Federal Authorities Work to Boost Health-Care Cybersecurity

Ransomware attacks against the health-care sector put lives at risk — and they’re getting worse. But federal authorities are providing free cybersecurity resources to foster systemwide change.

August 09, 2024 • [Jule Pattison-Gordon](https://www.govtech.com/jule-pattison-gordon)

![Two medical professionals consulting on a hologram of a patient’s lungs.](https://erepublic.brightspotcdn.com/dims4/default/1beacb8/2147483647/strip/true/crop/8008×4176+0+0/resize/840×438!/quality/90/?url=http%3A%2F%2Ferepublic-brightspot.s3.us-west-2.amazonaws.com%2F42%2F19%2F0814cd714252a1946717c3cbc91b%2Fshutterstock-2256153495.jpg)

Shutterstock

OneBlood. Change Healthcare. The Fred Hutchinson Cancer Center. There is a long list of [health-care](https://www.govtech.com/tag/health-and-human-services) entities recently hit by [ransomware attackers](https://www.govtech.com/tag/cybersecurity), who are increasingly striking the sector, at times with massive impact or highly personal threats.

A ransomware attack recently [disrupted](https://securityaffairs.com/166401/cyber-crime/oneblood-suffered-ransomware-attack.html) medical blood supply in the Southeastern states. In February, ransomware caused nationwide crises for patients when it struck [Change Healthcare](https://www.govtech.com/security/congress-asks-how-to-prevent-another-change-healthcare-crisis). In January, ransomware actors [threatened](https://www.theregister.com/2024/01/05/swatting_extorion_tactics/) to SWAT cancer patients.

Strengthening the health-care sector against cyber attacks will require more resources for struggling organizations along with taking a systemwide approach, and efforts to do that are underway.

Attacking hospitals has long been [off limits](https://www.icrc.org/en/document/protection-hospitals-during-armed-conflicts-what-law-says) in wartime, but in cyberspace, attackers treat health care like just another target, said Brian Mazanec, deputy director of the Office of Preparedness at the federal Department of Health and Human Services’ Administration for Strategic Preparedness and Response (ASPR).

‘Attacks [against health care] have been increasing in frequency, in sophistication, in severity [and] in the diversity of targets,’ Mazanec said.

Victims range from hospitals to third parties supporting the sector. Not all victims report incidents, but based on available information, health care is among the top three most targeted of the [16 critical infrastructure](https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors) sectors, Mazanec said.

Until recently, ransomware attacks against health-care providers seemed largely the result of indiscriminate, mass phishing attacks in which perpetrators hit any organizations they could, said Health-ISAC CISO Errol Weiss. But recent attacks on [OneBlood, Synnovis and Octapharma](https://www.aha.org/advisory/2024-08-01-american-hospital-association-and-health-isac-joint-threat-bulletin-tlp-white) indicate hackers are specifically targeting major health-care suppliers to cause widespread disruptions that increase pressures to pay.

Small entities like health centers have little money, but perpetrators seem to find cyber attacks easy enough for even smaller payouts to be worthwhile, said Dr. Julia Skapik. Skapik is the chief medical information officer of the National Association of Community Health Centers and a practitioner at the Neighborhood Health Center in Alexandria, Va.

### CHALLENGES

Health-care providers face steep pressures to pay ransoms, ‘because if they don’t, people can die,’ Mazanec said.

Some organizations are at particular risk: complex, legacy health-care IT setups can be hard to maintain or update, and small rural health-care organizations often have little money for cybersecurity.

‘The idea of having a chief information security officer is very lovely, but in an organization that doesn’t have a huge number of staff, it’s really a challenge to be able to marshal those kinds of resources,’ Skapik said.

Some larger health centers have cybersecurity professionals, but they may be newer to the field. And the centers may still lack around-the-clock cybersecurity support, Skapik said. Typically, cybersecurity is a responsibility added to existing IT workloads, which can cause backlogs.

Such multi-hatted professionals have little time to hunt for available resources, so ASPR is raising awareness about federally provided free cybersecurity [tools](https://aspr.hhs.gov/ASPRBlog/Pages/BlogDetailView.aspx?ItemID=475) and [technical assistance](https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools), Mazanec said. His team also shares [alerts](https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html) about new ransomware tactics, techniques and procedures. And Weiss’ Health-ISAC shares alerts and advisories with its global membership.

Collaborations help but may have limits. Skapik said many health centers get some technical assistance from [health center-controlled networks](https://bphc.hrsa.gov/technical-assistance/strategic-partnerships/health-center-controlled-networks), but those often support dozens of health centers, all of which may have different versions of software. Vendors often charge hefty fees to update software, and they prioritize larger clients over small health centers, she said.

Weiss said a grant-funded virtual CISO program could help launch cybersecurity programs that internal IT teams could then maintain. In this vision, one cyber professional would assist up to a dozen providers each year.

Skapik said health centers would benefit from help applying for cyber insurance, a process that requires them to attain a minimum cyber posture, which can be costly for small entities.

### SECTORWIDE

To make a real difference, experts call for a systemic approach.

A larger effort at the Department of Health and Human Services (HHS) sees it first provide cybersecurity advice to the sector. Next, it aims to offer resources to help follow that advice, and, finally, requirements.

In January, HHS released a set of health-care-specific [cybersecurity performance goals](https://aspr.hhs.gov/newsroom/Pages/HHS-Releases-CPGs-and-Gateway-Website-Jan2024.aspx) for better preventing, responding to and recovering from attack, said Mazanec. These are voluntary and include 10 measures along with 10 enhanced goals for organizations capable of more.

Weiss said the goals are a valuable resource, but making them mandatory is challenging when some organizations lack funds to adopt them. The federal government seems aware; the president’s FY 25 budget would [provide](https://www.aha.org/news/headline/2024-03-11-white-house-releases-fy-2025-budget-request) $1.3 billion for supporting hospital cybersecurity, if Congress approves.

Meanwhile, ASPR is making moves now, like updating the [Hospital Preparedness and Response](https://aspr.hhs.gov/HealthCareReadiness/HPP/Pages/default.aspx) program to specifically support cyber readiness, Mazanec said. HHS is also looking for ways to ultimately mandate a level of cybersecurity.

Other moves are in the works: ASPR is conducting a sectorwide risk assessment, due in January, that will identify needs and inform efforts to create a sector-specific plan, Mazanec said. The agency will also identify organizations that, like Change Healthcare, could cause sectorwide disruptions if they go down, and will reach out to them about cybersecurity resources.

[R&D programs](https://arpa-h.gov/research-and-funding/programs/digiheals) are also exploring possible tools that might help health-care providers bounce back faster after attack, such as, theoretically, technologies to help them capture electronic health records while systems are downed.
[Jule Pattison-Gordon](https://www.govtech.com/jule-pattison-gordon) is a senior staff writer for *Government Technology*. She previously wrote for PYMNTS and *The Bay State Banner*, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.
