faith security research, otherwise known as coordinated vulnerability disclosure. We need help from ethical hackers if we are going to defeat the malicious ones.”  

He called for preparing hospitals to combat these cyberattacks.  

“The ability to rapidly deploy backup manual patient care systems is key to reducing harms to patients. Such contingency planning takes resources and expertise,” Dameff stated.  

Kemba Walden, the assistant general counsel of Microsoft Corporation Digital Crimes Unit, testified that “Microsoft has observed that healthcare remains the number one target of ransomware.” 

Ransomware is not limited to isolated incidents, she stated. “It is ubiquitous and pervasive, impacting wide swathes of our economy, from the biggest to the smallest players. Our data shows that the energy sector represents one of the most targeted sectors, along with the financial, healthcare, and entertainment sectors. And despite continued promises by some cybercriminals not to attack hospitals or healthcare companies during the global pandemic, Microsoft has observed that healthcare remains the number one target of ransomware.”

Charles Carmakal, Senior Vice President and Chief Technology Officer of FireEye Mandiant, also shared insights into the ransomware issue impacting healthcare. 

“Last October, the cyber threat in the United States reached an unprecedented level,” Carmakal stated in his testimony. “Hospitals across the U.S. were disrupted by a group of eastern European threat actors. Hospital technology systems were taken offline, and medical professional and administrative staff had to rely on paper and pen to record data. Many hospitals had to divert patients and ambulances to emergency departments at other hospitals. The impact of cyber intrusions to human lives has never been more dire.” 

He told the committee this dire problem should be considered a threat to global security.  

Philip James Reiner, Chief Executive Officer of the Institute for Security and Technology, also provided testimony before the subcommittee. He discussed the societal harm ransomware inflicts.

“Cybercrime is typically seen as white-collar, but while ransomware is profit-driven and ‘non-violent’ in the traditional sense, that has not stopped these attackers from routinely threatening supply chains, risking human lives by shutting down hospitals with critical patients, diverting vital public resources, threatening the loss of data/privacy, disrupting schools and colleges, exposing the data of minors, placing entire cities under siege, and extorting exorbitant and destructive ransoms in the millions of dollars,” Reiner stated.

“These criminals, on the whole, do not care who they victimize - whether it's a gas pipeline, a managed service provider, an elementary school, or a large hospital system,” Reiner said. “They do not care if people die - and it is clear based on the medical literature that these attacks against hospitals and health care systems increase the risk of severe outcomes for patients unable to receive care. These criminals clearly do not care if essential services are disrupted. In fact, they count on it - the more desperate the victims, the more inclined they may be to pay the ransom.” 
