This is not the time to leave our hospitals unprotected against cyberattacks
By Allison Peters
On Sunday, as the U.S. Department of Health and Human Services was gearing up its efforts to confront the spread of the coronavirus, officials detected evidence of a possible cyberattack on the agency’s computer systems. On Tuesday, Attorney General William P. Barr suggested that a foreign power might be behind the attack — and promised retaliation.
“When you’re dealing with something like a denial of service attack on HHS during a pandemic, that’s a very grave action for another country to take,” he said. “So, if it is another country doing this, I’m sure the ramifications will be severe.” Sunday’s incident follows a cyberattack on a major covid-19 testing facility in the Czech Republic.
Both of these incidents — though much about them remains unknown — remind us that the United States is still woefully underprepared to deal with cyberthreats. As the covid-19 pandemic expands, U.S. law enforcement entities need to do far more to combat such threats, help the victims and bring the perpetrators to justice.
Imagine a community struggling to confront covid-19 — and imagine what would happen if a cyberattack were to knock its 911 call systems offline or cripple the computer systems in local hospitals.
This is not a far-fetched scenario. Health-care systems, local governments and other critical infrastructure are already top targets for criminal hackers and other malicious cyberactors, who increasingly deploy ransomware to hold victims’ systems or data hostage until victims pay up. Computer security company McAfee recently found that ransomware attacks more than doubled in the first quarter of 2019 alone. A study by Emsisoft found that 764 health-care providers and 113 state and municipal governments and agencies were hit by ransomware last year.
A cyberattack can have devastating financial consequences for a hospital or health-care system even under normal circumstances — but during a pandemic, it could potentially cost lives. During a ransomware attack on Alabama’s DCH Health System last fall, hospitals had to reschedule surgeries and turn away patients. A research paper found that cyberattack recovery efforts taken by hospitals led to an increase in the death rate among certain patients.
First, federal law enforcement and cyberentities need to provide rapid, clear guidance to potential victims of cyberattacks, particularly hospitals, on what to do if they are hit by an attack. Such guidance should include an assurance that targets will receive unequivocal support from the federal government in any needed response. Current guidance from the FBI on ransomware is ambiguous and lacks detail on what help victims will receive in technical support and recovery costs. The federal government needs to revise this guidance to clearly advise on what victims should do if they are hit by this type of attack. In particular, it should clarify whom hospitals can contact at the federal level for support (both technical and financial) should they be hit.
Second, the Trump administration should reverse course and restore the White House cybersecurity coordinator position it eliminated in May 2018. This person can work directly with hospital IT personnel to get them the help they need in a cyberemergency while ensuring that there is proper attention and resources dedicated to these efforts across federal agencies during this time of national crisis.
Third, the federal government needs to move away from the mentality that we can just defend our way out of this problem. Right now, the perpetrators of these attacks operate with pure impunity because there have rarely been any consequences for their actions. Our research has found that less than 1 percent of cyberincidents in the United States ever result in arrest of the perpetrators. Boosting international cooperation on this front has faced countless obstacles.
The U.S. Cyberspace Solarium Commission, a blue-ribbon commission established by Congress in 2019, recently released a report proposing a number of useful recommendations, including boosting law enforcement cybercapabilities and reestablishing a stand-alone State Department cyberbureau that would help bring to justice cybercriminals in other countries. That would be a good first step. Congress needs to act urgently on these and other measures to boost the government’s ability to impose consequences on the perpetrators of these attacks.
The federal government’s top priority right now should be fighting this pandemic — anything else is a distraction. Hospitals and other critical institutions are already doing everything in their power to keep going. In this make-or-break environment, cyberattacks can have a devastating impact. That is why the federal government needs to implement measures to provide fast support to victims and double down on its efforts to bring perpetrators to justice.
Our health-care system has never been tested as it will be in the next few weeks and months of the covid-19 pandemic. The government needs to get ready.