Federal government agencies are rolling out a set of resources designed to help healthcare organizations under siege from a growing number of ransomware and other cyber-attacks to better protect themselves against threat groups looking to extort money and steal information.

The Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS) this week released a cybersecurity toolkit that brings together a range of resources designed for the healthcare industry, from cyber-hygiene services and best practices to a tips for implementing the NIST Cybersecurity Framework to help improve an organization’s resiliency.

The toolkit comes at a time when cybercriminals are turning a greater focus on the healthcare industry.

“Adversaries see healthcare and public health organizations as high-value yet relatively easy targets – or what we call target-rich, cyber-poor,” CISA Deputy Director Nitin Natarajan said in a statement. “Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for an adversary.”

The rapidly rising number of threats against healthcare organizations worldwide has been well documented and it doesn’t look to taper off anytime soon.

A Thorny Problem

A study by the Ponemon Institute and cybersecurity vendor Proofpoint found that 88% of healthcare facilities sustained an average of 40 attacks in the previous 12 months, with the average cost of a cyber-attack jumping 13% year-over-year, to almost $5 million.

A similar study by cybersecurity firm Sophos last year found that in 2021, 66% of healthcare organizations were hit by ransomware – in 2020, that number was 34% – and in the first three weeks of this year, the global healthcare industry saw an 11% jump over 2022 in the average number of attacks per week, security firm Check Point said in a report this week. Overall, it ranked third – behind education and government and military agencies – as the third largest target.

Check Point listed more than a dozen reasons why healthcare facilities are attractive to threat groups, from the large amount of sensitive information they hold and the wide use of internet-connected devices to the legacy systems they use, limited IT resources, and vulnerabilities in the supply chain.

In addition, global health concerns like pandemics or other crises that create sense of urgency and distractions that bad actors can take advantage of and hospitals have a low tolerance for attacks given the high stake work they do.

“The nature of healthcare means that any disruption can have immediate and life-threatening consequences,” Check Point researchers wrote. “Cybercriminals may exploit this urgency, knowing that healthcare providers are more likely to pay ransoms quickly to restore critical services.”

Major Breaches

Attacks this year illustrate the threat that ransomware and other groups pose. HCA Healthcare, which runs a huge healthcare and health services network in the United States and the UK that sees 35 million users a year, said a data breach led to the theft of personal data of more than 11 million of its patients.

Earlier this year, in a hack of Managed Healthcare of North America, sensitive information of 8.9 million people was stolen.

Atlas VPN said in a report this week that the personal and health information of 87 million patients in the United States were exposed in data breaches this year, more than twice as many as 2022, when the number was 37 million. In the first half of the year, the number of patients affected reached 41 million. In the third quarter alone, with was 45 million, according to Atlas.

The Toolkit

CISA and HHS want to help healthcare facilities shore up their defenses. CISA’s Cyber Hygiene Services provides vulnerability scanning and testing services to detect known vulnerabilities and phishing attacks in organizations’ IT environment.

The service runs continuous scans of public, static IPv4s for accessible services and vulnerabilities and delivers weekly vulnerability reports and ad hoc alerts.

HHS’s Health Industry Cybersecurity Practices, created in conjunction with organizations in the industry, outlines cybersecurity practices healthcare facilities can use to become more cyber-resilient. The HPH Sector Cybersecurity Framework Implementation Guide gives organization guidelines for implementing the NIST framework.

The guide was pulled together by HHS and the Health Sector Coordinating Council and its Cybersecurity Working Group, which collects expertise of industry experts in healthcare cybersecurity.

“We have seen a significant rise in the number and severity of cyber attacks against hospitals and health systems in the last few years,” HHS Deputy Secretary Andrea Palm said in a statement. “These attacks expose vulnerabilities in our healthcare system, degrade patient trust, and ultimately endanger patient safety. The more they happen, and the longer they last, the more expensive and dangerous they become.”