Imagine losing all communications and electronic data. A healthcare facility would stop in its tracks and patient care would plummet.
Warnings about potential cyber attacks against critical infrastructure, including the healthcare industry, have been mounting in recent weeks due to the Russian war against Ukraine. But you can take steps right now to reduce your risk and avoid the nightmare scenario.
The Cybersecurity and Infrastructure Security Agency (CISA) launched the Shields Up initiative last month just days after the invasion began.
- On March 17, CISA and the FBI issued a joint advisory warning critical infrastructure organizations of cyber risks associated with satellite communication (SATCOM) networks. Organizations across all sectors, including healthcare, use SATCOM networks for voice and data.
- The advisory urges SATCOM network providers and customers to remain vigilant against SATCOM cyberattacks which could disrupt network environments.
- In late February, hackers targeted SATCOM provider Viasat and disrupted network access across Ukraine. As reported by Reuters, the attack coincided with Russia’s initial invasion of Ukraine. Viasat is also a defense contractor for the U.S. and some of its allies and is used across U.S. critical infrastructure.
- President Biden issued a statement on March 21, urging an immediate hardening of private-sector cyber defenses “based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
- The American Hospital Association (AHA) followed up with a cybersecurity advisory for its members. Key elements from the AHA:
- Consult AHA.org for its risk mitigation guidance, which stresses heightening staff awareness of the increased risk of receiving malware-laden phishing emails.
- Geo-fencing all inbound and outbound traffic originating from, or related to, Russia, Ukraine and the surrounding region may help mitigate the direct cyber risk presented by this threat; it will do little against indirect risk, in which malware transits other nations, proxies and third parties before reaching you.
- Identify all internal and third-party mission-critical clinical and operational services and technology; put into place four-to-six week business continuity plans and well-practiced downtime procedures in the event those services or technologies are disrupted by a cyberattack.
- Check the redundancy, resiliency and security of your organization’s network and data backups, and ensure that multiple copies exist: off-line, network segmented, on premises and in the cloud, with at least one immutable copy.
- Ensure that emergency electric generating redundancy, resiliency and generator fuel reserves are in place and have been recently tested.
- A cross-function, leadership-level cyber incident response plan should be fully documented, updated and practiced including emergency communications plans and systems.
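The geo-fencing caveat above is easy to state and easy to underestimate. The following is an added example, not code from the AHA advisory or the original article: a minimal geo-fence decision over connection records, run against a handful of constructed records to show what such a filter catches (a direct connection from a fenced range, or an outbound connection to one) and what it cannot see (the same origin reaching you through a proxy or a third-party relay elsewhere). The CIDR blocks are placeholders standing in for a fenced-region list and are not real country allocations; the `x_forwarded_for` field is a hypothetical proxy header included only to show that the origin is invisible to the perimeter decision.

```python
"""Added example: a minimal geo-fence filter and its blind spot.

Not from the AHA advisory or the original article. All address ranges and
connection records are constructed for illustration; the CIDR blocks are
placeholders, not real geolocation data. A real deployment would take its
ranges from a maintained GeoIP feed and enforce them at the perimeter
firewall, not in application code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder "fenced region" ranges (constructed; RFC 5737 documentation
# space, deliberately not real country allocations).
FENCED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass(frozen=True)
class Conn:
    src: str                     # address that actually opened the connection
    dst: str                     # address it connected to
    direction: str               # "in" (to us) or "out" (from us)
    # Hypothetical proxy header. Even when present it is attacker-controlled
    # and a perimeter geo-fence never sees it; it is here only to label the
    # true origin of the constructed sample records.
    x_forwarded_for: Optional[str] = None


def in_fenced_region(ip: str) -> bool:
    """True if ip falls inside any fenced range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FENCED_RANGES)


def geofence_decision(conn: Conn) -> str:
    """Block when the peer we actually talk to is in a fenced range.

    Inbound traffic is judged on its source, outbound on its destination.
    The decision is made only on the immediate peer address, which is all a
    perimeter geo-fence ever has.
    """
    peer = conn.src if conn.direction == "in" else conn.dst
    return "block" if in_fenced_region(peer) else "allow"


def evaluate(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    return [(c, geofence_decision(c)) for c in conns]


# Constructed sample records. 10.0.5.20 is our internal host; 192.0.2.0/24
# stands in for "some other, non-fenced country".
SAMPLE = [
    # Direct inbound from a fenced range: caught.
    Conn("203.0.113.10", "10.0.5.20", "in"),
    # Outbound from an internal host to a fenced range (C2-style beacon): caught.
    Conn("10.0.5.20", "198.51.100.7", "out"),
    # Same fenced origin, but relayed through a proxy in a non-fenced
    # country: the perimeter only sees 192.0.2.44, so it is allowed.
    Conn("192.0.2.44", "10.0.5.20", "in", x_forwarded_for="203.0.113.10"),
    # Phishing mail arriving via a legitimate third-party mail provider
    # hosted outside the fence: allowed, regardless of who sent it.
    Conn("192.0.2.99", "10.0.5.20", "in"),
]


def blind_spots(conns: List[Conn]) -> List[Conn]:
    """Records the geo-fence allows even though the labelled true origin is
    fenced. This is only computable here because the sample carries the
    origin label; in production the filter has no such information."""
    return [
        c for c, decision in evaluate(conns)
        if decision == "allow"
        and c.x_forwarded_for is not None
        and in_fenced_region(c.x_forwarded_for)
    ]


if __name__ == "__main__":
    for conn, decision in evaluate(SAMPLE):
        print(f"{decision:5s} {conn.direction:3s} {conn.src} -> {conn.dst}")
    print("missed by the fence:", len(blind_spots(SAMPLE)))
```

The two direct cases are blocked and the two relayed cases are allowed, which is exactly the advisory's point: geo-fencing cuts the direct path, so it is worth doing, but phishing delivered through an ordinary mail provider or malware staged on a proxy in an unfenced country walks straight through it. The controls that cover that gap are the other items in the list: awareness training, tested backups and a practiced response plan.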
HIPAA Risk Management Review
Everything recommended by CISA, the FBI and the AHA is already an everyday practice in a strong HIPAA compliance program. Among other things, HIPAA Risk Analysis and Risk Management require:
- Workforce cybersecurity awareness training – repeat it, review it, stay open to questions and reward the reporting of suspected incidents; phishing is still the most common initial-access tactic for cyber criminals.
- Data backups – daily, offsite, redundant, accessible in an emergency.
- Contingency planning – alert key staff of their roles, practice the plan.
- Review third-party vendors' security practices; include them in contingency planning and exercises.