Massachusetts hospitals have been warned to be on high alert for cybersecurity threats as the war in Ukraine continues.
The warnings have come from several federal and industry organizations, including the White House, FBI, federal Cybersecurity and Infrastructure Security Agency, Healthcare Information and Management Systems Society, and the American Hospital Association.
In a bulletin to hospitals in early March, the CISA told hospitals to have “shields up,” saying “this current environment requires us all to be laser-focused on resilience.” On March 21, President Biden warned that the Russian government was exploring options for “potential cyberattacks.”
“It’s a topical conversation we’re having frequently — what are we doing, are we doing enough, can we do more?” said Bruce Forman, chief information security officer at UMass Memorial Health.
Health care entities in Massachusetts and around the country have been victims of Russia-based cyberattacks in the past. In 2017, hackers with ties to Russia launched a destructive malware called “NotPetya.” According to a federal indictment against the hackers, the malware was aimed at Ukrainian banks, newspapers, and electricity companies.
Yet the malware ultimately ended up infecting US companies, including Nuance Communications, the speech technology giant based in Burlington. That year, Nuance said in a public filing that it lost $92 million to service disruptions and remediation costs for its affected transcription services, which are used by many hospitals.
Nuance said that the company follows government and industry intelligence reports related to new tactics and procedures to keep cyberattacks at bay.
“In addition to our robust detection and response operational posture, we are maintaining heightened security measures,” the company said in a statement. “As part of our continuous diligence, we ask that our customers and partners implement similar heightened security measures and notify us of any major incidents.”
Biotech company Merck Pharmaceuticals, headquartered in New Jersey with operations in Massachusetts, also said in a lawsuit against its insurers last year that damage from NotPetya spread to 40,000 computers, resulting in $1.4 billion in losses.
“We’ve been watching the developments on the Russia/Ukraine border mainly because we are concerned, as history has shown us, that we could become collateral damage in a destructive malware attack,” said John Riggi, the national advisor for cybersecurity and risk for the American Hospital Association.
Riggi, a retired senior executive with the FBI, also said Russia could directly target US health care entities as retaliation for economic sanctions. In February, Riggi warned that the Russian ransomware group Conti said it would retaliate if the United States and Western allies used cyber warfare against Russia in the name of Ukraine.
To respond, hospitals have become ever more vigilant. Forman said UMass is updating software programs when companies find vulnerabilities, employing e-mail filtering, and using traditional antivirus software. Hospitals constantly train employees to think twice when they see e-mails that contain links or that ask for credentials, and have security-monitoring capabilities to see and respond to any attacks.
Hospitals have also learned to maintain data backups separate from the rest of their systems in case a ransomware attack cuts off access to internal data.
“The attackers only have to be right once. We have to be right 100 percent of the time,” said Forman, of UMass Memorial.
Cybersecurity threats have been on the rise. Forman said that a few years ago, the health system would receive a critical vulnerability announcement from the software vendors it works with once or twice a year. Now the hospital is implementing emergency patches once or twice a month.
No tool is perfect, and hospitals also have to be cognizant of the security of their vendors. In December, a cyberattack knocked out Kronos Private Cloud, which UMass uses for payroll and scheduling, disrupting those services for a month.
To further prepare, the American Hospital Association encouraged hospitals to develop four- to six-week continuity plans for the “mission critical” and “life critical” services they rely upon. The association also issued an advisory in partnership with the nonprofit Health Information Sharing and Analysis Center urging health systems to block Internet traffic from the Russia/Ukraine region.
“Because we have suffered the effects of NotPetya and a significant increase in ransomware attacks following NotPetya all through the pandemic, many from Russian-speaking ransomware gangs, it has made us very cautious and proactive to take all the defense measures possible,” Riggi said. “We have a lot of battle scars.”