Experts Tell U.S. House Subcommittee: Healthcare Unprepared to Respond to Ransomware
In May 2021, a ransomware attack crippled the San Diego-based Scripps Health system. During a recent hearing in the U.S. House of Representatives, House members heard about some of the ramifications of that attack and how unprepared health systems are in general to defend against or respond to ransomware threats.
The U.S. House of Representatives’ Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce held a hearing on July 20 entitled, "Stopping Digital Thieves: The Growing Threat of Ransomware."
One of the speakers was Christian Dameff, M.D., a practicing emergency medicine physician who serves as medical director of cybersecurity for UC San Diego Health, the first position of its kind in the United States.
The ransomware incident at Scripps forced the health system’s main hospitals to switch to paper records as serious emergencies were diverted to other hospitals. In his written testimony to Congress, Dameff said, “Two months ago, a ransomware attack disabled five large hospitals in the San Diego area for an entire month. Adjacent hospitals were quickly overwhelmed with unprecedented numbers of emergency room patients, many of whom had serious, time-dependent illnesses. Wait times skyrocketed. Hospital beds rapidly filled. Clinicians caring for very sick patients lacked vital medical records from the infected hospitals. I saw firsthand the ‘spill-over’ effects and understood that the vulnerability of one hospital is the vulnerability of many hospitals.”
Dameff reminded the House members that ransomware attacks affecting the healthcare sector are increasing in frequency, sophistication, and disruptive potential. In addition to the exposure of sensitive data, severe financial losses, and reputational damage, a cyber attack on a hospital has the potential to threaten life and limb, he stressed. “When patients suffer from strokes, heart attacks, or severe infections, minutes matter. The best outcomes for patients with these time-dependent crises depend on the immediate, continuous availability of the same digital systems that ransomware can disrupt. When critical medical systems go offline, our opportunity to save lives diminishes. Our risk of error or misdiagnosis increases. We are now learning that cyber attacks impact not just infected hospitals, but the surrounding healthcare ecosystem at large.”
Dameff noted that when he was young, his fascination with computers and networks led him to the hacking community, who taught him to appreciate the complexity and fragility of modern computer systems. “Today, I use that knowledge to improve the cybersecurity of healthcare. My research focuses on the patient safety and care quality effects of cyber attacks. At my core, I am an Emergency Medicine doctor. I am trained to care for any patient who comes through the doors whether they suffer trauma, heart attack, stroke, or COVID. I am here today to tell you healthcare is not prepared to defend or respond to ransomware threats.”
In addition to echoing recommendations made by experts in other fields, Dameff noted that healthcare has unique challenges which he believes necessitate additional actions.
• First, the effects of ransomware attacks on patients’ health should be scientifically studied, just like diseases such as diabetes. Most hospitals are not currently equipped to measure or report the impact of these attacks. Dameff recommends the development of standardized metrics of cyber attack severity on hospitals. Mandatory reporting of patient safety and care quality outcomes should occur for severe attacks. Additionally, he recommends that federal agencies such as the National Institutes of Health (NIH) and the National Science Foundation (NSF) prioritize funding for research on this topic.
• Second, he noted, identifying cybersecurity vulnerabilities before they are exploited will protect patients. “There is currently a disparity between what I call the healthcare cybersecurity haves and have-nots. Lesser-resourced critical access and rural hospitals need help increasing their preparedness,” Dameff said. “As we seek to protect vulnerable hospitals, we must also avoid overly punitive measures for those unfortunate enough to fall victim to highly complex or novel cyber attacks, understanding that stiff fines or penalties may worsen an already devastating operational impact. We are only as strong as our least defended communities.”
• Third, Dameff said he supports the software bill of materials (SBOM) as one mechanism to increase transparency around cybersecurity vulnerabilities. An SBOM enables manufacturers and healthcare delivery organizations to take more proactive steps to manage their cybersecurity risk. He also recommends ongoing support and legal protections for security researchers engaging in good-faith security research, otherwise known as coordinated vulnerability disclosure. “We need help from ethical hackers if we are going to defeat the malicious ones,” he said.
• Fourth, we must prepare hospitals for inevitable attacks, he said. “The ability to rapidly deploy backup manual patient care systems is key to reducing harms to patients. Such contingency planning takes resources and expertise.”
Dameff concluded by applauding the committee’s leadership on ransomware response and said he remains optimistic about improving cyber resilience in healthcare. “Our patients deserve excellent care. Ransomware and other cyber attacks targeting hospitals threaten our ability to deliver that care as it’s needed, when minutes matter.”
Another expert testifying before the subcommittee, Philip Reiner, CEO of the Institute for Security and Technology, urged Congress to create a ransomware response fund to support victims in refusing to make ransomware payments. He also recommended that Congress require organizations and incident response entities to share ransomware payment information with a national government prior to payment.
“Ransomware is a solvable problem, but currently it is metastasizing at an alarming rate,” Reiner said. “The ransomware problem will only continue to worsen if not addressed in a comprehensive fashion.”